10-14-2013 09:08 AM - edited 03-11-2019 07:52 PM
The above is a drawing of the network. I want a PC on 10.50.1.0 to access the web server at 10.10.10.70. The PC and web server are on the default VLANs of their switches.
I believe I need a static NAT of some sort, but all I've tried doesn't work.
Here's the config:
interface Ethernet0/0
nameif outside
security-level 0
ip address EDIT
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/2
nameif S2
security-level 100
ip address 10.10.1.99 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.50.0.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm debugging
logging mail warnings
logging class auth mail debugging
mtu outside 1500
mtu inside 1500
mtu S2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 EDIT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.50.0.0 255.255.255.0 management
http 10.50.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 10
management-access inside
dhcpd dns EDIT
!
dhcpd address 10.50.1.50-10.50.1.250 inside
dhcpd enable inside
!
dhcpd address 10.50.0.2-10.50.0.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password HEU0LnYme.ESFRyI encrypted privilege 15
prompt hostname context
Cryptochecksum:c3f0d8a8f3f62e32c6fc86b4736d8a18
: end
10-14-2013 10:38 AM
Hi,
Where is the network 10.10.10.0/24 located from the perspective of the ASA?
There is no mention of the network 10.10.10.0/24 there. The "S2" interface is on the 10.10.1.0/24 network, and there is no static route for the network 10.10.10.0/24.
- Jouni
10-14-2013 10:54 AM
The 10.10.10.0 network is connected as diagrammed; the interface IP of 10.10.1.99 is what I gave the interface. That is another point of confusion: what IP address do I give the interface?
10-14-2013 11:02 AM
Hi,
The IP address 10.10.1.99 is on a different network than the IP address 10.10.10.70.
The interface IP address could be 10.10.10.99; then the server and the ASA interface would be on the same network.
Naturally, the connection won't work if your interface is on a different network than the actual server.
In addition to the IP address change on the interface, you would need to change these in the above configuration:
no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255
static (S2,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
You will naturally also have to make sure that the default gateway of the server is the IP address that is configured in the ASA "S2" interface.
And then try the connection to the server 10.10.10.70
- Jouni
10-15-2013 04:51 AM
Yes, I needed the correct interface IP, thanks!
10-14-2013 11:44 AM
Hi Bee Yang,
Please do this change shown below.
no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255
static (inside,S2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Please let me know, if this helps.
Thanks
Rizwan Rafeek.
10-15-2013 04:51 AM
Wow, that works now with the last statement!
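Editor's worked example, not posted by anyone in this thread: the two accepted answers put together as one corrected change set for the posted ASA 8.0(2) configuration (pre-8.3 NAT syntax), followed by the commands to verify it. Assumptions are marked in the comments: 10.10.10.99 is a free address on the server LAN, the web server listens on TCP/80, 10.50.1.50 (inside the posted DHCP pool) stands in for the PC, and the identity static for the inside side is narrowed from Rizwan's 10.0.0.0/8 to the 10.50.1.0/24 subnet actually behind "inside".

```cisco
! --- 1. Put the S2 interface on the server's subnet (Jouni's point). ---
! Assumed: 10.10.10.99 is unused on that LAN.
interface Ethernet0/2
 nameif S2
 security-level 100
 ip address 10.10.10.99 255.255.255.0
!
! --- 2. Remove the broken static. ---
! "static (S2,S2)" names the same interface as real and mapped, so it never
! applies to a flow that enters on "inside" and leaves on "S2".
no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255
!
! --- 3. Identity statics in both directions. ---
! The posted "nat (inside) 1 0.0.0.0 0.0.0.0" matches every inside host, but the
! only matching global is "global (outside) 1 interface"; there is no global for
! S2. A static entry is evaluated before nat/global, so an identity static for
! the inside subnet gives inside->S2 traffic a (no-change) translation to use.
! Narrowed from the answer's 10.0.0.0/8 to the subnet configured on "inside".
static (inside,S2) 10.50.1.0 10.50.1.0 netmask 255.255.255.0
! Jouni's line: the server subnet is presented to "inside" unchanged.
static (S2,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Already present in the posted config, and required because both "inside" and
! "S2" are security-level 100; without it the flow is denied before NAT matters.
same-security-traffic permit inter-interface
!
! --- 4. Off-box: the server's default gateway must be 10.10.10.99 (the S2 IP).
!
! --- Verification (run from enable mode) ---
! Confirm the interface now sits on the server's subnet.
show interface ip brief
show nameif
! Simulate the PC opening the web server; the trace should end with
! "Action: allow" and show the two static NAT phases, not "no translation group".
! Assumed: PC 10.50.1.50, source port 40000, web server on TCP/80.
packet-tracer input inside tcp 10.50.1.50 40000 10.10.10.70 80
! After a real connection attempt, the identity translations appear here.
show xlate
! The 10.10.10.0/24 route must now be a connected route via S2.
show route
```

If packet-tracer stops at the NAT phase with a drop, the usual cause on this code train is the dynamic rule without a global on the egress interface, which is exactly what the identity static for the inside subnet addresses. Unrelated to the NAT problem but visible in the posted config: Telnet is permitted from any host on "inside" and "management" (`telnet 0.0.0.0 0.0.0.0 ...`), and Telnet carries credentials in cleartext; once the connectivity issue is settled, the same management access is better granted with `ssh 10.50.1.0 255.255.255.0 inside` after `crypto key generate rsa`, and the Telnet lines removed.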