Beginner

NAT ASA 5510

Hi,

I have an ASA 5510 and I cannot configure it properly.

My problem is that I have 10 public addresses connected to the ASA and each public address is redirected to an internal IP address.

One of these public addresses is the IP address of my ASA.

I need help configuring an access-list and a NAT; the others I will configure myself.

interface Ethernet0/0
 description Interface_WAN_World-Ttrends
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 84.88.36.3 255.255.254.0
!
interface Ethernet0/1
 description Interface_LAN_Ttrends-World
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.252 255.255.254.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Thanks

2 ACCEPTED SOLUTIONS
Cisco Employee

NAT ASA 5510

Hi Daniel,

The public IPs you've mentioned are in the 84.88 subnet and the public IP of the server is in the 88.84 subnet. It is possible that your Inside Internet Router PSTN is not routing traffic to the 88.84 IPs. Could you test with an IP in the 84.88.36.x subnet and let me know? Try configuring the following:

static (inside,outside) 84.88.36.5 10.0.0.15 netmask 255.255.255.255
no access-list Outside_access_Inside extended permit tcp any host 88.84.36.11 eq http
access-list Outside_access_Inside extended permit tcp any host 84.88.36.5 eq http

Regards,

Anu

Cisco Employee

NAT ASA 5510

Hi Daniel,

Could you add the following?

global (inside) 1 interface

let me know.

regards,

Anu

59 REPLIES
Engager

NAT ASA 5510

Hi Daniel,

Your static statements should be something like this:

Let's say your public IP is 1.1.1.1 and the private IP is 10.1.1.1; then you would need the static like:

static (inside,outside) 1.1.1.1 10.1.1.1

Similarly, for the 9 other servers you would need a static statement.

Here's a doc as well:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Hope this helps

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Engager

NAT ASA 5510

And yes, I left out this part; the ACL for the above static example would be:

access-list outside_access_in extended permit ip any host 1.1.1.1

You would need to configure the same for the 9 other servers, and then apply the ACL to the outside interface:

access-group outside_access_in in interface outside

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

Thanks for your reply.

Now I'm going to configure it.

Thanks

Beginner

NAT ASA 5510

Hi,

I configured the following commands, but it didn't work.

static (inside,outside) 88.84.36.3 10.0.0.252
static (inside,outside) 88.84.36.11 10.0.0.15
access-list Outside_access_Inside extended permit tcp any host 10.0.0.15 eq http
access-group Outside_access_Inside in interface outside

I have the following:

The public IP addresses are 84.88.36.x:

1 --> Inside Internet Router PSTN
2 --> Public IP address
3 --> Outside ASA address
4 --> Public IP address
5 --> Public IP address
6 --> Public IP address
7 --> Public IP address
8 --> Public IP address
9 --> Public IP address

Thanks

Engager

NAT ASA 5510

The access-list is wrong, it should be:

access-list Outside_access_Inside extended permit tcp any host 88.84.36.11 eq http
access-group Outside_access_Inside in interface outside

It should work after this.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

Hi,

I'm sorry, but it didn't work. I'm attaching my config because I think I have some errors.

name 10.0.0.6 DNS_1
name 10.0.0.73 PCGARZON
name 10.0.0.0 Red_TTrends
name 10.0.0.7 DNS_2 description DNS_2
dns-guard
!
interface Ethernet0/0
 description Interface_WAN_World-Ttrends
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 84.88.36.3 255.255.254.0
!
interface Ethernet0/1
 description Interface_LAN_Ttrends-World
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.252 255.255.254.0
!
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list INBOUND extended permit tcp any host PCGARZON
access-list INBOUND extended permit tcp host 84.77.66.235 host 84.88.36.3
access-list INBOUND remark We let everything through to 10.0.0.73 - TCP
access-list 104 extended permit tcp host Red_TTrends host 10.0.0.252 eq ssh
access-list 104 extended deny tcp any any eq ssh
access-list 104 extended permit tcp host Red_TTrends host 10.0.0.253 eq ssh
access-list 105 extended permit tcp any any eq 3389
access-list 105 extended permit tcp any any eq ftp
access-list Outside_access_Inside extended permit tcp any host 88.84.36.11 eq www
pager lines 24
logging enable
logging buffered informational
logging asdm debugging
logging from-address fwasa@ttrends.es
logging recipient-address dgarzon@ttrends.es level errors
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool VPN_Pool 10.0.0.212-10.0.0.216 mask 255.255.254.0
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.0.0.207 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.0.0.207 ftp netmask 255.255.255.255
static (inside,outside) 88.84.36.3 10.0.0.252 netmask 255.255.255.255
static (inside,outside) 88.84.36.11 10.0.0.15 netmask 255.255.255.255
access-group Outside_access_Inside in interface outside
route outside 0.0.0.0 0.0.0.0 84.88.36.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy TechnoTrends internal
group-policy TechnoTrends attributes
 dns-server value 10.0.0.6 10.0.0.7
 default-domain value intranet.techno.com
 webvpn
http server enable
http Red_TTrends 255.255.254.0 management
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http Red_TTrends 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server community ttrendsLec
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group TechnoTrends type ipsec-ra
tunnel-group TechnoTrends general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 default-group-policy TechnoTrends
 dhcp-server DNS_1
 dhcp-server DNS_2
tunnel-group TechnoTrends ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group TechnoTrends
telnet Red_TTrends 255.255.255.0 inside
telnet timeout 25
ssh Red_TTrends 255.255.255.0 inside
ssh timeout 25
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

Engager

NAT ASA 5510

Can you run this command and provide me the output:

packet-tracer input outside tcp 1.1.1.1 2345 88.84.36.11 80 detailed

kindly provide me the outputs.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

NAT ASA 5510

I'm sorry, but my OS version does not support this command.

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Error:

ttrendsASA# packet-tracer input outside tcp 1.1.1.1 2345 88.84.36.11 80 detail$
packet-tracer input outside tcp 1.1.1.1 2345 88.84.36.11 80 detailed
^
ERROR: % Invalid input detected at '^' marker.

Cisco Employee

NAT ASA 5510

Hi Daniel,

I think you should upgrade to something newer if it really doesn't matter to you what code you run; just read the release notes before you upgrade so that you understand what is new and different in each code.

As far as the issue is concerned, how are you testing this? I see your static NAT and your interface IP are in different networks.

If that is the case, make sure that your ISP router has a route back, or at least that it does not drop proxy ARPs, because I have seen some ISP routers/modems dropping proxy ARPs. If the router is manageable, you can probably check the ARP entries on it to confirm that it is learning the right MAC for the right IP.

Beginner

NAT ASA 5510

Hi Jitendriya,

Everything runs OK with my other SonicWall firewall. I want to migrate all the rules to my new Cisco ASA.

Security is not my predilection :-P

Pleaseeee I need Help!!!

Participant

NAT ASA 5510

static (inside,outside) 88.84.36.3 10.0.0.252 netmask 255.255.255.255

interface Ethernet0/0
 description Interface_WAN_World-Ttrends
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 84.88.36.3 255.255.254.0
!

Are you sure that your IP addresses are correct? You have different subnets on your outside interface and in the static NAT; I think it's just a typo.
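The two checks the replies above make by hand (Varun: the ACL on the outside interface must name the mapped public address, not the real inside address; Jitendriya and the Participant: every mapped address must sit in the outside interface's subnet, or the ISP router must route it to the ASA) can be run mechanically over a pre-8.3 (7.x) ASA configuration. The Python script below is an added example written for this page; it is not code from the thread or from Cisco. It parses only the interface, one-to-one static, access-list and access-group lines, embeds a constructed sample that reproduces the mistakes discussed in this thread (the sample, the function names and the finding codes are mine), and assumes pre-8.3 semantics, where an interface ACL is evaluated against the address as it appears on that interface, i.e. the mapped address on outside.

```python
import ipaddress
import re

# Constructed sample (not the poster's full running-config): the interface,
# static and access-list lines this thread turns on, with its mistakes.
# 84.88.36.3 is the outside interface itself, 88.84.36.11 is the 84.88/88.84
# transposition, and the ACL names the real inside address 10.0.0.15.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 84.88.36.3 255.255.254.0
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.252 255.255.254.0
static (inside,outside) tcp interface 3389 10.0.0.207 3389 netmask 255.255.255.255
static (inside,outside) 84.88.36.3 10.0.0.252 netmask 255.255.255.255
static (inside,outside) 88.84.36.11 10.0.0.15 netmask 255.255.255.255
access-list Outside_access_Inside extended permit tcp any host 10.0.0.15 eq http
access-group Outside_access_Inside in interface outside
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
STATIC_RE = re.compile(rf"^static \((\w+),(\w+)\) {IPV4} {IPV4}")  # one-to-one form only
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_interfaces(lines):
    """Map nameif -> IPv4Interface from the 'interface' blocks."""
    ifaces, name = {}, None
    for line in lines:
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            _, _, addr, mask = s.split()[:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_addr_spec(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def lint_asa_nat(config_text):
    """Return [(code, message), ...] for static NAT / outside ACL mistakes."""
    lines = config_text.splitlines()
    ifaces = parse_interfaces(lines)
    statics, acls, groups = [], {}, {}
    for line in lines:
        s = line.strip()
        if m := STATIC_RE.match(s):
            statics.append((m[1], m[2], ipaddress.IPv4Address(m[3]), ipaddress.IPv4Address(m[4])))
        elif m := ACL_RE.match(s):
            try:
                src, rest = parse_addr_spec(m[4].split())
                dst, _ = parse_addr_spec(rest)
            except (ValueError, IndexError):
                continue  # 'name' objects and object-groups are out of scope here
            acls.setdefault(m[1], []).append((m[2], src, dst, s))
        elif m := GROUP_RE.match(s):
            groups[m[2]] = m[1]  # interface -> ACL applied inbound on it

    findings, real_to_mapped = [], {}
    for real_if, mapped_if, mapped, real in statics:
        real_to_mapped[real] = mapped
        out = ifaces.get(mapped_if)
        if out is None:
            continue
        if mapped == out.ip:
            findings.append(("MAPPED_IS_INTERFACE_IP",
                f"{mapped} is the {mapped_if} interface address itself; the form for that "
                f"case is port forwarding: static ({real_if},{mapped_if}) tcp interface <port> {real} <port>"))
        elif mapped not in out.network:
            findings.append(("MAPPED_OFF_SUBNET",
                f"{mapped} is outside the {mapped_if} subnet {out.network}; the upstream "
                f"router must route {mapped} to this interface or nothing will arrive"))

    for iface, acl_name in groups.items():
        out = ifaces.get(iface)
        permits = [(src, dst, t) for action, src, dst, t in acls.get(acl_name, []) if action == "permit"]
        for _src, dst, text in permits:
            if dst.prefixlen != 32:
                continue
            host = dst.network_address
            if host in real_to_mapped:
                findings.append(("ACL_USES_REAL_ADDRESS",
                    f"'{text}' names real address {host}; on {iface} the ACL is matched "
                    f"against the mapped address, use host {real_to_mapped[host]}"))
            elif out and host not in out.network and host not in real_to_mapped.values():
                findings.append(("ACL_DEST_UNKNOWN",
                    f"'{text}' permits to {host}, neither in {out.network} nor a mapped address"))
        for _r, mapped_if, mapped, _ in statics:
            if mapped_if == iface and not any(mapped in dst for _s, dst, _t in permits):
                findings.append(("NO_ACL_PERMIT",
                    f"no permit in {acl_name} reaches mapped address {mapped}; inbound "
                    f"connections to it are dropped by the {iface} ACL"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_asa_nat(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run it as-is for the sample, or feed it a saved `show running-config`. Lines that use `name` objects or object-groups are skipped rather than guessed at. Since 7.0(8) has no packet-tracer, verifying a fix on that release means checking `show xlate` for the static entry and the hit counts in `show access-list Outside_access_Inside` after a test connection. The linter says nothing about management exposure; the posted config's `http 0.0.0.0 0.0.0.0 outside` opens ASDM to any source, which deserves tightening in the same pass.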

Beginner

NAT ASA 5510

Hi,

Yes, I'm sure. It's the IP address.

I don't have any subnets. I only have one network.

Thanks

Beginner

NAT ASA 5510

HI,

I'm sorry, it's a mistake. My public IP address is 84.88 and all IPs should be 84.88.

Now I'm going to reconfigure everything.

Thanks.