Help me in Natting

pawanharlecisco
Level 1

Hi,

Please see the diagram attached.

I have an Internet leased line which is connected to the "Outside" interface of the ASA 5510. The IP addresses are mentioned in the diagram.

I have a few public IP addresses given by the ISP. I want to do static NAT in the ASA for accessing my server from the Internet. I am a fresher in configuring ASA, please guide me. I also want 192.168.5.10, 192.168.5.11, 192.168.5.12 and 192.168.5.13 to be able to use the Internet as well, for OS updates.

Public IP 2.2.2.5 mapped to 192.168.5.10

Public IP 2.2.2.6 mapped to 192.168.5.11

Public IP 2.2.2.7 mapped to 192.168.5.12

Public IP 2.2.2.8 mapped to 192.168.5.13

Please guide me.

Accepted Solutions
Hi Pawan,

As per your requirement, here is the config that you can try:

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255
access-list 101 permit ip any host 2.2.2.5
access-list 101 permit ip any host 2.2.2.6
access-list 101 permit ip any host 2.2.2.7
nat (outside) 10 access-list 101 outside
global (inside) 10 interface

The above configuration would allow only traffic from your 2.2.2.1 router to your internal servers.

The routes should be:

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100
nat (inside) 1 0.0.0.0 0.0.0.0
global (bsnl) 1 interface

Try it and let me know if it works.

Thanks,

Varun

Thanks,
Varun Rao

Hi Pawan,

Everything looks good to me except these lines below; instead of them you need to add these:

global (outside) 1 interface
global (inside) 10 interface
nat (rbi) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route rbi 0.0.0.0 0.0.0.0 2.2.2.1 100

and remove this statement:

access-group 101 in interface rbi

We don't need it; the access-list 101 was created just to be used in the nat statement.

!
interface Ethernet2
 nameif rbi
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!

global (outside) 1 interface
global (inside) 10 interface
nat (outside) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0

access-group 101 in interface rbi
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100

Hope this works,

Thanks,

Varun

Thanks,
Varun Rao

22 Replies

varrao
Level 10

Hi Pawan,

Here is the config that you would need:

static (inside,outside) 2.2.2.5 192.168.5.10

Exactly the same needs to be done for the other servers as well.

Let me know if you have any queries.

Thanks,

Varun

Thanks,
Varun Rao

Here is configuration guide for NAT on ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Varun

Thanks,
Varun Rao

Thanks Varun for the post,

I have configured as you said for all IP addresses, but whenever I try to ping 2.2.2.5 it does not respond from the Internet. Please suggest; please give me a sample config for my scenario for one IP, 2.2.2.5 only, and I will manage the others. Please help me...

Please help me

Hi Pawan,

OK, let's take the case of ping on the firewall for IP 2.2.2.5:

You would need an access-list on the outside interface,

access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside

and the nat command:

static (inside,outside) 2.2.2.5 192.168.5.10

First make sure you are able to ping the IP 192.168.5.10 from the firewall, by doing "ping inside 192.168.5.10", and then test it.

Thanks,

Varun

Thanks,
Varun Rao

Dear Varun Sir, thanks for the support,

I have configured as you suggested. Now I am able to ping 2.2.2.5, 2.2.2.6 and 2.2.2.7, but I am not able to access these IPs. I want to permit all services from the public side. Below is the sh run for the ASA.

Please kindly help me

-------------------------------------------------------------------------------

hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any host 192.168.5.10
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b3e81ffd949d793e351873ae46369086
: end

Hi Pawan,

Just add the ACLs:

access-list outside_access_in permit ip any host 2.2.2.5

Do it similarly for the other servers as well, and it would work after that.

Thanks,

Varun

Thanks,
Varun Rao
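The mistake visible in the config posted above, an outside ACL that permits the real address 192.168.5.10 instead of the mapped 2.2.2.5, is easy to catch mechanically. The script below is an added example, not code from this thread or from Cisco. It assumes the pre-8.3 ASA syntax used here (static/global/nat), where an ACL applied inbound on the outside interface must name the mapped address; on ASA 8.3 and later ACLs reference real addresses, so the first check would have to be inverted. It runs offline on a constructed config that mirrors the one posted, and also lists `permit ip any` entries, since opening every service to the Internet is broader than a server usually needs.

```python
"""Audit pre-8.3 ASA static NAT entries against the outside interface ACL.

Added example; not code from this thread or from Cisco. On ASA 8.2 and
earlier, an ACL applied inbound on the outside interface must reference the
mapped (public) address of a static translation, never the real inside
address. The configuration below is constructed to mirror the one posted in
the thread, including the entry that wrongly permits 192.168.5.10.
"""
import ipaddress
import re

# Constructed sample, modelled on the thread's 'sh run' (abridged).
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any host 192.168.5.10
access-list outside_access_in extended permit ip any host 2.2.2.6
static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Same config after the fix the thread arrives at: permit the mapped address.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace("host 192.168.5.10", "host 2.2.2.5")

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host A | net mask) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def _covers(spec, ip):
    """True if the address spec admits the given IP."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_config(cfg):
    """Extract static NATs, ACL entries and access-group bindings."""
    statics, acls, groups = [], {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": mapped_ip, "real": real_ip})
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, i = _take_addr(tokens, 0)
            dst, _ = _take_addr(tokens, i)
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst})
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)      # interface -> ACL name
    return statics, acls, groups


def audit(cfg):
    """Return three kinds of finding, each as a sorted list of addresses."""
    statics, acls, groups = parse_config(cfg)
    findings = {"real_ip_in_outside_acl": [], "statics_without_permit": [],
                "permit_ip_any": []}
    for s in statics:
        entries = acls.get(groups.get(s["mapped_if"]), [])
        # Pre-8.3 pitfall: the ACL names the real address, so it never matches.
        if any(e["dst"] == s["real"] + "/32" for e in entries):
            findings["real_ip_in_outside_acl"].append(s["real"])
        # Ping working but services failing means only ICMP is permitted.
        usable = [e for e in entries
                  if e["action"] == "permit" and e["proto"] in ("ip", "tcp", "udp")
                  and _covers(e["dst"], s["mapped"])]
        if not usable:
            findings["statics_without_permit"].append(s["mapped"])
    for acl_name in set(groups.values()):
        for e in acls.get(acl_name, []):
            # Every service from anywhere: broader than a server usually needs.
            if (e["action"] == "permit" and e["proto"] == "ip"
                    and e["src"] == "any" and e["dst"] != "any"):
                findings["permit_ip_any"].append(e["dst"].split("/")[0])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit(cfg))
```

On the posted config the audit reports 192.168.5.10 as a real address in the outside ACL and 2.2.2.5 and 2.2.2.7 as translations that only ICMP can reach, which matches the symptom in the thread (ping works, services do not). On the corrected config only 2.2.2.7 remains unreachable, since the sample never adds its permit.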

Dear Varun Sir,

I have applied this ACL "access-list outside_access_in permit ip any host 2.2.2.5" for all IP addresses but still it's not done. I'm not able to access the internal servers. Please suggest.

Thanks

Pawan

Hi Pawan,

Please provide me the running config from the ASA after adding all the changes that I suggested; it should work. I'll have a look at it and let you know.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Sir,

Actually I made a mistake while applying the access-list. After correcting it, I'm now able to access the servers from outside. Thanks Sir for your support. Below is the sh run of the ASA.

hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any host 2.2.2.5
access-list outside_access_in extended permit ip any host 2.2.2.6
access-list outside_access_in extended permit ip any host 2.2.2.7
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.3 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d791dcca076fc2bbf6662f149c8377bd
: end
ASA#

Regards

Pawan

Hey, that's good. Let me know if you face any other issues.

-Varun

Thanks,
Varun Rao

Sure sir.

Varun Sir,

In the same topology, I have now plugged one BSNL modem into the interface e0, to give Internet access to the 192.168.5.0 network. For this I have configured the configuration below, but I'm not able to access the Internet using the BSNL modem. But from the 2.2.2.0 network I'm able to access the server as we configured recently. Kindly suggest how this can be made possible.

access-list OUTIN extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside
global (bsnl) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 2

........

pawan

Can you paste the running config again? And can you tell me what changes you've done? Have you removed the 2.2.2.1 router and are now using a BSNL modem instead?

Thanks,

Varun

Thanks,
Varun Rao

Sir,

No, I have not removed the 2.2.2.1 router. I have plugged the BSNL modem into the E0 interface. Below is the sh run after making the changes.

hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif bsnl
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any host 2.2.2.5
access-list outside_access_in extended permit ip any host 2.2.2.6
access-list outside_access_in extended permit ip any host 2.2.2.7
access-list OUTIN extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside
pager lines 24
mtu inside 1500
mtu outside 1500
mtu bsnl 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (bsnl) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.3 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route outside 0.0.0.0 0.0.0.0 192.168.100.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d791dcca076fc2bbf6662f149c8377bd
: end
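The second problem in this config is the pair of default routes: both name the `outside` interface, but the gateway 192.168.100.1 lives on the `bsnl` subnet, which is why the accepted solution moves that route onto the modem-facing interface (called `rbi`/`bsnl` in the replies). The script below is an added example, not code from this thread or from Cisco; it parses the interface blocks and `route` lines of a constructed config that mirrors the posted one, and flags any route whose next hop is not on the interface it names, suggesting the interface that does own the gateway.

```python
"""Check that each ASA static route's next hop sits on the interface it names.

Added example; not code from this thread or from Cisco. The configuration
below is constructed to mirror the thread's dual-uplink setup, where a default
route toward the BSNL modem gateway 192.168.100.1 was entered on 'outside'
although that gateway belongs to the 'bsnl' subnet.
"""
import ipaddress
import re

# Constructed sample modelled on the posted 'sh run' (abridged).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif bsnl
 security-level 0
 ip address 192.168.100.200 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route outside 0.0.0.0 0.0.0.0 192.168.100.1 2
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(cfg):
    """Map each nameif to the IPv4Interface configured under it."""
    ifaces, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                       # new block, nameif not yet seen
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces


def owning_interface(ifaces, gateway):
    """Return the nameif whose subnet contains the gateway, or None."""
    gw = ipaddress.ip_address(gateway)
    for name, intf in ifaces.items():
        if gw in intf.network:
            return name
    return None


def route_findings(cfg):
    """List routes whose gateway is not on the named interface's subnet."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for raw in cfg.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        iface, net, mask, gateway, metric = m.groups()
        owner = owning_interface(ifaces, gateway)
        if owner == iface:
            continue                          # next hop is directly reachable
        suggested = None
        if owner:
            suggested = f"route {owner} {net} {mask} {gateway}"
            if metric:
                suggested += f" {metric}"
        findings.append({"line": raw.strip(), "gateway": gateway,
                         "owner": owner, "suggested": suggested})
    return findings


if __name__ == "__main__":
    for f in route_findings(SAMPLE_CONFIG):
        print(f"{f['line']!r}: gateway on {f['owner']}, try {f['suggested']!r}")
```

Run against the sample it reports the single bad line and proposes `route bsnl 0.0.0.0 0.0.0.0 192.168.100.1 2`; after substituting that line the check comes back clean. The same check is worth running after any uplink change, since a route whose next hop is unreachable silently never forwards anything.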
