
ASA 5505 nat

marktaylor47
Level 1

I have a 5505 between a vendor router and my company network; the vendor is not able to access devices on the internal network. I am also not able to access the firewall via ASDM. Please see the attached config.

thanks


10 Replies

varrao
Level 10

Hi Mark,

You are using a very old, incompatible version of ASDM; you would need to upgrade the ASDM to the latest, 6.4.9. Yours is:

asdm image disk0:/asdm-524.bin

There is no configuration in the file which would give the outside vendor access to your internal network. What machines does the vendor need to access? You would need to put a NAT in place for it.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hi Varun,

The vendor needs access to servers on the 10.1.1.0 and 10.88.10.0 networks. I'm new to firewalls; can you give an example of NAT?

thanks

You can definitely give this a try:

object network vendor_network
  subnet xx.xx.xx.xx
object network network_1
  subnet 10.1.1.0 255.255.255.0
object network network_2
  subnet 10.88.10.0 255.255.255.0
!
! Identity (twice) NAT: vendor and internal addresses are kept unchanged in both directions
nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1
nat (outside,inside) source static vendor_network vendor_network destination static network_2 network_2
!
! Inbound ACL on outside: source is the vendor network, destination the internal networks (real addresses on 8.3+)
access-list external extended permit ip object vendor_network object network_1
access-list external extended permit ip object vendor_network object network_2
access-group external in interface outside

This should work.

Thanks,

Varun Rao
Security Team,
Cisco TAC

Hi varun,

Thank you for the reply. The vendor has many networks, and I found out that they will be accessing a single server, 10.1.1.6. I have made the following changes:

!
object-group network vendor_network
network-object 10.160.8.0 255.255.255.0
network-object 10.194.5.0 255.255.255.0
network-object 10.196.8.0 255.255.255.0
network-object 10.216.28.0 255.255.255.0
!
object network network_1
  subnet 10.1.1.6 255.255.255.255
!
nat (outside,inside) source static vendor_network vendor_network destination static network_1 network_1
!
! one line covers every network in the vendor_network group (source = vendor, destination = the server)
access-list external extended permit ip object-group vendor_network host 10.1.1.6
!

Please let me know if changes will work.

thanks

Yes, it is the correct configuration that you would need.

Thanks,
Varun Rao
Security Team,
Cisco TAC

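A verification pass for the 8.3-style identity NAT and ACL above, added here as an example and not part of the thread. It assumes the addresses the thread names (a vendor host in 10.160.8.0/24, the server 10.1.1.6) and an assumed service port of TCP 22:

```cisco
! Added example, not from the thread: check the translation and ACL before the vendor tests.
! Vendor host 10.160.8.10 and port 22 are assumptions; 10.1.1.6 is the server from the thread.
show running-config nat
show nat detail
show access-list external
! Simulate an inbound vendor connection; every phase should show ALLOW and the result "Action: allow"
packet-tracer input outside tcp 10.160.8.10 40000 10.1.1.6 22 detailed
! Once the vendor really connects, the identity translation and the connection should be visible
show xlate | include 10.1.1.6
show conn address 10.1.1.6
```

If packet-tracer drops in the NAT phase, the source/destination pair does not match the twice-NAT rule; if it drops in the ACCESS-LIST phase, the ACL is written against the wrong addresses or not applied to the outside interface. Note that `permit ip` lets the vendor reach every service on the server; once the required port is known, narrowing the ACL to that protocol and port is the usual hardening step.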
Hi Varun,

Thanks again for your help. I will be applying the changes tomorrow and let you know.

regards

Hi Varun,

Do I have to remove the following:

nat (inside,outside) source dynamic Inside_Internal interface

thanks

Hi Mark,

No, you need not remove it; that's for internal users to access outside resources.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hi Varun,

I started ASDM; it gave me an error message to downgrade to 8.2 as there is not enough RAM. I downgraded, and the NAT statements are gone. I tried to add them, but it doesn't give me the options. What will be the config for 8.2(5)?

thanks

Hi Varun,

Please send the NAT for 8.2.5.

thanks
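The thread ends without the 8.2(5) version. What follows is an added example, not Varun's or Mark's configuration, of how the same rules are expressed on an 8.2 ASA, where the `nat ... source static` twice-NAT syntax does not exist and identity access is done with a static translation. It uses the vendor networks and the server from Mark's post; the outbound rules assume that Inside_Internal covered 10.1.1.0/24 and 10.88.10.0/24, and the port in the tighter ACL and in the packet-tracer check is an assumption.

```cisco
! Added example (not from the thread): 8.2(5) equivalent of the 8.3-style identity NAT above.
! Vendor networks and server are the ones the thread names; ports and Inside_Internal contents are assumptions.
object-group network vendor_network
  network-object 10.160.8.0 255.255.255.0
  network-object 10.194.5.0 255.255.255.0
  network-object 10.196.8.0 255.255.255.0
  network-object 10.216.28.0 255.255.255.0
!
! Outbound PAT for internal users, the 8.2 form of "nat (inside,outside) source dynamic Inside_Internal interface"
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.88.10.0 255.255.255.0
global (outside) 1 interface
!
! Identity static: 10.1.1.6 is presented on the outside as itself, so the vendor can initiate to it.
! Statics are evaluated before the dynamic nat/global pair, so the outbound rules above are unaffected.
static (inside,outside) 10.1.1.6 10.1.1.6 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface match the mapped address; with identity NAT that is the real one.
access-list external extended permit ip object-group vendor_network host 10.1.1.6
! Tighter alternative once the needed service is known (assumed here to be SSH):
! access-list external extended permit tcp object-group vendor_network host 10.1.1.6 eq 22
access-group external in interface outside
!
! Verify with a constructed vendor host; the final line should read "Action: allow"
packet-tracer input outside tcp 10.160.8.10 40000 10.1.1.6 22
```

After applying this, `show xlate` should list 10.1.1.6 translated to itself, and `show nat` should show the static ahead of the dynamic rule. Without the static, an inbound connection to a host covered only by the dynamic `nat (inside) 1` rule is dropped for lack of a translation, which is the symptom the thread started with.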
