12-15-2009 09:39 AM - edited 03-11-2019 09:48 AM
Hi friends,
I am Saravanan from Bangalore. At one of our customers we need to assign static public IPs so that inside hosts can be accessed from outside (the internet).
Inside ----------------------> ASA 5510 ----------------> 1800 router ------> outside
192.168.10.0/24 (ASA inside .254) | 10.1.1.253/30 (ASA outside) -- .254/30 (router) | 218.X.X.177
Currently the static NAT translation is configured on the router, but I want to configure it on the ASA 5510. I tried to configure static NAT there, but I was not able to. Please check the config.
I also want to allow FTP, Telnet, Remote Desktop, HTTP and HTTPS.
static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255
I want the inside addresses 192.168.10.200, 201, 202, 203 and 204 to be reachable from outside as 218.X.X.180, 181, 182 and 183.
Router config
interface FastEthernet0/0
ip address 218.X.X.177 255.255.255.240
ip access-group 102 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.252
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.X.X.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
!
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.0.0 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip host 127.0.0.0 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 204.152.64.0 0.0.0.1 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny icmp any any
access-list 102 deny tcp any any eq ident
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 447
access-list 102 deny tcp any any eq 81
access-list 102 deny tcp any any eq 135
access-list 102 deny tcp any any eq 444
access-list 102 deny tcp any any eq 445
access-list 102 permit ip any any
ASA Config
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.1.1.253 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
access-list BROWSING extended permit ip 192.168.10.0 255.255.255.0 any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group INTERNET in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.254 1
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
01-05-2010 05:42 AM
psaravanan,
Sounds like there are a few things you need to take into consideration based on what others have commented.
Question
=========
Is your internet router managed by you or by the ISP?
If you plan to have the NAT on the ASA, since you are introducing the ASA into your LAN (the option I would go for), then you need to get the ISP to allocate you public IPs for the connection between ASA and router. This will require small IP changes on your web tier between the ASA and router, removing all NAT entries on the router and enabling them on the ASA (a simple config change). Looking at your configs you don't have a lot to change, so you might be able to do it all in one go.
Or we try to get your existing design working.
I will build your existing config in the lab, hopefully tonight, and test it. Will get back to you.
Francisco..
01-05-2010 04:54 PM
OK, I got Psaravanan's setup working with the internet router doing NAT and the ASA configured with no nat-control enabled. The ASA is only routing, with NAT disabled.
In the lab I set up 3 routers and 1 ASA as:
ISP Router -> WAN Router: this is the ISP to client router connectivity
WAN Router -> ASA FW: this is the client internet router to client firewall
ASA FW -> Core Router: this is the client firewall to private core switch
I used the Core router as the client to test telnet connectivity, by enabling NAT on the WAN router and enabling the ACL and routing on the ASA to forward the NATed telnet traffic from the ISP router to the Core.
See the attachment for the configs, including the test results.
Hope that makes sense...
Psaravanan,
To get your config going, just use the config I have attached as an example to configure your ASA and the static source NAT on your router. The config is very simple. If you decide to enable the NAT on the ASA, then just follow the URL I mentioned above.
Good luck..
Francisco
01-06-2010 08:42 AM
Thanks mr. Francisco,
My existing setup is exactly like this. I already used static NAT on the router, but that router hangs after 20 minutes of use from outside. So I want to move the static NAT onto the ASA.
Then I configured static NAT on the ASA, but it's not working properly.
01-06-2010 09:26 AM
To enable NAT on the ASA for public connections, you are going to have to change the IPs on the interface between your ISP router and the ASA, and make some changes to remove NAT on the router and enable it on the ASA.
Before going down that path, try the steps below on your current setup and let us know the outcome.
On the Router
#############
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
interface FastEthernet0/0
no ip access-group 102 in
! No need for this, as your ASA is now taking care of this
ON ASA
########
no nat-control
access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq [your traffic port] log
access-list INTERNET extended permit tcp host 218.X.X.185 host 192.168.10.115 eq [your traffic port] log
no static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
no access-list INTERNET extended permit ip any any
no access-list INTERNET extended permit icmp any any
For example, if your server is listening on HTTP:
access-list INTERNET extended permit tcp host 218.X.X.184 host 192.168.10.114 eq http log
Testing
########
Test by connecting to 218.X.X.184 on whatever port you have allowed on the ASA (the server inside should be listening on that port).
Look at "show ip nat translations" on your router and post the output.
Also run a debug flow on the ASA and post the output.
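One way to check an ASA 8.0-style config for the three problems raised in this thread (the inbound any/any ACL on the outside interface, the identity static for the whole /24, and the port-forwarding static written without ports and with a mis-cased nameif), as an added example that is not part of any post here. ASA_CONFIG is constructed from psaravanan's posted config; the parser handles only the pre-8.3 static/access-list/access-group syntax used in the thread.

```python
"""Audit a pre-8.3 ASA config for the exposures discussed in this thread (added
example, not from the posts; ASA_CONFIG is constructed from psaravanan's config)."""
import re
ASA_CONFIG = """
nameif OUTSIDE
security-level 0
nameif inside
security-level 100
access-list INTERNET extended permit ip any any
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255
access-group INTERNET in interface OUTSIDE
"""

# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask m
STATIC_RE = re.compile(r"static \(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(?:(tcp|udp)\s+)?(.*)")
def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    levels, acls, statics, groups, findings, current = {}, {}, [], [], [], None
    for tok in (l.split() for l in config.splitlines() if l.strip()):
        if tok[0] == "nameif":
            current = tok[1]
        elif tok[0] == "security-level" and current:
            levels[current] = int(tok[1])
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[0] == "static":
            statics.append(" ".join(tok))
        elif tok[0] == "access-group":
            groups.append((tok[1], tok[2], tok[4]))  # acl, direction, interface
    untrusted = min(levels, key=levels.get)  # lowest security-level faces the internet
    for acl, direction, ifname in groups:
        if ifname == untrusted and direction == "in":
            for entry in acls.get(acl, []):
                if entry.startswith("extended permit ip any any"):
                    findings.append(f"ACL {acl} inbound on {ifname} permits ip any any")
    for s in statics:
        _real, mapped_ifc, proto, rest = STATIC_RE.match(s).groups()
        words = rest.split()
        cut = words.index("netmask") if "netmask" in words else len(words)
        body = words[:cut]
        mask = words[cut + 1] if cut < len(words) else "255.255.255.255"
        if mapped_ifc not in levels:
            findings.append(f"static names unknown interface {mapped_ifc!r} (nameifs are case-sensitive)")
        if proto and len(body) != 4:  # correct form: mapped_ip mapped_port real_ip real_port
            findings.append(f"{proto} static is missing its port pair: {s}")
        if not proto and len(body) == 2 and body[0] == body[1] and mask != "255.255.255.255":
            findings.append(f"identity static exposes the whole {body[0]}/{mask} range unchanged")
    return findings
```

Running audit(ASA_CONFIG) reports four findings; a config with per-host statics carrying their port pairs and an outside ACL narrowed to those mapped hosts and ports comes back clean.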
01-05-2010 09:24 PM
Dear:
The third way is removing the router.
THX
Keisikka
01-11-2010 10:08 AM
Sorry friends,
I still can't resolve it.
On the router side, I added the route:
ip route 192.168.10.0 255.255.255.0 10.1.1.253
Then on the ASA side, I enabled the ICMP permit:
icmp permit any OUTSIDE
From the ASA to the router IP 10.1.1.254, I can ping.
From the router to the ASA IP 10.1.1.253, I can ping. But I can't ping any IP in the 192.168.10.0 network from the router, even though I enabled the route.
I think that if I can ping from the router, then the problem will be solved.
On the ASA, I have already enabled static NAT to the outside IP. Then the router will pass all traffic coming from outside to the ASA.
Please give a valuable suggestion.
01-16-2019 11:40 AM
I have an ASA 5510 connected to the ISP router, and a Cisco 2948G-GE-TX switch inside:
PC====>2948G-GE-TX======>ASA 5510======>ISP (my actual lab for CCNA)
I can connect to the internet with no problem.
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended deny tcp any 192.168.10.0 255.255.255.0 eq www
access-list 101 extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username kamal password MKjCmOlZGuYOo4cf encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.5-192.168.10.100 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
You can use this template as a reference:
Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 192.168.1.254 255.255.255.252
ASA5510(config-if)# no shut
Step3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Step 5: Configure Default Route towards the ISP (assume default gateway is 192.168.1.1)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 192.168.1.1
ASA5510(config)# dhcpd address 192.168.10.2-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside