09-11-2012 08:03 PM - edited 03-11-2019 04:52 PM
I have a 5505 between a vendor router & my company network; the vendor is not able to access devices on the internal network. I am also not able to access the firewall via ASDM. Please see the attached config.
Thanks
09-11-2012 08:32 PM
Hi Mark,
You are using a very old, incompatible version of ASDM. You would need to upgrade ASDM to the latest 6.4.9, and yours is:
asdm image disk0:/asdm-524.bin
There is no configuration in the file which would give the outside vendor access to your internal network. What machines does the vendor need to access? You would need to put a NAT for it.
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-12-2012 04:43 AM
Hi Varun,
The vendor needs access to servers on the 10.1.1.0 & 10.88.10.0 networks. I am new to firewalls; can you give an example of NAT?
Thanks
09-12-2012 04:59 AM
You can definitely give this a try:
object network vendor_network
 subnet xx.xx.xx.xx
object network network_1
 subnet 10.1.1.0 255.255.255.0
object network network_2
 subnet 10.88.10.0 255.255.255.0
nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1
nat (outside,inside) source static vendor_network vendor_network destination static network_2 network_2
access-list external extended permit ip
access-list external extended permit ip
access-group external in interface outside
This should work.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-12-2012 07:32 AM
Hi Varun,
Thank you for the reply. The vendor has many networks, and I found out that they will be accessing a single server, 10.1.1.6. I have made the following changes:
!
object-group network vendor_network
 network-object 10.160.8.0 255.255.255.0
 network-object 10.194.5.0 255.255.255.0
 network-object 10.196.8.0 255.255.255.0
 network-object 10.216.28.0 255.255.255.0
!
object network network_1
 subnet 10.1.1.6 255.255.255.255
!
nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1
!
access-list external extended permit ip
!
Please let me know if the changes will work.
Thanks
09-12-2012 07:35 AM
Yes, it is the correct configuration that you would need.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-12-2012 07:42 AM
Hi Varun,
Thanks again for your help. I will be applying the changes tomorrow & will let you know.
Regards
09-12-2012 08:44 AM
Hi Varun,
Do I have to remove the following:
nat (inside,outside) source dynamic Inside_Internal interface
Thanks
09-12-2012 08:46 AM
Hi Mark,
No, you need not remove it; that's for internal users to access outside resources.
Thanks,
Varun Rao
Security Team,
Cisco TAC
09-12-2012 10:18 AM
Hi Varun,
I started ASDM, and it gave me an error message to downgrade to 8.2 as there is not enough RAM. I downgraded & the nat statements are gone. I tried to add them, but it doesn't give me the options. What will be the config for 8.2(5)?
Thanks
09-13-2012 03:57 AM
Hi Varun,
Please send the nat for 8.2.5.
Thanks