ASA 5505 Access from inside to outside and outside to inside

haidar_alm
Level 1

Hi guys,

I'm trying to start with a basic setup configuration on a 5505 FW version 8.3(1) where I would like for resources to be accessed from inside to outside, and from outside to inside.

In this example I have 2 laptops sat on each interface and I would like to be able to ping, IIS from one to the other and vice versa.

I can access (Ping + IIS) remote laptop from inside to outside. However, I cannot access from outside to inside.

I've tried adding a rule allowing traffic from outside to in. I've also changed the security levels to match. Unfortunately that didn't work.

Do I have to look at the NAT to get this working?

Your input is much appreciated.

Config file attached

Image is attached:

1 Accepted Solution

Shivapramod M
Level 1

Hi Haider,

Please configure a static NAT to access this device which is inside your network.

object network obj-10.1.1.6
host <Real IP>
nat (inside,outside) static <mapped IP>

Since you have allowed all the traffic from out to in we do not need any separate access list to permit the traffic.

Thanks,

Shivapramod M

P.S. Please rate helpful posts.

Hi Shivapramod,

Many thanks for the helpful reply. This has worked.

What if I have many servers on both ends and I would like for users from the outside to access servers on the inside and users from the inside to access servers from the outside?

Hi Shiva,

Would you be able to answer my second question please rather than me opening a new post if you don't mind?

This is my NAT statement on the ASA:

object network obj-Outside-IP
 host x.x.200.110


object network obj-Outside-IP
nat (inside,outside) static x.x.200.155

What I'm trying to achieve this time is rather than having one laptop connect to a single laptop is to have many resources on the inside access resources on the outside, and vice versa.

Just need confirmation before I plug this one in.

Many thanks,

Hi Haider,

In the current configuration we are having a one to one NAT. Here one inside IP is mapped to one public IP. Any outside user can access this IP from outside if it is permitted via ACL.

If you have multiple servers inside your network then either we can create multiple NAT like above with different map IP or we can create multiple static NAT with the same IP using the different port translation. This depends on your requirement, if you do not want the communication via a specific port then you can create multiple static NAT entries.

Please refer to:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

sample configuration:
object network obj-10.1.1.16
host <real IP>
nat (inside,outside) static 192.168.100.100 service tcp <real port> <mapped port>

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
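
Added example, not part of the original thread: a sketch for ASA 8.3 or later of the two options described in the reply above (one mapped IP per server, or one shared mapped IP with port translation), plus dynamic PAT for inside users going out. All object names, the 10.1.1.x server addresses and the 192.0.2.x mapped addresses are constructed for illustration, and the outside ACL is scoped to the published ports instead of permitting all traffic.

```cisco
! Constructed lab addressing: inside 10.1.1.0/24, mapped IPs from 192.0.2.0/24.
!
! Option 1: one-to-one static NAT, a separate mapped IP per inside server.
object network srv-web1
 host 10.1.1.6
 nat (inside,outside) static 192.0.2.10
object network srv-web2
 host 10.1.1.7
 nat (inside,outside) static 192.0.2.11
!
! Option 2: static PAT, several servers behind one mapped IP.
! Syntax is "service tcp <real port> <mapped port>".
! An object holds only one nat statement, so each published
! service gets its own object.
object network srv-web3-http
 host 10.1.1.16
 nat (inside,outside) static 192.0.2.20 service tcp 80 80
object network srv-web4-http
 host 10.1.1.17
 nat (inside,outside) static 192.0.2.20 service tcp 80 8080
!
! Inside users reaching outside servers: dynamic PAT behind the
! outside interface address covers the whole inside subnet.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outside ACL. From 8.3 onward the ACL matches the REAL (inside)
! address and REAL port, not the mapped ones.
access-list outside_in extended permit tcp any host 10.1.1.6 eq www
access-list outside_in extended permit tcp any host 10.1.1.7 eq www
access-list outside_in extended permit tcp any host 10.1.1.16 eq www
access-list outside_in extended permit tcp any host 10.1.1.17 eq www
access-group outside_in in interface outside
```

After applying, `show nat` and `show xlate` list the translations in use, and `packet-tracer` can confirm that a given outside flow matches both the NAT rule and the ACL entry.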
