
Help me in Natting

pawanharlecisco
Level 1

Hi,

Please see the diagram attached.

I have an Internet leased line which is connected to the "Outside" interface of the ASA 5510. The IP addresses are mentioned in the diagram.

I have a few public IP addresses given by the ISP. I want to do static NAT in the ASA for accessing my server from the Internet; I am a fresher in configuring the ASA, please guide me. I also want 192.168.5.10, 192.168.5.11, 192.168.5.12 and 192.168.5.13 to be able to use the Internet as well, for OS updates.

Public IP 2.2.2.5 mapped to 192.168.5.10
Public IP 2.2.2.6 mapped to 192.168.5.11
Public IP 2.2.2.7 mapped to 192.168.5.12
Public IP 2.2.2.8 mapped to 192.168.5.13

Please guide me.

22 Replies

Hi Pawan,

We cannot have two default routes on the ASA; the packet would always take the route defined by the lower metric, which is:

route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

I am not sure why you are implementing such a thing, you have two interfaces configured through which the same internal network would access internet, so that would get complicated.

If you are just testing the bsnl modem link, remove the first route and then add:

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

and moreover on interface e0 you have a private IP address, and we would need a public IP like 2.2.2.2 to access the Internet.

Also, these access-lists are not needed:

access-list OUTIN extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside

Let me know if this works.

Thanks,

Varun

Thanks,
Varun Rao

Sir,

I want to use BSNL as my default route and give a static route for the servers, because there are only some specific IP addresses which will access the server; that's why there is no need to give a default route towards 2.2.2.1.

Now my purpose is that:

1: the network 192.168.5.0 will use the Internet via the BSNL line

2: and if some specific IP addresses want to access the server, then they have to use the 2.2.2.0 network which was statically NATted earlier.

Hi Pawan,

As per your requirement, here is the config that you can try:

static (inside,outside) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.6 192.168.5.11 netmask 255.255.255.255
static (inside,outside) 2.2.2.7 192.168.5.12 netmask 255.255.255.255
access-list 101 permit ip any host 2.2.2.5
access-list 101 permit ip any host 2.2.2.6
access-list 101 permit ip any host 2.2.2.7
nat (outside) 10 access-list 101 outside
global (inside) 10 interface

The above configuration would allow only traffic from your 2.2.2.1 router to your internal servers.

The routes should be:

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100
nat (inside) 1 0.0.0.0 0.0.0.0
global (bsnl) 1 interface

Try it and let me know if it works.

Thanks,

Varun

Thanks,
Varun Rao

Thank you sir, it's done successfully.

Please see the config below. If it still needs any change, tell me. If there is any useless command I configured in the config below, please guide me so that I can remove it.

!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif rbi
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any host 2.2.2.5
access-list 101 extended permit ip any host 2.2.2.6
access-list 101 extended permit ip any host 2.2.2.7
access-list outside-in extended permit icmp any any
access-list outside-in extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu rbi 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 10 interface
nat (outside) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,rbi) 2.2.2.5 192.168.5.10 netmask 255.255.255.255
static (inside,rbi) 2.2.2.6 192.168.5.11 netmask 255.255.255.255
static (inside,rbi) 2.2.2.7 192.168.5.12 netmask 255.255.255.255
access-group outside-in in interface outside
access-group 101 in interface rbi
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
pixfirewall#

Hi Pawan,

Everything looks good to me except the lines below; instead of them you need to add these:

global (outside) 1 interface
global (inside) 10 interface
nat (rbi) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route rbi 0.0.0.0 0.0.0.0 2.2.2.1 100

and remove this statement:

access-group 101 in interface rbi

we don't need it; the access-list 101 was created just to be used in the nat statement.

!
interface Ethernet2
 nameif rbi
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
global (outside) 1 interface
global (inside) 10 interface
nat (outside) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface rbi
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100

Hope this works,

Thanks,

Varun

Thanks,
Varun Rao
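The points Varun has made so far can be checked mechanically: only the lowest-metric default route is used (his first reply), a route should name the interface whose subnet contains its next hop, every nat id needs a matching global, and an access-list written only to select traffic for policy NAT does not also need to be applied with access-group (his correction just above). The script below is an added example, not code from this thread or from Cisco. It runs against an excerpt of the pre-8.3 style (nat/global/static) config Pawan posted above; the parser, the check wording and the extra finding about "permit ip any any" applied inbound on a security-level 0 interface are my additions, not anything the thread states.

```python
import ipaddress
import re

# Excerpt of the ASA configuration posted earlier in this thread (interface, ACL,
# nat/global, access-group and route lines only; the rest is not needed here).
ASA_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif rbi
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
access-list 101 extended permit ip any host 2.2.2.5
access-list 101 extended permit ip any host 2.2.2.6
access-list outside-in extended permit icmp any any
access-list outside-in extended permit ip any any
global (outside) 1 interface
global (inside) 10 interface
nat (outside) 10 access-list 101 outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside-in in interface outside
access-group 101 in interface rbi
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 2.2.2.1 100
"""


def parse_config(text):
    """Collect interfaces, ACLs, nat/global entries, access-groups and routes from an ASA config."""
    cfg = {"interfaces": {}, "acls": {}, "nat": [], "global": [], "access_group": [], "routes": []}
    cur = None  # interface block currently being read
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            cur = None
            continue
        kw = tokens[0]
        if kw == "interface":
            cur = {"name": None, "security": None, "net": None}
            continue
        if cur is not None and kw in ("nameif", "security-level", "ip", "shutdown", "no"):
            if kw == "nameif":
                cur["name"] = tokens[1]
            elif kw == "security-level":
                cur["security"] = int(tokens[1])
            elif kw == "ip" and cur["name"]:  # ip address ADDR MASK
                cur["net"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
                cfg["interfaces"][cur["name"]] = cur
            continue
        cur = None
        if kw == "access-list":  # access-list NAME extended permit|deny PROTO SRC DST
            cfg["acls"].setdefault(tokens[1], []).append(tokens[2:])
        elif kw in ("nat", "global"):  # nat|global (IFC) ID ...
            m = re.match(r"(nat|global) \((\S+)\) (\d+)\s*(.*)", raw.strip())
            rest = m.group(4).split()
            cfg[kw].append({"ifc": m.group(2), "id": int(m.group(3)),
                            "acl": rest[1] if rest[:1] == ["access-list"] else None})
        elif kw == "access-group":  # access-group NAME in interface IFC
            cfg["access_group"].append({"acl": tokens[1], "ifc": tokens[4]})
        elif kw == "route":  # route IFC NET MASK NEXTHOP [METRIC]
            cfg["routes"].append({"ifc": tokens[1],
                                  "prefix": ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}"),
                                  "nexthop": ipaddress.ip_address(tokens[4]),
                                  "metric": int(tokens[5]) if len(tokens) > 5 else 1})
    return cfg


def audit(cfg):
    """Return human-readable findings for the checks discussed in the thread."""
    findings, ifcs = [], cfg["interfaces"]
    # 1. A static route's next hop should sit on the subnet of the interface the route names.
    for r in cfg["routes"]:
        ifc = ifcs.get(r["ifc"])
        if ifc and r["nexthop"] not in ifc["net"].network:
            where = [n for n, i in ifcs.items() if r["nexthop"] in i["net"].network]
            hint = f" (it is on {where[0]})" if where else ""
            findings.append(f"route {r['ifc']}: next hop {r['nexthop']} is not on that interface's subnet{hint}")
    # 2. With several default routes only the lowest metric is used; the others are floating backups.
    defaults = sorted((r for r in cfg["routes"] if r["prefix"].prefixlen == 0), key=lambda r: r["metric"])
    for r in defaults[1:]:
        findings.append(f"default route via {r['nexthop']} (metric {r['metric']}) is only a backup; "
                        f"{defaults[0]['nexthop']} (metric {defaults[0]['metric']}) is used")
    # 3. Every nat id needs a global with the same id on a different interface.
    globals_by_id = {g["id"]: g["ifc"] for g in cfg["global"]}
    for n in cfg["nat"]:
        if n["id"] not in globals_by_id:
            findings.append(f"nat ({n['ifc']}) {n['id']} has no matching global statement")
        elif globals_by_id[n["id"]] == n["ifc"]:
            findings.append(f"nat ({n['ifc']}) {n['id']} and its global are on the same interface")
    # 4. An ACL that only selects traffic for policy NAT need not also be an interface ACL.
    policy_acls = {n["acl"] for n in cfg["nat"] if n["acl"]}
    # 5. 'permit ip any any' inbound on a security-level 0 interface admits all traffic.
    for ag in cfg["access_group"]:
        if ag["acl"] in policy_acls:
            findings.append(f"access-group {ag['acl']} on {ag['ifc']}: ACL is already used by policy NAT")
        ifc = ifcs.get(ag["ifc"])
        if ifc and ifc["security"] == 0:
            for ace in cfg["acls"].get(ag["acl"], []):
                if "permit" in ace and ace[-3:] == ["ip", "any", "any"]:
                    findings.append(f"access-group {ag['acl']} on {ag['ifc']}: "
                                    "'permit ip any any' inbound on a security-level 0 interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(ASA_CONFIG)):
        print("-", finding)
```

On the posted excerpt the script reports four findings: the default route via 2.2.2.1 names interface outside although 2.2.2.1 is on the rbi subnet, that route is only a metric-100 backup behind 192.168.100.1, access-list 101 is applied with access-group although it already drives the policy NAT, and outside-in permits ip any any inbound on the outside interface. Applying Varun's two corrections (route rbi, no access-group 101) clears the first and third.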

Dear Varun Sir,

Thanks for your help and support...

Finally, because of you only I have done this successfully.

Please have a look at the final config.

hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif juniper
 security-level 0
 ip address 10.34.249.50 255.255.255.224
!
interface Ethernet3
 nameif dmz
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside-in extended permit ip any any
access-list outside-in extended permit icmp any any
access-list juniper-in extended permit ip any host 10.34.249.35
access-list juniper-in extended permit ip any host 10.34.249.36
access-list juniper-in extended permit ip any host 10.34.249.37
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip any host 10.34.249.35
access-list dmz-in extended permit ip any host 10.34.249.36
access-list dmz-in extended permit ip any host 10.34.249.37
pager lines 24
mtu outside 1500
mtu inside 1500
mtu juniper 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 10 interface
nat (outside) 10 access-list juniper-in outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,juniper) 10.34.249.35 192.168.5.10 netmask 255.255.255.255
static (inside,juniper) 10.34.249.36 192.168.5.11 netmask 255.255.255.255
static (inside,juniper) 10.34.249.37 192.168.5.12 netmask 255.255.255.255
static (inside,dmz) 10.34.249.35 192.168.5.10 netmask 255.255.255.255
static (inside,dmz) 10.34.249.36 192.168.5.11 netmask 255.255.255.255
static (inside,dmz) 10.34.249.37 192.168.5.12 netmask 255.255.255.255
access-group outside-in in interface outside
access-group juniper-in in interface juniper
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 10.34.249.33 100
route outside 0.0.0.0 0.0.0.0 192.168.6.2 101
route dmz 192.168.168.0 255.255.255.0 192.168.6.2 1
route dmz 192.168.169.0 255.255.255.0 192.168.6.2 1
route dmz 192.168.170.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:a070fee62a7b83f54f5926ad32f67603
: end

Thanks/Regards

Pawan Harle

Hi Pawan,

Everything looks fine; you would just need the nat statement as well:

nat (dmz) 1 0.0.0.0 0.0.0.0
global (inside) 1 interface

for DMZ users to access servers in inside and go to the Internet as well.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

Sir,

The DMZ users have their own gateway to access the Internet; that's why there is no need to go to the Internet via the ASA.

To access the servers connected to the DMZ interface I have put the commands below.

route dmz 192.168.168.0 255.255.255.0 192.168.6.2 1
route dmz 192.168.169.0 255.255.255.0 192.168.6.2 1
route dmz 192.168.170.0 255.255.255.0 192.168.6.2 1

thanks,

pawan
