topic Help me in Natting in Network Security

Help me in Natting

pawanharlecisco — Mon, 11 Mar 2019 20:58:27 GMT

Hi ,

Please see the daigram attached .

I have Internet leased line which is connected to "Outside "Interface of ASA 5510.I address are mentioned in Daigram.

I have Few Public IP address given by ISP. I want to do static NAT in ASA for accessing my server from Internet, i am fresher in configuring ASA ,please guide me .I have also want 192.168.5.10; 192.168.5.11; 192.168.5.12; 192.168.5.13 this IP ca use Internet also, for OS updates

Public ip 2.2.2.5 mapped to 192.168.5.10

Public ip 2.2.2.6 mapped to 192.168.5.11

Public ip 2.2.2.7 mapped to 192.168.5.12

Public ip 2.2.2.8 mapped to 192.168.5.13

Please guide me.

Help me in Natting

varrao — Wed, 13 Jul 2011 10:45:06 GMT

Hi Pawan,

Here is the config that you would need:

static (inside,outside) 2.2.2.5 192.168.5.10

exactly the same needs to be done for teh othere servers as well.

Let me know if you have any queries.

Thanks,

Varun

Help me in Natting

varrao — Wed, 13 Jul 2011 10:50:15 GMT

Here is configuration guide for NAT on ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Varun

Help me in Natting

pawanharlecisco — Wed, 13 Jul 2011 11:09:45 GMT

Thanks Varun for the post,

I have configured as u said for all IP address, but whenever i'll try to ping 2.2.2.5 its not ping from internet.please suggets, please give me sample config for my senario for one ip IP 2.2.2.5 only, i will manage other, please help me ...

Please help me

Help me in Natting

varrao — Wed, 13 Jul 2011 11:21:23 GMT

Hi Pawan,

Ok lets take the case of ping on the firewall for ip 2.2.2.5:

you would need an access-list on the outside interface,

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

and the nat command:

static (inside,outside) 2.2.2.5 192.168.5.10

first make sure you are able to ping the ip 192.168.5.10 from the firewall, by doing "ping inside 192.168.5.10" and then test it.

Thanks,

Varun

Help me in Natting

pawanharlecisco — Wed, 13 Jul 2011 12:08:08 GMT

Dear Varun Sir Thanks for the support,

I have configured as u suggested. Now i am able to ping 2.2.2.5; 2.2.2.6; 2.2.2.7. but not able to access this Ip, i want to permit all services from Public side.Below is sh run for the ASA.

Please kindly help me

-------------------------------------------------------------------------------

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

shutdown

no nameif

no security-level

no ip address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

interface Ethernet2

nameif outside

security-level 0

ip address 2.2.2.2 255.255.255.0

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any host 192.168.5.10

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255

static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:b3e81ffd949d793e351873ae46369086

: end

Help me in Natting

varrao — Wed, 13 Jul 2011 12:40:05 GMT

Hi Pawan,

Just add the acl's:

access-list outside_access_in permit ip any host 2.2.25

do it simialrly for other servers as well, and it would work after that.

Thanks,

Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 06:11:00 GMT

Dear Varun Sir,

i have applied this acl "access-list outside_access_in permit ip any host 2.2.2.5" for all ip address but stil its not done. I m not able to access Internel servers. Please suggest.

Thanks

Pawan

Help me in Natting

varrao — Thu, 14 Jul 2011 06:22:53 GMT

Hi Pawan,

Please provide me the running config from the ASA after adding all the changes that I had suggested you, it shoudl work, I'll have a look at it and let you know.

Thanks,

Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 06:33:08 GMT

Thanks Sir,

Actually i have done a mistake while appling acces-list. After corecting it, now m able to access the servers from outside. Thanks Sir for the your support.below is sh run of asa .

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

shutdown

no nameif

no security-level

no ip address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

interface Ethernet2

nameif outside

security-level 0

ip address 2.2.2.2 255.255.255.0

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any host 2.2.2.5

access-list outside_access_in extended permit ip any host 2.2.2.6

access-list outside_access_in extended permit ip any host 2.2.2.7

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.6 192.168.5.3 netmask 255.255.255.255

static (inside,outside) 2.2.2.7 192.168.5.4 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:d791dcca076fc2bbf6662f149c8377bd

: end

ASA#

Regards

Pawan

Help me in Natting

varrao — Thu, 14 Jul 2011 06:35:32 GMT

Hey thats good..... Let me know if you afce any other issues.

-Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 06:55:43 GMT

Sure sir.

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 07:05:35 GMT

Varun Sir,

In the same topoploy , i have now pluged one bsnl modem in the interface e0,to give internet access to 192.168.5.0 network. for this i have configured below configuration but m not able to access internet using bsnl modem. but from 2.2.2.0 network m able to access the server as we configured recently. kindly suggets me.how can it be possile.

access-list OUTIN extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside

global (bsnl) 1 interface

nat (inside) 1 192.168.5.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.100.1 2

........

pawan

Help me in Natting

varrao — Thu, 14 Jul 2011 07:10:16 GMT

Can you paste the running config again??? and can you tell me what changes you've done??? You have removed the 2.2.2.1 router and are now uising a bsnl modem instead???

Thanks,

Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 07:19:54 GMT

Sir,

No i have not removed 2.2.2.1 router. I have pluged bsnl in E0 inteface.below is sh run, after making changes.

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

nameif bsnl

security-level 0

ip address 192.168.100.200 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

interface Ethernet2

nameif outside

security-level 0

ip address 2.2.2.2 255.255.255.0

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any host 2.2.2.5

access-list outside_access_in extended permit ip any host 2.2.2.6

access-list outside_access_in extended permit ip any host 2.2.2.7

access-list OUTIN extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside

pager lines 24

mtu inside 1500

mtu outside 1500

mtu bsnl 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (bsnl) 1 interface

nat (inside) 1 192.168.5.0 255.255.255.0

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.6 192.168.5.3 netmask 255.255.255.255

static (inside,outside) 2.2.2.7 192.168.5.4 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

route outside 0.0.0.0 0.0.0.0 192.168.100.1 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:d791dcca076fc2bbf6662f149c8377bd

: end

Help me in Natting

varrao — Thu, 14 Jul 2011 07:35:55 GMT

Hi Pawan,

We cannot have two default routes on the ASA, the packet would always take the route defined by lower mettric which is:

route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

I am not sure why you are implementing such a thing, you have two interfaces configured through which the same internal network would access internet, so that would get complicated.

If you are just testing the bsnl modem link, remove the first route and then add:

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

and moreover on interface e0, you have a private IP address, and we woudl need a public IP like 2.2.2.2 to access the internet.

Also these access-list are not needed:

access-list OUTIN extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside

Let me know if this works.

Thanks,

Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 10:10:14 GMT

Sir,

i want use bsnl as my default route. and give static route for servers because there are only some specific ip add which will acess the server thats y no need give default route towards 2.2.2.1.

Now my purpose the that,

1: the network 192.168.5.0 will use internet using bsnl line

2:and is some specific ip add want to access the server then they have to use 2.2.2.0 newtork which we was statically natted earlier.

Help me in Natting

varrao — Thu, 14 Jul 2011 11:06:51 GMT

Hi Pawan,

as per your requirement here is the config that you can try:

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255

static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255

static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255

access-list 101 permit ip any host 2.2.2.5

access-list 101 permit ip any host 2.2.2.6

access-list 101 permit ip any host 2.2.2.7

nat (outside) 10 access-list 101 outside

global (inside) 10 interface

The above configuration would allow only traffic from your 2.2.2.1 router for you internal servers.

the routes should be:

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

route outside 0.0.0.0 0.0.0.0 2.2.2.1 100

nat (inside) 1 0.0.0.0 0.0.0.0

global (bsnl) 1 interface.

Try it and let me know if it works.

Thanks,

Varun

Help me in Natting

pawanharlecisco — Thu, 14 Jul 2011 16:08:29 GMT

thank you sir,it done sucessfully .

please c below config. If still need any change tell me.From below config if there is any useless command i configured,please guide me so that i can remove it.

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address 192.168.100.200 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.5.1 255.255.255.0

interface Ethernet2

nameif rbi

security-level 0

ip address 2.2.2.2 255.255.255.0

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit ip any host 2.2.2.5

access-list 101 extended permit ip any host 2.2.2.6

access-list 101 extended permit ip any host 2.2.2.7

access-list outside-in extended permit icmp any any

access-list outside-in extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu rbi 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 10 interface

nat (outside) 10 access-list 101 outside

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,rbi) 2.2.2.5 192.168.5.10 netmask 255.255.255.255

static (inside,rbi) 2.2.2.6 192.168.5.11 netmask 255.255.255.255

static (inside,rbi) 2.2.2.7 192.168.5.12 netmask 255.255.255.255

access-group outside-in in interface outside

access-group 101 in interface rbi

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

route outside 0.0.0.0 0.0.0.0 2.2.2.1 100

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

pixfirewall#

Re: Help me in Natting

varrao — Thu, 14 Jul 2011 17:55:52 GMT

Hi Pawan,

Everything looks good to me except these lines below, intsead of them you need to add these:

global (outside) 1 interfaceglobal (inside) 10 interface
nat (rbi) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

route rbi 0.0.0.0 0.0.0.0 2.2.2.1 100

and remove this statement:

access-group 101 in interface rbi

we don't need it, the access-list 101 was created just to be used in the nat statement.

interface Ethernet2

nameif rbi

security-level 0

ip address 2.2.2.2 255.255.255.0

global (outside) 1 interface

global (inside) 10 interface

nat (outside) 10 access-list 101 outside

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 101 in interface rbi

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

route outside 0.0.0.0 0.0.0.0 2.2.2.1 100

Hope this works,

Thanks,

Varun