cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21469
Views
10
Helpful
21
Replies

ASA 5510 with Static NAT

psaravanan
Level 1
Level 1

Hi friends,

I am saravanan from Bangalore. In one of our customer require to put static IP to access from outside (internet).

Inside ------------------------> ASA 5510 -----------------> 1800 router  ------>  outside

192.168.10.0/24    .254            10.1.1.253/30     .254/30            218.X.X.177

Actually here In router we configured the static nat translation, but i want to configure in ASA 5510, so i tried to configure in static nat but i can't able to configure. Please check the config.

then i want to allow FTP, Telnet, Remote desktop, http, https also.

static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255


i want to access 192.168.10.200, 201, 202, 203, 204 IP address to access outside 218.X.X.180, 181, 182, 183.

Router config

interface FastEthernet0/0
ip address 218.X.X.177 255.255.255.240
ip access-group 102 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.252
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.X.X.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
!
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.0.0 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 127.0.0.0 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 204.152.64.0 0.0.0.1 any
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any
access-list 102 deny   icmp any any
access-list 102 deny   tcp any any eq ident
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 447
access-list 102 deny   tcp any any eq 81
access-list 102 deny   tcp any any eq 135
access-list 102 deny   tcp any any eq 444
access-list 102 deny   tcp any any eq 445
access-list 102 permit ip any any

ASA Config

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.1.1.253 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
access-list BROWSING extended permit ip 192.168.10.0 255.255.255.0 any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group INTERNET in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.254 1
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5

21 Replies 21

psaravanan,

Sounds like there is few things you need to take in to consideration based on what others have commented.

Question
=========
Is your internet router managed by your or ISP?

If you plan to have the NAT on the ASA since you are introducing the ASA in to your LAN (option i would go for) then you need to get ISP to allocate you a public IP's for connection between ASA->Router. This will require a small IP changes on your web tier between the ASA->Router and remove all NAT entries on the router and enable on ASA (simple config change). Looking at your configs you dont have a lot to change so you might be able to do it all in one go.

Or we try to get your existing design working.

I will build your existing config in the lab hopefully tonight test. will get back to you


Francisco..

OK I got Psaravanan setup working with Internet Router doing NAT and configured ASA with no nat-control enable. The ASA is only routing with NAT disable.

In the lab i setup 3 routers 1 ASA as:

ISP Router  - > WAN Router - This is ISP to Client router connectivity

WAN Router - > ASA FW- This is Client Internet Router to Client Firewall

ASA FW - Core Router - This is Client Firewall to Private Core switch

I used the Core router as client to test telnet connectivity by enabling NAT on WAN Router and enable ACL and routing on ASA to forward NATed telnet traffic to Core for telnet traffic from ISP Router.

See attachment for configs inc testing result..

Hope that makes sense...

Psaravanan,

To get your config going just use the config i have attached as an example to configure your ASA and static source NAT on your router. The config is very simple. If you decided to enable the NAT on the ASA then just follow URL i mentioned above.

Good luck..

Francisco

Thanks mr. Francisco,

My exciting setup is like this only, I already used static NAT in Router, but that router has hang after 20 minutes while using from outside. So i want to change the Static NAT in to ASA.

Then i configured Static NAT in ASA, but it's not working properly.

To enable NAT on the ASA for public connections then you gonna have to change IP's on interface between Your ISP router and ASA and make some changes to remove NAT on router and enable it on ASA.


Before going down that path try the steps below on your current setup and let us know outcome.


On the Router
#############

ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185

interface FastEthernet0/0
no ip access-group 102 in  (No need for this as your ASA is now taking care of this)

ON ASA
########


no Nat-Control
access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq [your traffic port] log
access-list INTERNET extended permit tcp host 218.X.X.185 host 192.168.10.115 eq [your traffic port]  log

no static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
no access-list INTERNET extended permit ip any any
no access-list INTERNET extended permit icmp any any

For example if you server is listening on http

access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq http log


Testing
########

Test by connecting to 218.X.X.184 on whatever port you are allowed on ASA (server inside should be listening on port)

Look at "SH ip nat translations" on your router - post the output

And debug flow on ASA and post the output

Dear:

The third way is removing the router.

THX

Keisikka

Sorry frnds,

till i can't able to resolve it.

In router side, i enable routing table.

ip route 192.168.10.0 255.255.255.0 10.1.1.253

then in ASA side, i enable the icmp permit.

icmp permit any OUTSIDE

from ASA to router ip 10.1.1.254, i can able to ping it.

from router to ASA ip 10.1.1.253, i can able to ping it. but 192.168.10.0 network any ip, i can't able to ping from router. I enabled the route.

I thing, if i can able to ping from router, then the problem will solve.

In ASA, I already enabled Static NAT to outside ip . Then router will pass all traffic to ASA which are coming fromm outside.

pls. give a valuable suggestion

I have ASA 5510 connected to the ISP router and Cisco switch 2948G-GE-TX inside:

PC====>2948G-GE-TX======>ASA 5510======>ISP (my actual lab for CCNA)

I can connect to the internet with no problem 

 

interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended deny tcp any 192.168.10.0 255.255.255.0 eq www
access-list 101 extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username kamal password MKjCmOlZGuYOo4cf encrypted

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.5-192.168.10.100 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
you can use this template as a reference:

Step2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 192.168.1.254 255.255.255.252
ASA5510(config-if)# no shut

 

Step3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

 

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

 

Step 5: Configure Default Route towards the ISP (assume default gateway is 192.168.1.1)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.0

 

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 192.168.1.1
ASA5510(config)# dhcpd address 192.168.10.0-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

Review Cisco Networking for a $25 gift card