01-25-2011 05:37 AM - edited 03-11-2019 12:39 PM
Hi There,
Can you please help? I have servers sitting on the internal LAN inside 1 (192.168.76.0/24). I would like all the hosts on this network to browse the internet by using the external address of the firewall (outside). I need to do a NAT to hide the private IPs and an access rule. Can you please help with the commands?
When I try to NAT I get the error "overlaps with outside interface address"!!
Many Thanks
Rabih
01-25-2011 06:06 AM
Hi Rabih,
What version of ASA code are you running? It would help if you could post a sanitized copy of your current NAT configuration.
In general, this is what the syntax will look like on 8.0 or 8.2:
nat (inside) 1 192.168.76.0 255.255.255.0
global (outside) 1 interface
This is the syntax for 8.3:
object network obj-192.168.76.0
subnet 192.168.76.0 255.255.255.0
nat (inside,outside) dynamic interface
Hope that helps.
-Mike
01-25-2011 06:13 AM
Hi,
try the following:
nat (inside) 1 192.168.76.0 255.255.255.0
global (outside) 1 interface
Please post the output of the commands "sh run nat" and "sh run global".
Regards,
Anisha
01-25-2011 08:29 AM
sh run nat posted as requested:
ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 1 192.168.76.0 255.255.255.0
ciscoasanode1newbury(config)# sh run global
global (outside) 101 interface
ciscoasanode1newbury(config)#
I tried your command and this is what I get:
ciscoasanode1newbury(config)# global (outside) 1 interface
global for this range already exists
ciscoasanode1newbury(config)#
Not sure what I am doing wrong.
Many Thanks
01-25-2011 08:31 AM
Hi Rabih,
In that case, you'll need to change your NAT statement. Just use this instead:
no nat (inside1SYHA) 1 192.168.76.0 255.255.255.0
nat (inside1SYHA) 101 192.168.76.0 255.255.255.0
-Mike
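The error Rabih hit ("global for this range already exists") comes from the pre-8.3 NAT model: a "nat (iface) ID ..." statement only takes effect when a "global (outside) ID ..." with the same ID exists, and the outside interface address was already claimed by pool 101, so a second pool with ID 1 could not be created. Mike's fix re-keys the nat statement to ID 101 rather than adding a second global. As an added example that is not part of this thread, the Python below parses "sh run nat" / "sh run global" output, reports nat statements whose ID has no matching global, and prints the same two-line fix Mike gave. The function names and the "egress_iface" parameter are my own, and the sample output is modelled on what Rabih posted.

```python
import re

# Sample output modelled on the "sh run nat" / "sh run global" posted in the thread:
# the nat rule for inside1SYHA uses ID 1, but the only global on outside uses ID 101.
SH_RUN_NAT = """\
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 1 192.168.76.0 255.255.255.0
"""
SH_RUN_GLOBAL = """\
global (outside) 101 interface
"""

NAT_RE = re.compile(r"^nat\s+\((?P<iface>[^)]+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>[^)]+)\)\s+(?P<id>\d+)\s+(?P<pool>.+)$")


def parse_nat(text):
    """One dict per 'nat (iface) id net mask' line (pre-8.3 syntax)."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({"iface": m["iface"], "id": int(m["id"]),
                          "net": m["net"], "mask": m["mask"]})
    return rules


def parse_global(text):
    """One dict per 'global (iface) id pool' line; pool is 'interface' or an address range."""
    pools = []
    for line in text.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            pools.append({"iface": m["iface"], "id": int(m["id"]), "pool": m["pool"].strip()})
    return pools


def find_unmatched(nat_rules, global_pools):
    """nat rules whose ID has no global pool on any interface.

    nat ID 0 is identity / exempt NAT and never needs a global, so it is skipped.
    """
    global_ids = {g["id"] for g in global_pools}
    return [r for r in nat_rules if r["id"] != 0 and r["id"] not in global_ids]


def suggest_fix(rule, global_pools, egress_iface="outside"):
    """Commands that re-key the rule to an ID that already has a global on egress_iface.

    This is the change Mike suggested in the thread; if no global exists on the egress
    interface at all, the suggestion is to add one for the rule's current ID instead.
    """
    candidates = [g["id"] for g in global_pools if g["iface"] == egress_iface]
    if not candidates:
        return [f"global ({egress_iface}) {rule['id']} interface"]
    new_id = candidates[0]
    old = f"nat ({rule['iface']}) {rule['id']} {rule['net']} {rule['mask']}"
    return [f"no {old}", f"nat ({rule['iface']}) {new_id} {rule['net']} {rule['mask']}"]


def audit(nat_text, global_text, egress_iface="outside"):
    """Map (iface, nat id) of every unmatched rule to the commands that would fix it."""
    pools = parse_global(global_text)
    return {(r["iface"], r["id"]): suggest_fix(r, pools, egress_iface)
            for r in find_unmatched(parse_nat(nat_text), pools)}


if __name__ == "__main__":
    for key, cmds in audit(SH_RUN_NAT, SH_RUN_GLOBAL).items():
        print(f"nat ({key[0]}) {key[1]} has no matching global; suggested fix:")
        for c in cmds:
            print("  " + c)
```

Run it against the real output of both show commands and it will flag exactly the mismatch Rabih had; on 8.3 and later the nat/global pairing no longer exists, so this check only applies to the 8.0/8.2 syntax Mike listed first.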
01-25-2011 09:02 AM
Hi Mike / All thanks for that,
I did add the NAT rule as he said:
ciscoasanode1newbury(config)# sh run nat
nat (management) 101 0.0.0.0 0.0.0.0
nat (inside1SYHA) 101 192.168.76.0 255.255.255.0
I can ping the firewall but still cannot browse the internet. Do I need to add a rule or something?
Many Thanks
Rabih
01-25-2011 09:04 AM
Hi Rabih,
That depends on what the rest of the configuration looks like. Try checking your rules with the packet-tracer to make sure everything looks correct:
packet-tracer in inside1SYHA udp 192.168.76.10 12345 4.2.2.2 53
packet-tracer in inside1SYHA tcp 192.168.76.10 12345 4.2.2.2 80
-Mike
01-25-2011 09:18 AM
Hi Mike
Outcome of the packet trace:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
2nd trace:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Can you please help?
Thanks
Rabih
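Both traces tell the same story: the packet passes FLOW-LOOKUP and ROUTE-LOOKUP (the default route points out of "outside"), then is dropped in the ACCESS-LIST phase by an "Implicit Rule", and the summary gives the drop reason "(acl-drop) Flow is denied by configured rule". As an added example that is not part of this thread, the Python below parses packet-tracer output into its phases and the final summary and reports which phase dropped the packet, which is useful when comparing traces before and after a config change. The function names are my own; the sample input is the second trace from the post above.

```python
# Packet-tracer output copied from the second trace posted in the thread above.
TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside1SYHA
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:" and current is not None:
            # A bare "Result:" after the phases opens the final summary block.
            in_summary, current = True, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if in_summary:
            summary[key.lower()] = value
        elif current is None:
            continue
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section:
            # Free-form lines under Config: / Additional Information: belong to that section.
            current[section].append(line)
    return phases, summary


def diagnose(text):
    """Return the verdict, the dropping phase (if any) and the summary fields a reader wants."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    report = {
        "action": summary.get("action"),
        "drop_reason": summary.get("drop-reason"),
        "input_interface": summary.get("input-interface"),
        "output_interface": summary.get("output-interface"),
        "drop_phase": dropped["phase"] if dropped else None,
        "drop_type": dropped["type"] if dropped else None,
        "drop_config": " ".join(dropped["config"]) if dropped else None,
    }
    if dropped and dropped["type"] == "ACCESS-LIST" and "Implicit Rule" in dropped["config"]:
        # No explicit permit matched: check the access-group on the input interface
        # and the security levels of the input and output interfaces.
        report["hint"] = "implicit deny on input interface ACL or security levels"
    return report


if __name__ == "__main__":
    for k, v in diagnose(TRACE).items():
        print(f"{k}: {v}")
```

Phases whose Result is ALLOW are kept too, so the same function lets you confirm that a trace run after adding an access-group now passes the ACCESS-LIST phase instead of dropping there.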
01-25-2011 09:22 AM
Hi Rabih,
What are the security levels of the inside1SYHA and outside interfaces?
You can permit traffic via an ACL like this:
access-list inside1SYHA_access_in permit ip any any
access-group inside1SYHA_access_in in interface inside1SYHA
That would allow all outbound IP traffic to go through the inside1SYHA interface. You can make that more restrictive if you'd like.
If that still doesn't work, please post a sanitized copy of your config.
-Mike