02-27-2012 06:47 AM - edited 03-11-2019 03:35 PM
Hi,
I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network,
e.g. internet address 94.175.x.100 goes to 151.5.3.100.
The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.
Is this possible with the ASA5510, and if so, can you give me a clue how to pass the traffic?
Thanks
Trevor
02-27-2012 07:06 AM
Trevor
For this to work you need a couple of things to be in place:
1) the ASA can reach the 151.5.3.0/24 network, i.e. it has a route to the 151.5.3.0/24 network
2) there is a default route in your internal network that points back to the ASA, so when 151.5.3.100 sends traffic back to 94.175.x.100 the return traffic goes back to the ASA.
If both of the above are in place then you would simply need to:
1) add a rule to the access-list applied to the outside interface of the ASA (assuming there is one) to allow the traffic,
and
2) set up a static NAT for the 151.5.3.x clients, e.g.
static (inside,outside) 151.5.3.100 151.5.3.100
Note that you can be more specific with the NAT if you only want to allow certain ports, i.e.
static (inside,outside) tcp 151.5.3.100 80 151.5.3.100 80
would set up NAT only for port 80. Bear in mind, though, that you still need the ACL allowing the access, so if there are a lot of ports then the first static would make more sense. Also note these are pre-8.2 NAT commands, so you may need to adjust if the OS version is more recent.
If the first two conditions are not in place you can still do it, but you may need to do more things with NAT.
Jon
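As an added example (not part of Jon's post or Trevor's configuration), here is the full set of ASA commands the steps above describe, written for the mapping from the question (public 94.175.x.100 to MPLS host 151.5.3.100) and restricted to TCP/80. Both the pre-8.3 syntax Jon quotes and the 8.3-and-later syntax are shown because the NAT model changed in 8.3: before 8.3 the outside ACL matches the mapped (public) address, from 8.3 on it matches the real (untranslated) address. The masked address 94.175.x.100 is kept exactly as given in the thread and must be replaced; the inside next hop 10.42.15.1, the ACL and object names, and the test source 203.0.113.5 (an RFC 5737 documentation address) are assumptions chosen for illustration. Apply only the section that matches your OS version.

```cisco
! Added example, not from the original thread. Placeholders are marked.
!
! Precondition 1 from the post: the ASA must have a route to the MPLS subnet.
! 10.42.15.1 is an ASSUMED address for the internal router; the thread never states it.
route inside 151.5.3.0 255.255.255.0 10.42.15.1
!
! ===== Pre-8.3 syntax (the form Jon's examples use) =====
! Port-restricted static NAT: public 94.175.x.100:80 <-> MPLS host 151.5.3.100:80.
! 94.175.x.100 is the masked address from the question; substitute the real one.
static (inside,outside) tcp 94.175.x.100 80 151.5.3.100 80 netmask 255.255.255.255
! Pre-8.3 ACLs match the MAPPED (public) address.
! Permit only the port you need; "permit ip any host ..." would expose every
! service the host runs, and the static already limits what is reachable.
access-list OUTSIDE_IN extended permit tcp any host 94.175.x.100 eq 80
access-group OUTSIDE_IN in interface outside
!
! ===== 8.3 and later (NAT rewritten in 8.3) =====
! Network object NAT: real 151.5.3.100 mapped to 94.175.x.100, TCP/80 only.
object network SRV_151_5_3_100
 host 151.5.3.100
 nat (inside,outside) static 94.175.x.100 service tcp 80 80
! From 8.3 on the ACL matches the REAL (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any host 151.5.3.100 eq 80
access-group OUTSIDE_IN in interface outside
!
! ===== Checks (either version) =====
! Simulate an inbound SYN from the internet; the trace should end with
! "Action: allow" and show the NAT rule and the inside egress interface.
! 203.0.113.5 is a documentation address used here as an assumed test source.
packet-tracer input outside tcp 203.0.113.5 40000 94.175.x.100 80
! Confirm the translation exists (pre-8.3 shows a static xlate; 8.3+ use
! "show nat" for hit counts once traffic has flowed).
show xlate
show nat
```

Precondition 2 from the post (the return path) is not something the ASA can enforce: after applying the NAT and ACL, traceroute from a host on 151.5.3.0/24 to an internet address and confirm the last hop before leaving the MPLS is the ASA inside interface. If the remote site has its own default route to a different exit, the SYN/ACK never returns through the ASA and the handshake fails even though packet-tracer reports the inbound SYN as allowed.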
02-27-2012 07:25 AM
Hi Jon,
Thanks for replying.
I have a route from the ASA to the 151.5.3.0/24 network, and a traceroute from the ASA shows that this works; the destination server on the 151.5.3 network can see the ASA.
The NAT and ACL work for the service on 10.42.15 network.
So ...
Do I need to allow routing from the 151.5.3 network to the external internet addresses across the MPLS?
e.g. on the router at the site: ip route 94.x.y.z/24 151.5.3.gateway
Thanks
Trevor
02-27-2012 07:46 AM
Trevor
It depends on whether you have a default route in your network pointing to the ASA. If you try a traceroute from the 151.5.3.x network to the internet address, does it go to the ASA inside interface?
Jon
02-27-2012 07:53 AM
Hi Jon,
After several hops it ends up on the ASA inside interface. The ASA in my office is the gateway of last resort for the entire MPLS.
Thanks
Trevor
02-27-2012 07:57 AM
Trevor
That's good. So it should just be a case of setting up the static and adding the rule(s) to the access-list, and you should be good to go.
Jon
02-27-2012 07:59 AM
Jon,
Thanks for the help.
I'll try the config this evening and let you know how it goes.
Thanks again
Trevor