12-15-2009 09:39 AM - edited 03-11-2019 09:48 AM
Hi friends,
I am Saravanan from Bangalore. One of our customers requires a static IP that is reachable from outside (the internet).
Inside (192.168.10.0/24) ------> ASA 5510 (inside .254, outside 10.1.1.253/30) ------> 1800 router (inside 10.1.1.254/30, outside 218.X.X.177) ------> outside
Currently the static NAT translation is configured on the router, but I want to configure it on the ASA 5510. I tried to configure a static NAT there but was not able to. Please check the config.
I also want to allow FTP, Telnet, Remote Desktop, HTTP and HTTPS.
static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255
I want the inside addresses 192.168.10.200, 201, 202, 203, 204 to be accessible from outside as 218.X.X.180, 181, 182, 183.
Router config
interface FastEthernet0/0
ip address 218.X.X.177 255.255.255.240
ip access-group 102 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.252
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.X.X.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
!
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.0.0 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip host 127.0.0.0 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 204.152.64.0 0.0.0.1 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny icmp any any
access-list 102 deny tcp any any eq ident
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 447
access-list 102 deny tcp any any eq 81
access-list 102 deny tcp any any eq 135
access-list 102 deny tcp any any eq 444
access-list 102 deny tcp any any eq 445
access-list 102 permit ip any any
ASA Config
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.1.1.253 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
access-list BROWSING extended permit ip 192.168.10.0 255.255.255.0 any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group INTERNET in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.254 1
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
12-15-2009 10:31 AM
On the ASA do the following:
1. Add NAT exemption with an ACL. Deny this one host, 192.168.10.200, going anywhere and permit the rest in the ACL.
2. Remove the identity static line
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
3. Add this static line
static (inside, outside) 218.X.X.180 192.168.10.200 netmask 255.255.255.255
or as static PAT:
static (inside, outside) tcp 218.X.X.180 21 192.168.10.200 21 netmask 255.255.255.255
static (inside, outside) tcp 218.X.X.180 23 192.168.10.200 23 netmask 255.255.255.255
static (inside, outside) tcp 218.X.X.180 3389 192.168.10.200 3389 netmask 255.255.255.255
static (inside, outside) tcp 218.X.X.180 443 192.168.10.200 443 netmask 255.255.255.255
4. On the router remove 218.X.X.180 from the pool.
Honestly I would either move all the translation onto the ASA or leave it on the Router. You are trying to leave dynamic NAT on the router and move the static NAT onto the ASA.
-KS
12-15-2009 10:42 AM
thanks for your reply,
I already tried removing the 218.X.X.180 pool from the router, but then the internet connection does not reach my ASA.
Then I tried the following commands on the router.
ip nat inside 192.168.10.0 255.255.255.0
ip global outside interface.
These commands also did not work on the router (not able to connect to the internet).
12-15-2009 11:11 AM
Saravanan,
Pls. let us know once you complete all the steps that I listed.
You need to overload it to the outside interface IP address if that is the only address in the pool.
ip nat inside source list 101 interface FastEthernet0/0 overload
Once done, get the output of "sh xlate debug | i 192.168.1.200" and make sure the ASA is translating the address properly.
-KS
01-02-2010 10:00 AM
Hi friends,
I already tried the below configuration, but it's not working.
Router config:
I removed the pool, then used the FastEthernet interface with overload
ip nat inside source list 101 interface fastethernet 0/1 overload
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
Then on the ASA 5510 side I created static NAT:
static(inside,outside) 218.X.X.181 tcp 21 192.168.10.111 tcp 21 netmask 255.255.255.255
static(inside,outside) 218.X.X.181 tcp 23 192.168.10.111 tcp 23 netmask 255.255.255.255
static(inside,outside) 218.X.X.181 tcp http 192.168.10.111 tcp http netmask 255.255.255.255
static(inside,outside) 218.X.X.181 tcp https 192.168.10.111 tcp https netmask 255.255.255.255
static(inside,outside) 218.X.X.182 192.168.10.112 netmask 255.255.255.255
Even so, I am not able to connect from outside.
Please help me.
01-03-2010 09:48 AM
Hi ,
I saw so many ACLs in the 1800 router; it seems to be performing the firewall function, and you also have an ASA. I am wondering whether the architecture is appropriate.
Regards,
Yang
12-15-2009 11:20 PM
Hi Buddy,
Please take care of your routing information.
THX
Keisikka
01-03-2010 03:54 AM
Hi friends,
Please tell me the right solution. I want to permit the particular outside IP on my router; is that OK or not?
01-03-2010 03:53 PM
Saravanan,
If I remember right you were going to remove the IP from the pool on the router and use the interface to PAT and do static translation on the ASA.
You need to verify the following.
1. Static PAT translation is working on the ASA: "sh xlate debug | i 192.168.10.200"
2. The router will send packets to the ASA for this particular IP address.
3. Collect captures on the ASA to see if packets are arriving.
4. Check the logs on the ASA to see what they may be revealing.
5. Most of all, the ACL applied on the outside interface of the ASA is allowing this traffic.
Pls. remember to verify the following for all flows through the firewall.
Route
Translation
Permission
-KS
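The steps KS listed earlier (NAT exemption ACL, static PAT on the ASA, interface overload on the router) and the Route / Translation / Permission checks from this post, written out as one added example. This is not configuration from anyone in the thread. It assumes the pre-8.3 static / nat 0 syntax the thread already uses, an ACL name NONAT of my choosing, a /32 route plus proxy ARP on the router's outside interface so the router answers for 218.X.X.180 on the public segment, and a constructed test source 203.0.113.10 for packet-tracer. 218.X.X.180 is the masked address from the thread.

```cisco
! ===== ASA 5510 (pre-8.3 NAT syntax, as used in this thread) =====
! Translation: exempt the inside subnet from NAT, but NOT the server,
! so the static PAT below is the only rule that applies to it.
access-list NONAT extended deny ip host 192.168.10.200 any
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
no static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
! Only the four services are exposed on the public address.
static (inside,OUTSIDE) tcp 218.X.X.180 21 192.168.10.200 21 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 23 192.168.10.200 23 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 443 192.168.10.200 443 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 3389 192.168.10.200 3389 netmask 255.255.255.255
! Permission: pre-8.3 interface ACLs match the mapped (public) address.
! Narrow the existing "permit ip any any" to the published services.
no access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 21
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 23
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 443
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 3389
access-group INTERNET in interface OUTSIDE

! ===== 1800 router =====
! Route: the public address lives behind the ASA, so forward it there.
! ASSUMPTION: proxy ARP stays enabled on FastEthernet0/0 (IOS default),
! so the router answers the upstream ARP for 218.X.X.180.
ip route 218.X.X.180 255.255.255.255 10.1.1.253
! Translation: PAT everyone else to the interface address. Remove the
! pool mapping before the pool itself, or IOS refuses to delete the pool.
clear ip nat translation *
no ip nat inside source list 101 pool INTERNET overload
no ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 interface FastEthernet0/0 overload
! Keep the server's already-translated source out of the overload list
! (explicit deny before the permit, as KS asked for).
no access-list 101
access-list 101 deny   ip host 218.X.X.180 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

! ===== Verification, in the order Route / Translation / Permission =====
! Router: is the public address forwarded towards the ASA?
show ip route 218.X.X.180
show ip nat translations
! ASA: does the static PAT exist and get hit?
show xlate debug | include 192.168.10.200
! ASA: simulate one inbound RDP connection from the constructed source
! and read the NAT and ACCESS-LIST phases for ALLOW or DROP.
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 218.X.X.180 3389
! ASA: are packets for the public address actually arriving?
capture CAP interface OUTSIDE match tcp any host 218.X.X.180 eq 3389
show capture CAP
no capture CAP
! ASA: what do the logs say about the flow?
show logging | include 192.168.10.200
```

If packet-tracer reports a DROP in the NAT phase, the static PAT or the nat 0 exemption is wrong; a DROP in the ACCESS-LIST phase means the OUTSIDE ACL does not match the mapped address; and an empty capture with a correct route on the router points at the ARP/route step on the public segment.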
01-03-2010 04:33 PM
How do you expect the ASA to do statics for the outside IPs when they exist in front of the 1800? No packets will reach the ASA with a destination containing those addresses. The traffic will stop in your router because it is doing NAT. Why don't you just put the router and the ASA on the same segment? I don't see any reason why you're doing it like you're doing.
01-04-2010 05:33 AM
It is very much possible to do what Saravanan is trying to accomplish provided he configures the ASA and router properly.
Pls. also make sure that this traffic (static pat) is exempted in the nat overload list that you have added on the router. You need a deny before the permit.
-KS
01-04-2010 05:44 AM
saravanan,
Why don't you simplify your configuration by letting the ASA take care of the destination NAT translations instead? You don't need NAT enabled on your internet router when you have a firewall that can handle NAT. By having NAT on both the router and the ASA you are adding more complexity!
Here is a simple design that will work for you http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t5
01-04-2010 06:11 AM
Exactly. I had suggested that the first time I responded to his query.
-KS
01-04-2010 07:44 AM
And doing that requires that he change his IP addressing scheme and get rid of NAT. So basically a completely new setup.
01-04-2010 07:44 PM
So, dear guys:
I think there will be 2 ways.
1. Disable NAT control on the ASA and put all NAT on the router.
2. Divide the public IP range into 2 segments: the first on the router outside, the second on the router inside and ASA outside. Then NAT can reside on both the ASA and the router.
THX
Keisikka