https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824216#M489678 <HTML><HEAD></HEAD><BODY><P> In LAB you can route your packets from Public to Private IP but in real world 192.168.x.x is private IP and not routed over internet.</P><P> So only way to connect would be NATTED IP and if you want to access on 192.168.x.x then VPN solution. No other way.</P></BODY></HTML> Fri, 30 Dec 2011 19:15:10 GMT ajay chauhan 2011-12-30T19:15:10Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824213#M489672 <P>Current translations is an established stable network translation:</P><P>static (inside,outside) 10.144.158.7 192.168.100.20</P><P>access-list allows port 80</P><P></P><P><SPAN style="text-decoration: underline;">While maintaining the above translation</SPAN> we have been ask by the developers to allow direct access to 192.168.100.20 for a secure socket connection on port 443. I did a similar thing during a data center migration by doing this.</P><P>static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0</P><P>static (inside,outside) 10.144.158.7 192.168.100.20 netmask 255.255.255.255</P><P>This configuration was in place for months with out issue.</P><P></P><P>client connecting to 192.168.100.20 connected to 192.168.100.20</P><P>client connecting to 10.144.158.7 connected to 192.168.100.20</P><P></P><P>As long as the order of the static table is maintained the firewall will allow it to be configured.</P><P></P><P>My first question would be, how would you have done it? </P><P></P><P>My ultimate question will be, with details to follow if you are interested, why it would periodically fail when applied to a well established VPN L2L tunnel configuration.</P> Mon, 11 Mar 2019 22:08:44 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824213#M489672 charlie.ford 2019-03-11T22:08:44Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824214#M489674 <HTML><HEAD></HEAD><BODY><P>This explaination makes me little bit confused . Can you post me the full config also mentioned where is the source and destination and what results you want to get.</P><P></P><P>Thanks</P><P>Ajay</P></BODY></HTML> Fri, 30 Dec 2011 15:15:29 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824214#M489674 ajay chauhan 2011-12-30T15:15:29Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824215#M489677 <HTML><HEAD></HEAD><BODY><P>The configurations no longer exist but I can recreate them in the lab for you.</P><P></P><P>Trying to find a better way to explain.</P><P></P><P>Customer on outside interface needs to get to 192.168.100.20 and has been doing so for years. They use the static translation 205.144.158.7 to connect to 192.168.100.20.</P><P></P><P>It has become necessary to grant the customer on the outside interface direct access to 192.168.100.20 without translation while still allowing them access through the original static translation.</P><P></P><P>So the customer on the outside interface will be accessing both the new 192.168.100.20 and the old 205.144.158.7 but connecting to the same internal server 192.168.100.20. It works, I have done it but is there a better way?</P><P></P><P><A href="cid:image001.png@01CCC6E1.FC17EF30"></A></P><P>access-list outside line 1 extended permit icmp any host 205.144.158.7 (hitcnt=0) 0xf4592732</P><P>access-list outside line 2 extended permit tcp any host 205.144.158.7 eq www (hitcnt=3) 0xe2670b47</P><P>access-list outside line 3 extended permit tcp any host 205.144.158.7 eq https (hitcnt=1) 0x6b2d9f98</P><P>access-list outside line 4 extended permit icmp any host 192.168.100.20 (hitcnt=0) 0x8ab9d8f4</P><P>access-list outside line 5 extended permit tcp any host 192.168.100.20 eq www (hitcnt=1) 0xc67c07f6</P><P>access-list outside line 6 extended permit tcp any host 192.168.100.20 eq https (hitcnt=1) 0x7675a5b1</P><P></P><P>This passes the packet-tracer</P><P></P><P>Thanks for your response. Lab configuration attached.</P><P></P><P>Charlie</P><P>402-963-8295</P></BODY></HTML> Fri, 30 Dec 2011 16:59:07 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824215#M489677 charlie.ford 2011-12-30T16:59:07Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824216#M489678 <HTML><HEAD></HEAD><BODY><P> In LAB you can route your packets from Public to Private IP but in real world 192.168.x.x is private IP and not routed over internet.</P><P> So only way to connect would be NATTED IP and if you want to access on 192.168.x.x then VPN solution. No other way.</P></BODY></HTML> Fri, 30 Dec 2011 19:15:10 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824216#M489678 ajay chauhan 2011-12-30T19:15:10Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824217#M489679 <HTML><HEAD></HEAD><BODY><P>I apologize for not making myself clear.</P><P></P><P>This is a privet circuit in the lab environment, would it be helpful if I gave you the real addresses? Or can you pretend the Customer network is trusted and routed to the gateway firewall where this configuration exists? No Internet, just customer to customer, like through a VPN tunnel?</P><P></P><P>If I am not making this clear please let me know and I will try again. I really need to solve this problem without using another firewall.</P><P></P><P>Charlie</P><P>402-963-8295</P></BODY></HTML> Fri, 30 Dec 2011 21:48:06 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824217#M489679 charlie.ford 2011-12-30T21:48:06Z https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824218#M489680 <HTML><HEAD></HEAD><BODY><P> Hello Charlie,</P><P></P><P>What Ajay has mentioned is correct, now as you said on the last note :</P><P> No Internet, just customer to customer, like through a VPN tunnel</P><P></P><P>If you only need connectivity between both sides without internet you do not need a routable public ip address, now you are going to use Identity nat and also a static one to one, both are going to work.</P><P></P><P>The ASA wil be able to send the packets that are getting to 205.144.158.7 to the inside host, and also with proxy arp the identity nat statement (192.168.100.20).</P><P></P><P>You already have the ACLs in place, that is all you need as long as Ajay said they do not need to access 192.168.100.20 by the real IP address over the internet (unless you have a VPN established)</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Fri, 30 Dec 2011 22:50:34 GMT https://community.cisco.com/t5/network-security/how-would-you-solve-this-access-issue/m-p/1824218#M489680 Julio Carvajal 2011-12-30T22:50:34Z