10-05-2007 05:08 AM - edited 02-21-2020 01:42 AM
Guys,
I have an ASA5505 that I need to configure as follows,
inside networks
192.168.4.0/24
192.168.5.0/24
outside network
10.96.112.20/24
All I want to do is that the inside networks all get translated to 10.96.112.20 and that I can manage the box using 10.96.112.20.
Don't need anything else, DHCP. Just basically NAT for now.
I have the box sitting in front of me with basic config.
Can anyone help a brother out?
:-)
10-05-2007 05:38 AM
Hi
nat (inside) 1 192.168.4.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface
This is assuming the outside interface of your pix is using the address 10.96.112.20.
To manage it from the outside you can use ssh or IPSEC. SSH is probably the way to go.
HTH
Jon
10-05-2007 07:14 AM
Hi Jon, thanks for your response. How can I test this works before deploying it? I put a router on the inside and can ping the inside ASA address. My laptop is on the outside and can ping the outside ASA address. They cannot see through the ASA though?
192.168.5.200 --> asa inside 192.168.5.234 ---> asa outside 10.96.112.20 ---> laptop 10.96.112.21
Appreciate any suggestions !
TIA
10-05-2007 07:31 AM
You need an access-list, i.e.
access-list acl_outside permit icmp any any
access-group acl_outside in interface outside
Then ping from router to laptop.
Jon
10-05-2007 07:48 AM
Jon, I cannot seem to get this thing working. I am _so_ not the firewall person, this is my first :-) All I need to do is get this thing performing the NAT, and so that I can telnet to the outside address to manage it after it's installed at site - then the firewall peeps will take care of the rest :-) What am I doing wrong here? Thanks again.
ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8il5M/7PS/HH/mgc encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.234 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address 10.96.112.15 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a4b8a707bce8a408f747562b06d4840
: end
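An added example, not part of the original thread: a small Python check that reads an ASA 7.x-style running-config like the one posted above and reports the settings a reviewer would look at first (equal security levels on two named interfaces, an inbound ACL that permits all IP, and a `nat` id with no matching `global`). The function name `audit` and the sample text are constructed for illustration; it relies on two ASA behaviours, that interfaces with equal security levels do not pass traffic to each other unless `same-security-traffic permit inter-interface` is configured, and that `nat` id 0 is NAT exemption and needs no `global`.

```python
import re

# Constructed excerpt modelled on the running-config posted above (secrets omitted).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 100
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit ip any any
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
access-group acl_outside in interface outside
"""

def audit(config):
    """Return a list of findings for an ASA 7.x-style running-config."""
    levels, acls, bound, nat_ids, global_ids = {}, {}, {}, set(), set()
    name = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name = None  # new interface block; forget the previous nameif
        elif m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended )?(permit \S+ any any)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"nat \(\S+\) (\d+) ", line):
            nat_ids.add(m.group(1))
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(m.group(1))
    same_ok = "same-security-traffic permit inter-interface" in config
    findings = []
    for a, b in [(a, b) for a in levels for b in levels if a < b and levels[a] == levels[b]]:
        if not same_ok:
            findings.append(f"same security-level {levels[a]}: {a}, {b}")
    for iface, acl in bound.items():
        findings += [f"{acl} on {iface} inbound: {r}" for r in acls.get(acl, []) if r.startswith("permit ip ")]
    for nid in sorted(nat_ids - global_ids - {"0"}):  # id 0 is NAT exemption
        findings.append(f"nat id {nid} has no matching global")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```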
10-05-2007 01:06 PM
Hey Jon, thanks for all your help, I do appreciate it. I managed to get one of the firewall guys on it :-)