Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1361
Views
0
Helpful
8
Replies

Cisco ASA CLI

r.arzouni
Level 1
Level 1

‎01-25-2011 05:37 AM - edited ‎03-11-2019 12:39 PM

Hi There,

Can you please help, I have servers sitting on the internal LAN inside 1( 192.168.76.0 /24 ) I would like all the hosts on this network to browse the internet by using the external address of the firewall (outside), I need to do a NAT to hide the private IPs and an Access rule ..Can you please help with the commands ?

When I try to Nat I get error overlaps with outside interface address !!

Many Thanks

Rabih

Labels:
0 Helpful
8 Replies 8

mirober2
Cisco Employee
Cisco Employee

‎01-25-2011 06:06 AM

Hi Rabih,

What version of ASA code are you running? It would help if you could post a sanitized copy of your current NAT configuration.

In general, this is what the syntax will look like on 8.0 or 8.2:

nat (inside) 1 192.168.76.0 255.255.255.0
global (outside) 1 interface

This is the syntax for 8.3:

object network obj-192.168.76.0
    subnet 192.168.76.0 255.255.255.0
    nat (inside,outside) dynamic interface

Hope that helps.

-Mike

0 Helpful

andamani
Cisco Employee
Cisco Employee

‎01-25-2011 06:13 AM

hi,

try the following:

nat(inside) 1 192.168.76.0 255.255.255.0

global(outside) 1 interface.

please post the output of commands "sh run nat" and "sh run global".

Regards,

Anisha

0 Helpful

r.arzouni
Level 1
Level 1
In response to andamani

‎01-25-2011 08:29 AM

sh run nat posted as requested:

ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 1 192.168.76.0 255.255.255.0
ciscoasanode1newbury(config)# sh run global
global (outside) 101 interface
ciscoasanode1newbury(config)#

I tried your command and this is what I get:

 
ciscoasanode1newbury(config)# global (outside) 1 interface
global for this range already exists
ciscoasanode1newbury(config)#

not sure what I am doing wrong

Many Thanks

0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to r.arzouni

‎01-25-2011 08:31 AM

Hi Rabih,

In that case, you'll need to change your NAT statement. Just use this instead:

no nat (inside1SYHA) 1 192.168.76.0 255.255.255.0

nat (inside1SYHA) 101 192.168.76.0 255.255.255.0

-Mike

0 Helpful

r.arzouni
Level 1
Level 1
In response to r.arzouni

‎01-25-2011 09:02 AM

Hi Mike / All thanks for that,

I did add the nat rule as he said :

ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 101 192.168.76.0 255.255.255.0

I can ping the firewall but still can not browse the internet do I need to add a rule or something ?

Many Thanks

Rabih

0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to r.arzouni

‎01-25-2011 09:04 AM

Hi Rabih,

That depends on what the rest of the configuration looks like. Try checking your rules with the packet-tracer to make sure everything looks correct:

packet-tracer in inside1SYHA udp 192.168.76.10 12345 4.2.2.2 53

packet-tracer in inside1SYHA tcp 192.168.76.10 12345 4.2.2.2 80

-Mike

0 Helpful

r.arzouni
Level 1
Level 1
In response to mirober2

‎01-25-2011 09:18 AM

Hi Mike

Outcome of the packet trace:


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2nd trace:


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Cant you please help ?

Thanks

Rabih

0 Helpful

mirober2
Cisco Employee
Cisco Employee
In response to r.arzouni

‎01-25-2011 09:22 AM

Hi Rabih,

What are the security levels of the inside1SYHA and outside interfaces?

You can permit traffic via an ACL like this:

access-list inside1SYHA_access_in permit ip any any

access-group inside1SYHA_access_in in interface inside1SYHA

That would allow all outbound IP traffic to go through the inside1SYHA interface. You can make that more restrictive if you'd like.

If that still doesn't work, please post a sanitized copy of your config.

-Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card