11-23-2015 06:43 AM - edited 03-11-2019 11:56 PM
Hi guys,
I'm trying to start with a basic setup configuration on a 5505 FW version 8.3(1) where I would like for resources to be accessed from inside to outside, and from outside to inside.
In this example I have 2 laptops sat on each interface and I would like to be able to ping, IIS from one to the other and vice versa.
I can access (Ping + IIS) remote laptop from inside to outside. However, I cannot access from outside to inside.
I've tried adding a rule allowing traffic from outside to in. I've also changed the security levels to match. Unfortunately that didn't work.
Do I have to look at the NAT to get this working?
Your input is much appreciated.
Config file attached
Image is attached:
11-23-2015 07:27 AM
Hi Haider,
Please configure a static NAT to access this device which is inside your network.
object network obj-10.1.1.6
 host <Real IP>
 nat (inside,outside) static <mapped IP>
Since you have allowed all the traffic from out to in we do not need any separate access list to permit the traffic.
Thanks,
Shivapramod M
P.S. Please rate helpful posts.
11-24-2015 12:57 AM
Hi Shivapramod,
Many thanks for the helpful reply. This has worked.
What if I have many servers on both ends and I would like for users from the outside to access servers on the inside and users from the inside to access servers from the outside?
11-26-2015 03:31 AM
Hi Shiva,
Would you be able to answer my second question please rather than me opening a new post if you don't mind?
This is my NAT statement on the ASA:
object network obj-Outside-IP
 host x.x.200.110
object network obj-Outside-IP
 nat (inside,outside) static x.x.200.155
What I'm trying to achieve this time, rather than having one laptop connect to a single laptop, is to have many resources on the inside access resources on the outside, and vice versa.
Just need confirmation before I plug this one in.
Many thanks,
11-26-2015 05:15 PM
Hi Haider,
In the current configuration we are having a one to one NAT. Here one inside IP is mapped to one public IP. Any outside user can access this IP from outside if it is permitted via ACL.
If you have multiple servers inside your network then either we can create multiple NAT like above with different map IP or we can create multiple static NAT with the same IP using the different port translation. This depends on your requirement, if you do not want the communication via a specific port then you can create multiple static NAT entries.
Please refer
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html
sample configuration:
object network obj-10.1.1.16
 host <real IP>
 nat (inside,outside) static 192.168.100.100 service tcp <real port> <mapped port>
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
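The many-servers case discussed in this thread, written out as an added example (not configuration posted by anyone in the thread): two inside servers share the mapped IP 192.168.100.100 through static port translation, the rest of the inside network reaches the outside through dynamic PAT, and the outside ACL is narrowed to the published services instead of permitting all traffic. The real IPs, ports, object names and the ACL name OUTSIDE_IN are assumptions chosen for illustration.

```cisco
! Constructed example for ASA 8.3 and later (object NAT syntax).
! Real IPs, ports, object names and ACL name are illustrative assumptions.
!
! Server 1: inside tcp/80 published as 192.168.100.100:80
object network obj-web1
 host 10.1.1.16
 nat (inside,outside) static 192.168.100.100 service tcp 80 80
!
! Server 2: inside tcp/80 published as 192.168.100.100:8080
object network obj-web2
 host 10.1.1.17
 nat (inside,outside) static 192.168.100.100 service tcp 80 8080
!
! Everything else on the inside goes out through PAT on the outside interface
object network obj-inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! From 8.3 onward the interface ACL matches the REAL (inside) address and
! REAL port, not the mapped ones. Permit only what is published; the
! implicit deny at the end of the ACL drops all other outside-to-inside traffic.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.16 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.17 eq 80
access-group OUTSIDE_IN in interface outside
```

After applying, `show nat detail` and `show xlate` list the translations, and `packet-tracer input outside tcp <outside host IP> 12345 192.168.100.100 8080` shows which NAT rule and ACL line a test connection hits.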