topic Re: Cisco ASA CLI in Network Security

Cisco ASA CLI

r.arzouni — Mon, 11 Mar 2019 19:39:43 GMT

Hi There,

Can you please help, I have servers sitting on the internal LAN inside 1( 192.168.76.0 /24 ) I would like all the hosts on this network to browse the internet by using the external address of the firewall (outside), I need to do a NAT to hide the private IPs and an Access rule ..Can you please help with the commands ?

When I try to Nat I get error overlaps with outside interface address !!

Many Thanks

Rabih

Re: Cisco ASA CLI

mirober2 — Tue, 25 Jan 2011 14:06:38 GMT

Hi Rabih,

What version of ASA code are you running? It would help if you could post a sanitized copy of your current NAT configuration.

In general, this is what the syntax will look like on 8.0 or 8.2:

nat (inside) 1 192.168.76.0 255.255.255.0
global (outside) 1 interface

This is the syntax for 8.3:

object network obj-192.168.76.0

subnet 192.168.76.0 255.255.255.0

nat (inside,outside) dynamic interface

Hope that helps.

-Mike

Re: Cisco ASA CLI

andamani — Tue, 25 Jan 2011 14:13:07 GMT

hi,

try the following:

nat(inside) 1 192.168.76.0 255.255.255.0

global(outside) 1 interface.

please post the output of commands "sh run nat" and "sh run global".

Regards,

Anisha

Re: Cisco ASA CLI

r.arzouni — Tue, 25 Jan 2011 16:29:30 GMT

sh run nat posted as requested:

ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 1 192.168.76.0 255.255.255.0
ciscoasanode1newbury(config)# sh run global
global (outside) 101 interface
ciscoasanode1newbury(config)#

I tried your command and this is what I get:

ciscoasanode1newbury(config)# global (outside) 1 interface
global for this range already exists
ciscoasanode1newbury(config)#

not sure what I am doing wrong

Many Thanks

Re: Cisco ASA CLI

mirober2 — Tue, 25 Jan 2011 16:31:39 GMT

Hi Rabih,

In that case, you'll need to change your NAT statement. Just use this instead:

no nat (inside1SYHA) 1 192.168.76.0 255.255.255.0

nat (inside1SYHA) 101 192.168.76.0 255.255.255.0

-Mike

Re: Cisco ASA CLI

r.arzouni — Tue, 25 Jan 2011 17:02:36 GMT

Hi Mike / All thanks for that,

I did add the nat rule as he said :

ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 101 192.168.76.0 255.255.255.0

I can ping the firewall but still can not browse the internet do I need to add a rule or something ?

Many Thanks

Rabih

Re: Cisco ASA CLI

mirober2 — Tue, 25 Jan 2011 17:04:51 GMT

Hi Rabih,

That depends on what the rest of the configuration looks like. Try checking your rules with the packet-tracer to make sure everything looks correct:

packet-tracer in inside1SYHA udp 192.168.76.10 12345 4.2.2.2 53

packet-tracer in inside1SYHA tcp 192.168.76.10 12345 4.2.2.2 80

-Mike

Re: Cisco ASA CLI

r.arzouni — Tue, 25 Jan 2011 17:18:54 GMT

Hi Mike

Outcome of the packet trace:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2nd trace:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Cant you please help ?

Thanks

Rabih

Re: Cisco ASA CLI

mirober2 — Tue, 25 Jan 2011 17:22:21 GMT

Hi Rabih,

What are the security levels of the inside1SYHA and outside interfaces?

You can permit traffic via an ACL like this:

access-list inside1SYHA_access_in permit ip any any

access-group inside1SYHA_access_in in interface inside1SYHA

That would allow all outbound IP traffic to go through the inside1SYHA interface. You can make that more restrictive if you'd like.

If that still doesn't work, please post a sanitized copy of your config.

-Mike