https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126380#M893879 <HTML><HEAD></HEAD><BODY><P>This doesn't appear to be working. Can you create a show running-config that I can build from? </P></BODY></HTML> Fri, 07 Nov 2008 17:26:49 GMT John.OuYang 2008-11-07T17:26:49Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126378#M893875 <P>I need a working sample config based on these simple details:</P><P></P><P>Outside 172.16.1.2 255.255.255.0 level 0</P><P>Inside 192.168.0.3 255.255.255.0 level 100</P><P>DMZ 192.168.154.1 255.255.255.0 level 50</P><P></P><P>Web1 172.16.1.7 need to map to DMZ 192.168.154.7 smtp, https</P><P>Web2 172.16.1.24 need to map to inside 192.168.0.4 DNS https</P><P></P><P>1. I would like the inside network to be able to reach any server in the DMZ any service. Also be able to reach the web pages.</P><P>2. I would like the DMZ to pass only limted information like port http but I can build from any rule that works.</P><P></P><P>3.I would like to be able to browse the internet from the DMZ and inside.</P><P></P><P>I will rate high on any working configurations. I will rate each unique example using varied Nat types.</P><P></P><P></P> Mon, 11 Mar 2019 14:09:32 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126378#M893875 John.OuYang 2019-03-11T14:09:32Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126379#M893877 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255</P><P>static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255</P><P></P><P>static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255</P><P>static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255</P><P></P><P>1) static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 </P><P></P><P>You don't need an acl because it is going from inside to DMZ</P><P></P><P>2) access-list DMZ_in permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80</P><P></P><P>This would allow all hosts on DMZ to talk to any host on inside on port 80. As you say you can narrow it down.</P><P></P><P>3) nat (inside) 1 192.168.0.0 255.255.255.0</P><P> nat (dmz) 1 192.168.154.0 255.255.255.0 </P><P> global (outside) 1 interface </P><P> </P><P> Again you don't need acl because you are going from higher to lower security level interfaces.</P><P></P><P>Jon</P></BODY></HTML> Thu, 06 Nov 2008 21:55:07 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126379#M893877 Jon Marshall 2008-11-06T21:55:07Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126380#M893879 <HTML><HEAD></HEAD><BODY><P>This doesn't appear to be working. Can you create a show running-config that I can build from? </P></BODY></HTML> Fri, 07 Nov 2008 17:26:49 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126380#M893879 John.OuYang 2008-11-07T17:26:49Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126381#M893881 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>Could you be a bit more specific - which bits work and which don't. If none of it works then can you check basics such as both interfaces are up etc.</P><P></P><P>Jon</P></BODY></HTML> Fri, 07 Nov 2008 17:34:19 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126381#M893881 Jon Marshall 2008-11-07T17:34:19Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126382#M893884 <HTML><HEAD></HEAD><BODY><P>I am unable to pass any traffic to the DMZ from the inside. I can't pass any traffic from the DMZ to the inside...on specific ports and open to any. All interfaces are up.</P><P>I cl xlate </P><P>I wonder if the default from a higher security to a lower security rules are working. </P><P>All I can do is browse the internet. </P><P></P><P>I guess I could try another asa 5510.</P><P>I do appreciate the help.</P><P></P><P></P></BODY></HTML> Fri, 07 Nov 2008 19:54:17 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126382#M893884 John.OuYang 2008-11-07T19:54:17Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126383#M893888 <HTML><HEAD></HEAD><BODY><P>Hello John,</P><P> Please post your running config and let us advise on config</P><P></P><P>Regards</P></BODY></HTML> Fri, 07 Nov 2008 20:11:54 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126383#M893888 Alan Huseyin Kayahan 2008-11-07T20:11:54Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126384#M893890 <HTML><HEAD></HEAD><BODY><P>Here is a copy of the running config on the asa5510. I built it based on the information Jon provided. No traffic is passing. I expected to be able to RDP or reach the c drive of server in the dmz from an inside PC.</P><P></P><P>John</P><P></P><P> </P><P></P></BODY></HTML> Mon, 10 Nov 2008 21:13:20 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126384#M893890 John.OuYang 2008-11-10T21:13:20Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126385#M893893 <HTML><HEAD></HEAD><BODY><P>I've started over several times. I seem to be getting back to the same place...</P><P>Can browse internet from DMZ or Inside PC's </P><P>I just can't seem to pass any traffic between them.</P><P></P><P>I even put all interfaces in one pool to allow access to allow dynamic translation to the dmz and outside...translation from the dmz to inside and outside interface pools.</P><P></P><P>What am I missing?</P><P></P><P></P></BODY></HTML> Wed, 12 Nov 2008 20:45:18 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126385#M893893 risenshine4th 2008-11-12T20:45:18Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126386#M893894 <HTML><HEAD></HEAD><BODY><P>You have an acl:</P><P></P><P>access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 </P><P></P><P>But you're not allowing traffic back in:</P><P></P><P>permit ip 192.168.0.0 255.255.255.0 any</P><P></P><P>If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all. </P><P></P><P>HTH</P><P></P><P>--John</P></BODY></HTML> Wed, 12 Nov 2008 22:11:21 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126386#M893894 John Blakley 2008-11-12T22:11:21Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126387#M893895 <HTML><HEAD></HEAD><BODY><P>Exactly what I was missing.</P><P>It shows this rule in the ASDM Rules but this ACL is clearly missing from the ACL Manager.</P><P></P><P>Kind of odd. I thought that ACE's and that defined access rules were the same thing for Dmz incoming rules. So it must be a wired error for one to exist without the other.</P><P></P><P>John</P></BODY></HTML> Fri, 14 Nov 2008 20:47:05 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126387#M893895 John.OuYang 2008-11-14T20:47:05Z https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126388#M893896 <HTML><HEAD></HEAD><BODY><P>Thank you for letting me know, and the rating! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>--John</P><P></P></BODY></HTML> Fri, 14 Nov 2008 21:04:39 GMT https://community.cisco.com/t5/network-security/need-basic-nat-config-example/m-p/1126388#M893896 John Blakley 2008-11-14T21:04:39Z