topic Folks, please help me in in Network Security

NAT Issue

syedhashmi455 — Tue, 12 Mar 2019 04:24:38 GMT

Hi Friends

Please guide me if my configuration is ok. I amnot able to ping the public ip throughthe ASA resulting in failure to login to the sip server.

I need to nat the inside network to outside.

Nat required between
88.55.164.10 to 101.164.50.50
88.55.164.11 to 101.164.50.25

Please note the version of ASA below:
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.1(6)

I have configured as below

access-list 200 extended permit tcp any host 88.55.164.10
access-list 200 extended permit tcp any host 88.55.164.11
access-group 200 in interface outside

object network obj_sip-101.164.50.50
host 101.164.50.50
object network obj_sip_1-101.164.50.25
host 101.164.50.25

object network obj_sip-101.164.50.50
nat (inside,outside) static 88.55.164.10
object network obj_sip_1-101.164.50.25
nat (inside,outside) static 88.55.164.11

Regards,

Ahmed

Folks, please help me in

syedhashmi455 — Tue, 01 Jul 2014 12:03:50 GMT

Folks, please help me in sorting this out as I need to settle this down today

When you are saying that you

Marius Gunnerud — Tue, 01 Jul 2014 12:38:30 GMT

When you are saying that you can not ping the public IP through the ASA, which IP are you trying to ping?

Are you able to ping the internet from any of those two servers (50.50 and 50.25)?

could you issue the following packet tracer on the ASA:

packet-tracer input inside tcp 101.164.50.25 12345 4.2.2.2 5060 detail

packet-tracer input inside tcp 101.164.50.50 12345 4.2.2.2 5060 detail

Could you please post the full ASA configuration (sanitised)? I feel it is easier to troubleshoot when seeing the whole picture.

Please remember to select a correct answer and rate helpful posts

Hi Marius,Please check the

syedhashmi455 — Tue, 01 Jul 2014 12:56:55 GMT

Hi Marius,

Please check the ASA config attached.

Also check the topology attached. I am trying to acheive the nat mentioned in the topology.

I am not able to launch the application if the user is connected from outside.

Regards,

Ahmed

At first glance you do not

Marius Gunnerud — Tue, 01 Jul 2014 13:05:10 GMT

At first glance you do not have any ACLs applied that allow access from the outside in. You would need to add the following commands:

no access-list outside_access_in extended permit ip host 88.55.164.10 any

no access-list outside_access_in extended permit ip any host 88.55.164.10

access-list outside_access_in extended permit ip any host 101.164.50.25

access-list outside_access_in extended permit ip any host 101.164.50.50

access-group outside_access_in in interface outside

Keep in mind that you will now be allowing all traffic in to those hosts. If possible it would be best to identify the exact ports that you need to have opened and only open for those ports.

Add these commands and then test.

Please remember to select a correct answer and rate helpful posts

bingo, thank you so much.

syedhashmi455 — Tue, 01 Jul 2014 13:23:38 GMT

bingo, thank you so much. resolved

Thank you for the rating ☺

Marius Gunnerud — Tue, 01 Jul 2014 13:28:21 GMT

Thank you for the rating ☺