Solved: ASA 5505 nat

marktaylor47 · ‎09-11-2012

I have a 5505 between a vendor router & my company network, vendor is not able to access devices on internal network. I am also not able to access the firewall via asdm, please see attached config.

thanks

varrao · ‎09-12-2012

You can definitely give this a try:

object network vendor_network

subnet xx.xx.xx.xx

object network network_1

subnet 10.1.1.0 255.255.255.0

object network network_2

subnet 10.88.10.0 255.255.255.0

nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1

nat (outside,inside) source static vendor_network vendor_network destination static network_2 network_2

access-list external extended permit ip 10.1.1.0 255.255.255.0

access-list external extended permit ip 10.88.10.0 255.255.255.0

access-group external in interface outside

This should work.

Thanks,

Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

View solution in original post

varrao · ‎09-11-2012

Hi Mark,

You are using a very old incompatible version of ASDM, you woudl need to upgrade the ASDM to the latest 6.4.9, and yours is:

asdm image disk0:/asdm-524.bin

There is no configuration in teh file which would give access of your internal network to the outside vendor, what machines does the vendor need to access?? You would need to put a NAT for it.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

marktaylor47 · ‎09-12-2012

Hi Varun,

Vendor need access to servers on 10.1.1.0 & 10.88.10.0 networks, new to firewalls, can you give an example of nat.

thanks

varrao · ‎09-12-2012

You can definitely give this a try:

object network vendor_network

subnet xx.xx.xx.xx

object network network_1

subnet 10.1.1.0 255.255.255.0

object network network_2

subnet 10.88.10.0 255.255.255.0

nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1

nat (outside,inside) source static vendor_network vendor_network destination static network_2 network_2

access-list external extended permit ip 10.1.1.0 255.255.255.0

access-list external extended permit ip 10.88.10.0 255.255.255.0

access-group external in interface outside

This should work.

Thanks,

Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

marktaylor47 · ‎09-12-2012

Hi varun,

Thank you for the reply, vendor has many networks & I found out that they will be accessing a
single server 10.1.1.6, I have made following changes

!
object-group network vendor_network
network-object 10.160.8.0 255.255.255.0
network-object 10.194.5.0 255.255.255.0
network-object 10.196.8.0 255.255.255.0
network-object 10.216.28.0 255.255.255.0
!
object network network_1
subnet 10.1.1.6 255.255.255.255
!
nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1
!
access-list external extended permit ip host 10.1.1.6 - entry for each vendor network
!

Please let me know if changes will work.

thanks

varrao · ‎09-12-2012

Yes, it is the correct configuration that you would need.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

marktaylor47 · ‎09-12-2012

Hi Varun,

thanks again for your help, I will be applying the changes tomorrow & let you know.

regards

marktaylor47 · ‎09-12-2012

Hi Varun,

do I have to remove following:

nat (inside,outside) source dynamic Inside_Internal interface

thnks

varrao · ‎09-12-2012

Hi Mark,

No you need not remove it, thats for internal users to access outside resources.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

marktaylor47 · ‎09-12-2012

Hi Varun,

I started ASDM, it gave me an error message to downgrade to 8.2 as not enough RAM. I downgraded & nat statements are gone, I tried to add but it doesn't give me the options, what will be the config for 8.2(5) ?

thanks

marktaylor47 · ‎09-13-2012

Hi Varun,

please send nat for 8.2.5.

thanks