07-22-2012 11:14 PM - edited 03-11-2019 04:33 PM
Hi all,
I am now using an ASA 5510 as a firewall device. I have configured 3 interfaces, ethernet 0/0, ethernet 0/1 and ethernet 0/2, as the WAN interface, DMZ interface and internal LAN interface. Internet is working fine from the LAN as well as the DMZ. The WAN interface uses the public point-to-point IP (/30) provided by the ISP, and another pool of public IPs is also provided by the ISP (/28). Now I want to map the /28 IPs to some servers in the DMZ. The DMZ servers currently have 192.168.101.0/27 private IPs. The problem is how to map the public IPs to those private IPs on the DMZ servers.
07-22-2012 11:54 PM
For versions up to 8.2:
Command to map private to public:
static (inside,outside) public_ip 192.168.101.X netmask 255.255.255.255
Permission provided for access:
access-list outsidein extended permit ip any host public_ip
Access list applied on the interface on which the public pool lands:
access-group outsidein in interface outside
Here the interface name is outside and the access list name is outsidein.
07-22-2012 11:58 PM
Thank you, I will try the command; it may help me.
07-23-2012 12:03 AM
I am using Cisco Adaptive Security Appliance Software Version 8.4(2), so the static (inside,outside) public_ip 192.168.101.X netmask 255.255.255.255 command does not work. Is there an appropriate command for the above version?
07-23-2012 12:06 AM
For post-8.2 versions:
object network MYSERVER
host 192.168.101.x
nat (inside,outside) static public_ip
Permission provided for access:
access-list outsidein extended permit ip any object MYSERVER
Access list applied on the interface on which the public pool lands:
access-group outsidein in interface outside
07-23-2012 10:19 PM
I configured my ASA 5510 with the above commands, but now the server is not able to connect to the internet, and the mapped public IP cannot be pinged from the internet or from the same network inside.
07-23-2012 11:03 PM
Please provide your running config.
The command for this is:
show running-config
07-24-2012 12:23 AM
Hi, here is the running config:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zzzzzzzz encrypted
passwd zzzzzzzzzzz encrypted
names
dns-guard
!
interface Ethernet0/0
nameif wan1
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
nameif DMZ
security-level 0
ip address 192.168.101.1 255.255.255.224
!
interface Ethernet0/2
nameif INTERNAL-LAN
security-level 0
ip address 192.168.200.2 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
regex domainlist1 "login.live.com"
regex domainlist2 "login.live.com"
regex domainlist3 "yahoo.com"
!
time-range always
periodic daily 0:00 to 23:59
!
time-range off_hour
periodic daily 17:30 to 23:59
periodic daily 0:00 to 10:00
!
time-range office_hour
periodic daily 10:00 to 17:30
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone NPT 5 45
dns domain-lookup INTERNAL-LAN
dns server-group DefaultDNS
name-server xxx.xxx.xxx.xxx
name-server xxx.xxx.xxx.xxx
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.101.0
subnet 192.168.101.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network full_access_grp
host 192.168.40.92
object service Net_bios_port
service tcp source range 0 65535 destination range 445 445
object network VLAN-40
subnet 192.168.40.0 255.255.255.0
object network Test
host 192.168.40.25
object network testserver
host 192.168.101.3
object network mappedserver
host 192.168.40.92
object-group network Full_access_grp
network-object host 192.168.40.92
network-object host 192.168.40.14
object-group network Top_levels
network-object host 192.168.40.30
object-group network FB_allowed_grp
network-object host 192.168.33.50
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
protocol-object ip
protocol-object icmp
access-list mappedip extended permit ip any object testserver
access-list mappedip extended permit ip any object mappedserver
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu wan1 1500
mtu DMZ 1500
mtu INTERNAL-LAN 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (INTERNAL-LAN,wan1) dynamic interface
object network testserver
nat (DMZ,wan1) static xxx.xxx.xxx.xxx
object network mappedserver
nat (INTERNAL-LAN,wan1) static xxx.xxx.xxx.xxx
access-group mappedip in interface wan1
route wan1 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy 1
route INTERNAL-LAN 10.10.1.0 255.255.255.0 192.168.200.1 3
route INTERNAL-LAN 10.10.2.0 255.255.255.0 192.168.200.1 3
route INTERNAL-LAN 10.10.3.0 255.255.255.0 192.168.200.1 3
route INTERNAL-LAN 192.168.32.0 255.255.224.0 192.168.200.1 50
route INTERNAL-LAN 192.168.99.0 255.255.255.248 192.168.200.1 3
route DMZ 192.168.101.0 255.255.255.0 192.168.101.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.40.0 255.255.255.0 INTERNAL-LAN
http 192.168.101.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service password-recovery
telnet 192.168.200.0 255.255.255.252 INTERNAL-LAN
telnet 192.168.40.92 255.255.255.255 INTERNAL-LAN
telnet 192.168.40.0 255.255.255.0 INTERNAL-LAN
telnet 192.168.32.0 255.255.224.0 INTERNAL-LAN
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
class-map type regex match-any Blocklist
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
parameters
class BlockDomainsClass
reset log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http http_inspection_policy
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:daf6cc93137b486a20a15b926adc22c0
: end
07-24-2012 01:54 AM
Please change the security levels; they should be like:
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.101.1 255.255.255.224
interface Ethernet0/2
nameif INTERNAL-LAN
security-level 100
ip address 192.168.200.2 255.255.255.252
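An added example, not from this thread or from Cisco: a small Python check that reads an ASA 8.4-style running config like the one posted above and flags the two things the replies turn on, interfaces that share a security level (the change Gourav asks for) and object NAT statics that have no matching permit in the ACL applied inbound on the mapped interface. The config excerpt is constructed from the posted one, with public IPs replaced by documentation addresses and the mappedserver permit deliberately left out so the second check has something to report.

```python
import re
# Constructed excerpt modelled on the posted running config (public IPs are documentation
# addresses; the mappedserver ACL permit is omitted on purpose so the NAT check fires).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif wan1
 security-level 0
interface Ethernet0/1
 nameif DMZ
 security-level 0
interface Ethernet0/2
 nameif INTERNAL-LAN
 security-level 0
object network testserver
 nat (DMZ,wan1) static 203.0.113.10
object network mappedserver
 nat (INTERNAL-LAN,wan1) static 203.0.113.11
access-list mappedip extended permit ip any object testserver
access-group mappedip in interface wan1
"""

def parse(config):
    # Collect nameif->security-level, object NAT statics, ACL permits and access-groups.
    levels, nats, permits, groups, nameif, obj = {}, [], set(), {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("object network "):
            obj = line.split()[2]
        elif m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line):
            nats.append((obj, m.group(2), m.group(3)))   # (object, mapped_if, mapped_ip)
        elif m := re.match(r"access-list (\S+) extended permit .* object (\S+)", line):
            permits.add((m.group(1), m.group(2)))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)
    return levels, nats, permits, groups

def findings(config):
    # Return human-readable findings for the two problems discussed in the thread.
    levels, nats, permits, groups = parse(config)
    out = []
    for lvl in sorted(set(levels.values())):
        names = [n for n, v in levels.items() if v == lvl]
        if len(names) > 1:   # same-security interfaces: no trust boundary between them
            out.append(f"shared security-level {lvl}: {', '.join(names)}")
    for obj, mapped_if, mapped_ip in nats:
        acl = groups.get(mapped_if)   # ACL bound inbound on the mapped (outside) interface
        if acl is None or (acl, obj) not in permits:
            out.append(f"static NAT {obj}->{mapped_ip} has no permit in ACL on {mapped_if}")
    return out
```

Running findings() over the posted config as-is reports all three interfaces at level 0; after Gourav's change (DMZ 50, INTERNAL-LAN 100) and with a permit for every static-NAT object, it returns an empty list.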
07-25-2012 03:33 AM
Thanks Gourav,
The command worked. The whole problem with the server not getting pinged was a routing problem for the public IP from the ISP to our gateway P2P IP.