ASA_NAT for outside to inside traffic

Don Jacob
Level 1

I am not sure if NAT is the solution, but here is my problem:

For a test lab I have the following setup: (The IPs are in the 192.168.49.x range, subnetted as /29)

Landing server(192.168.49.26)---(192.168.49.25/29)-[[Cisco6500]]-(49.1/29)---(49.2)Cisco ASA(192.168.55.81)---laptop(192.168.55.82)

(NOTE: landing server gateway is 49.25 and laptop gateway is 55.81)

The C6500 is the core of the test lab to which the "landing server" with IP address 192.168.49.26 is connected. The interface to which this server is connected has the IP 192.168.49.25/29. I have 2 more L2 switches connected to the Cisco 6500 on 2 VLANs, namely VLAN 10 and 11, and some computers connected to those L2 switches. The VLANs have the IPs 49.9/29 and .17/29 respectively. The communication between the devices connected to the Cisco6500 works fine.

I have an ASA firewall with a default config and no ACLs (sh access-list/group is blank), etc. The Cisco ASA firewall (inside interface IP 192.168.49.2/29) is connected to an interface on the Cisco6500 whose IP address is 192.168.49.1/29. Again, the rest of the devices connected to the Cisco 6500 are able to reach the inside interface of the Cisco ASA. The outside interface of the Cisco ASA has the IP 192.168.55.81/24.

The requirement is that LAN users, who can reach 192.168.55.81, should end up reaching 192.168.49.26 (server IP) when they RDP to 192.168.55.81. Once they reach this landing server, users will telnet or SSH to other devices and servers for their testing. I am unable to get ASDM to work on the machines I have, so my only option is the CLI. For the test, I connected a laptop with IP 192.168.55.82/24 and gateway 192.168.55.81 to the outside of the Cisco ASA.

The device is Cisco ASA 5540 with IOS 7.0(7). I have set a static route as below:

route inside 192.168.49.0 255.255.255.0 192.168.49.1 (for users to reach the 49.0 network through the 6500, whose port connected to the ASA is 49.1)

route outside 0.0.0.0 0.0.0.0 192.168.55.82 (so that return traffic from the 6500 can reach back to the user)

I also set the below NAT:

static (inside,outside) 192.168.55.81 192.168.49.26 netmask 255.255.255.255

I am unable to ping the server IP from the 55.82 laptop and vice versa. What am I missing here?

Regards,

Don Thomas

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Jennifer Halim
Cisco Employee

Because you are using the ASA interface IP address as the translation, you would need to configure static PAT instead of static NAT, and it should be as follows for RDP access:

static (inside,outside) tcp interface 3389 192.168.49.26 3389 netmask 255.255.255.255

access-list outside-acl permit tcp any host 192.168.55.81 eq 3389

access-group outside-acl in interface outside

The above will allow RDP access to the 192.168.49.26 server when you use the IP address 192.168.55.81.

Hi,

I talked to my team and managed to get 2 public IP Addresses. The users will connect to the public IP Addresses to reach the network. So, say 192.168.30.110 and 192.168.30.111 are the IP Addresses I can use on the outside and for NAT, what changes will I need to make?

Why do I need 2 IP addresses? My admin said 1 is for the outside interface, using which I manage the FW, and the other is for the NAT. Do I need to assign the 2nd IP too to my outside interface as, maybe, a secondary IP, or do I just use it when applying the static command?

And sorry if my questions seem stupid, but I must admit I am completely new to this routing and ASA stuff.

Regards,

Don

You just have to configure the spare public ip address on the static statement.

So say that you are going to NAT your server with real IP of 192.168.49.26 to 1.1.1.1 (a spare public IP), then your static statement will say:

static (inside,outside) 1.1.1.1 192.168.49.26 netmask 255.255.255.255

access-list outside-acl permit tcp any host 1.1.1.1 eq 3389

access-group outside-acl in interface outside

You don't really need 2 public IPs; you can use the one that you assign to the outside interface for static PAT as well, as I advised in the earlier post. But it's good that you get 2 extra public IP addresses, so you can just do 1:1 static NAT instead of static PAT.
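The two translation forms Jennifer gives above (static PAT on the outside interface address, and 1:1 static NAT to a spare address) together with the outside ACL, modelled as an added example that is not from the thread or from Cisco: a small Python sketch that parses those ASA 7.x lines and reports which inbound TCP/UDP flow reaches the landing server and which is dropped. The regexes, OUTSIDE_IF_IP and the pre-8.3 rule that the inbound ACL matches the mapped address are this example's own assumptions; the config lines are the ones quoted in the thread.

```python
# Added example, not from the thread: model the ASA 7.x "static" forms and the
# outside ACL discussed above to see which inbound flows reach 192.168.49.26.
import re

OUTSIDE_IF_IP = "192.168.55.81"   # ASA outside interface address from the thread

STATIC_PAT = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
STATIC_NAT = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
ACE = re.compile(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\d+)")

def parse_config(lines):
    """Return (nat_rules, acl); a rule is (proto, mapped_ip, mapped_port,
    real_ip, real_port), with None proto/ports for a 1:1 static NAT."""
    nat, acl = [], []
    for line in lines:
        if m := STATIC_PAT.match(line):
            proto, mapped, mport, real, rport = m.groups()
            if mapped == "interface":          # keyword for the ASA's own address
                mapped = OUTSIDE_IF_IP
            nat.append((proto, mapped, int(mport), real, int(rport)))
        elif m := STATIC_NAT.match(line):
            nat.append((None, m[1], None, m[2], None))
        elif m := ACE.match(line):
            acl.append((m[1], m[2], int(m[3])))
    return nat, acl

def interface_nat_conflicts(nat):
    # The OP's mistake: 1:1 static NAT onto the interface IP; the thread says use static PAT.
    return [r for r in nat if r[0] is None and r[1] == OUTSIDE_IF_IP]

def inbound(nat, acl, proto, dst_ip, dst_port):
    """Real 'ip:port' an outside packet reaches, or None if the ASA drops it.
    Assumption: pre-8.3 ASA matches the inbound ACL against the mapped address."""
    if (proto, dst_ip, dst_port) not in acl:
        return None                            # no permit on the outside ACL
    for nproto, mapped, mport, real, rport in nat:
        if mapped != dst_ip:
            continue
        if nproto is None:                     # 1:1 static NAT keeps the port
            return f"{real}:{dst_port}"
        if nproto == proto and mport == dst_port:
            return f"{real}:{rport}"
    return None

# The OP's attempt (no ACL at all) and Jennifer's static PAT fix, both quoted from the thread.
ORIGINAL = ["static (inside,outside) 192.168.55.81 192.168.49.26 netmask 255.255.255.255"]
FIXED = ["static (inside,outside) tcp interface 3389 192.168.49.26 3389 netmask 255.255.255.255",
         "access-list outside-acl permit tcp any host 192.168.55.81 eq 3389",
         "access-group outside-acl in interface outside"]
```

With FIXED only RDP to the interface address is untranslated to the server; every other port is dropped by the ACL, which is the exposure a reviewer would check after adding such a rule.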

The c6500 is connected to the firewall inside interface. The interface on c6500 has the IP 192.168.49.1/29 and the firewall inside interface has 192.168.49.2/29.

The server, 192.168.49.26/29 (connected to cisco6500 on port with 192.168.49.25/29) can ping the inside interface but not the NAT IP or the IP of the outside interface. I have attached the Cisco ASA and Cisco6500 configuration.

How can I get the internal server to reach the outside and vice versa...

Regards,

Don

Yes, it is by design that you can't ping the NATed IP from the inside server, nor can you ping the outside interface of the ASA from the inside network. You can only ping the inside interface of the ASA from the inside network, not cross the interface and ping the outside interface of the ASA.

You should be able to ping the laptop on the outside from your server. Just make sure that your laptop doesn't have the Windows firewall enabled, which normally prevents inbound access.

Awesome. I did it as you said and everything is perfect. Thank you so much.
