03-15-2012 05:36 AM - edited 03-11-2019 03:42 PM
Hi
Hope someone can help me with the following problem.
I have an ASA 5510 that looks like this:
INTERFACE 0: DHCP (OUTSIDE)
INTERFACE 1: 10.45.0.1 255.255.255.0
INTERFACE 2: 192.168.0.1 255.255.255.0
I need to access the net (10.45.0.0 255.255.255.0) on INTERFACE 1 from all IP addresses (192.168.0.1 255.255.255.0) on INTERFACE 2
But all INTERFACE 2 addresses shall be translated to one single address (10.45.0.15) at INTERFACE 1
How can I do that?
Thanks
Rex
03-15-2012 06:39 AM
What version is your ASA?
03-15-2012 07:44 AM
8.03
03-15-2012 08:00 AM
I am not sure of your interface names on your FW, but I could assume as follows. In case they are not set up on your FW, please change those in brackets (i.e. interface names) to reflect your ASA interface names.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
INTERFACE 2: assumed security level less than 100.
INTERFACE 1: assumed security level equal to 100.
I hope this helps.
Thanks
Rizwan Rafeek.
03-16-2012 02:00 AM
rizwanr74
The way you suggest is a 1-to-1 NAT: a.a.a.1 will be translated to b.b.b.1, a.a.a.2 translated to b.b.b.2.
The way I want it is that the entire a.a.a.a network will be translated to one single b.b.b.b address. Like PAT.
Best regards
Rex
03-16-2012 05:58 AM
dmz = INTERFACE 1:
inside = INTERFACE 2:
access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.45.0.0 255.255.255.0
global (dmz) 45 10.45.0.15
nat (inside) 45 access-list policy-nat
Let me know, if this helps.
thanks
03-19-2012 01:27 AM
Hi
Back on work after a great weekend :-)
OK, I get the idea to make a virtual interface.
I have now implemented it, but somehow I can't get the access-list triggered?
Even if I try, for a short test, to put in ANY ANY ... nothing triggers the access-list.
Best regards
Rex
03-19-2012 03:39 AM
Hi Rex,
I think that the access-list for nat is too restrictive....
try
access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 any
Regards
Amanda
03-19-2012 04:48 AM
Hi Amanda
Same problem ... no hits on the access-list.
Here my setup:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address x.x.x.154 255.255.255.240
interface Ethernet0/1.40
vlan 123
nameif KUNDENET
security-level 60
ip address 192.168.123.1 255.255.255.0
interface Ethernet0/1.60
vlan 130
nameif SAS_LAN_10
security-level 55
ip address 10.45.0.1 255.255.248.0
access-list policy-nat extended permit ip 10.45.0.0 255.255.248.0 192.168.123.0 255.255.255.0
global (KUNDENET) 45 192.168.123.121
nat (SAS_LAN_10) 45 access-list policy-nat
global (OUTSIDE) 1 interface
global (KUNDENET) 45 192.168.123.121
nat (SAS_LAN_10) 0 access-list NO_NAT
nat (SAS_LAN_10) 45 access-list policy-nat
nat (SAS_LAN_10) 1 10.45.0.0 255.255.248.0
nat (KUNDENET) 0 access-list NO_NAT
nat (KUNDENET) 1 192.168.123.0 255.255.255.0
The NO_NAT's are for some VPN tunnels
// Rex
03-19-2012 12:27 PM
You need an ACL permit entry to enter the higher-security (KUNDENET) zone interface from the lower-security (SAS_LAN_10) zone interface.
access-list kundenet-in extended permit ip 10.45.0.0 255.255.248.0 192.168.123.0 255.255.255.0
access-group kundenet-in in interface KUNDENET
let me know, if that helps.
thanks
Rizwan Rafeek
03-20-2012 03:18 AM
Hi Rex
Try a couple of things for me please.
Use the show nat command to see what NAT will be applied to the various interfaces and try setting the SAS_LAN_10 interface security level to 60.
Use the same-security-traffic permit inter-interface command.
The nat works by letting traffic from a protected interface go to a less protected or same level interface (with the command above).
Thanks very much
Regards,
Amanda Lalli-Cafini
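Added example, not part of the thread and not Cisco's code: a small Python model of how a pre-8.3 ASA (the 8.0(3) box here) decides what happens to the first packet of a new connection. It ties together the three points raised in the posts above: why Rizwan's first `static` is a 1:1 mapping rather than the many-to-one PAT Rex asked for, the NAT order of operations that `show nat` reflects (nat 0 exemption first, then static, then policy dynamic NAT by nat ID plus access-list, then regular dynamic NAT), and the ingress access-group / security-level check that runs before NAT, which is why a NAT access-list can show zero hits while the config looks right. Rex's posted interfaces and NAT lines are reproduced as data; everything the thread does not show is an assumption and labelled as such in the code: 198.51.100.154 stands in for the masked x.x.x.154, the NO_NAT access-list is given an invented 172.16.99.0/24 VPN peer network, and the `acl_on`, `sas_level` and `same_security` parameters model where Rizwan's kundenet-in ACL is applied and Amanda's level-60 plus same-security-traffic suggestion.

```python
"""Model of pre-8.3 ASA NAT rule selection and of the ingress access-group check that runs
before NAT. Added example, not configuration from the thread. Rule order is the NAT Order of
Operations documented for ASA 8.0-8.2: nat 0 exemption, static, policy dynamic NAT, regular."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """ASA 'address mask' pair -> network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

@dataclass
class Ace:  # one 'permit ip <src> <smask> <dst> <dmask>' line
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    def matches(self, s: str, d: str) -> bool:
        return ipaddress.ip_address(s) in self.src and ipaddress.ip_address(d) in self.dst

@dataclass
class Interface:
    name: str
    level: int  # security-level
    subnet: ipaddress.IPv4Network
    acl_in: Optional[str] = None  # access-group <acl> in interface <name>

@dataclass
class Nat:  # nat (<ifname>) <id> access-list <acl>   or   nat (<ifname>) <id> <net> <mask>
    ifname: str
    nat_id: int  # 0 = NAT exemption
    acl: Optional[str] = None
    real: Optional[ipaddress.IPv4Network] = None

@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    acls: Dict[str, List[Ace]]
    nats: List[Nat]
    global_pools: Dict[Tuple[str, int], str]  # global (<egress>) <id> <mapped address>
    same_security: bool = False  # same-security-traffic permit inter-interface

    def _connected(self, ip: str) -> Optional[Interface]:
        a = ipaddress.ip_address(ip)
        return next((i for i in self.interfaces.values() if a in i.subnet), None)

    def _acl_hit(self, name: Optional[str], src: str, dst: str) -> bool:
        return name is not None and any(a.matches(src, dst) for a in self.acls[name])

    def _permitted(self, ing: Interface, eg: Interface, src: str, dst: str) -> bool:
        if ing.acl_in is not None:  # an applied inbound ACL replaces the security-level default
            return self._acl_hit(ing.acl_in, src, dst)
        return ing.level > eg.level or (ing.level == eg.level and self.same_security)

    def _nat(self, ing: Interface, eg: Interface, src: str, dst: str) -> Tuple[str, str]:
        own = [n for n in self.nats if n.ifname == ing.name]
        for n in own:  # 1. exemption (nat 0 access-list) beats every other rule
            if n.nat_id == 0 and self._acl_hit(n.acl, src, dst):
                return ("exempt", src)
        # 2. static would be checked here; Rex has none (static_map() shows its 1:1 behaviour)
        for n in own:  # 3. policy dynamic NAT: nat ID + access-list, needs a global on the egress
            if n.nat_id and n.acl and self._acl_hit(n.acl, src, dst) and (eg.name, n.nat_id) in self.global_pools:
                return ("policy-pat", self.global_pools[(eg.name, n.nat_id)])
        for n in own:  # 4. regular dynamic NAT: nat ID + real network
            if n.nat_id and n.real and ipaddress.ip_address(src) in n.real and (eg.name, n.nat_id) in self.global_pools:
                return ("dynamic-pat", self.global_pools[(eg.name, n.nat_id)])
        return ("no-nat", src)

    def flow(self, src: str, dst: str) -> Tuple[str, str]:
        """Verdict and mapped source for the first packet of a new src -> dst connection."""
        ing = self._connected(src)
        if ing is None:
            raise ValueError(f"{src} is not on a connected interface")
        eg = self._connected(dst) or self.interfaces["OUTSIDE"]  # default route via OUTSIDE assumed
        if not self._permitted(ing, eg, src, dst):
            return ("denied-before-nat", src)  # NAT ACL never consulted, so its hit count stays 0
        return self._nat(ing, eg, src, dst)

def static_map(real: ipaddress.IPv4Network, mapped: ipaddress.IPv4Network, ip: str) -> str:
    """static (real_if,mapped_if) <mapped> <real> netmask <m>: one-to-one, host bits preserved."""
    return str(mapped.network_address + (int(ipaddress.ip_address(ip)) - int(real.network_address)))

def rex_asa(acl_on: Optional[str] = None, sas_level: int = 55, same_security: bool = False) -> Asa:
    """Rex's posted interfaces and NAT lines. Assumed: 198.51.100.154 stands in for the masked
    x.x.x.154 (what 'global (OUTSIDE) 1 interface' resolves to); NO_NAT is not shown in the thread,
    so it exempts an invented 172.16.99.0/24 VPN peer; acl_on gets Rizwan's kundenet-in access-group."""
    sas, kunde = net("10.45.0.0", "255.255.248.0"), net("192.168.123.0", "255.255.255.0")
    ifs = {i.name: i for i in (Interface("OUTSIDE", 0, net("198.51.100.154", "255.255.255.240")),
                               Interface("KUNDENET", 60, kunde), Interface("SAS_LAN_10", sas_level, sas))}
    if acl_on:
        ifs[acl_on].acl_in = "kundenet-in"
    acls = {"policy-nat": [Ace(sas, kunde)], "kundenet-in": [Ace(sas, kunde)],
            "NO_NAT": [Ace(sas, net("172.16.99.0", "255.255.255.0"))]}
    nats = [Nat("SAS_LAN_10", 0, acl="NO_NAT"), Nat("SAS_LAN_10", 45, acl="policy-nat"),
            Nat("SAS_LAN_10", 1, real=sas), Nat("KUNDENET", 0, acl="NO_NAT"), Nat("KUNDENET", 1, real=kunde)]
    return Asa(ifs, acls, nats, {("OUTSIDE", 1): "198.51.100.154", ("KUNDENET", 45): "192.168.123.121"},
               same_security)

if __name__ == "__main__":
    for acl_on in (None, "KUNDENET", "SAS_LAN_10"):  # where Rizwan's access-group is applied
        print(acl_on, rex_asa(acl_on).flow("10.45.0.20", "192.168.123.50"))
```

Running it shows the behaviour behind Rex's "no hits": with the config as posted, a SAS_LAN_10 host (level 55) going to KUNDENET (level 60) is dropped by the ingress check before any NAT rule is looked at. Applying the kundenet-in ACL `in interface KUNDENET` does not change that, because an inbound access-group filters packets arriving on that interface, and these packets arrive on SAS_LAN_10; the same ACL applied `in interface SAS_LAN_10`, or Amanda's level 60 plus `same-security-traffic permit inter-interface`, lets the flow through and policy NAT 45 maps it to 192.168.123.121. The model also shows nat 0 taking precedence over nat 1 for the VPN peer, regular nat 1 falling back to interface PAT for Internet traffic, and `static_map()` giving each host its own mapped address, which is the 1:1 behaviour Rex rejected.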