Problem setting up cisco ASA 5515 Ver 9.1(1)

b.mwlam
Level 1

Hi,

I have a NAT setup problem in Ver 9.1(1).

object network outside-net
host 10.50.10.10
object network inside-net
host 192.168.1.10
nat (inside,outside) dynamic interface
object network www
host 192.168.1.10
nat (inside,outside) static outside-net service tcp 80 80
access-list acl-in permit ip any any
access-list acl-out permit ip any any
access-group acl-in in interface outside
access-group acl-out out interface inside

I can access the internet from the inside LAN.

But the web server can't be accessed from the internet.

The problem exists in ver 9.1(1), but not in Ver 8.4.

Please kindly help.

Thanks

Paul

19 Replies

b.mwlam
Level 1

Hi All,

Actually, I only want a simple configuration.

inside network = 192.168.1.0/24

outside network = 10.50.10.0/27

All inside hosts can access the internet,

and we only have one web server inside = 192.168.1.10.

This can be done in ver 8.x but not in 9.1(1).

Please help.

Hello Mw,

So here is the thing.

Let's say the internal server will be 4.2.2.2 on the outside, OK?

nat (inside,outside) after-auto source dynamic any interface
object network Internal-Server
host 192.168.1.10
object network Outside-Server
host 4.2.2.2
nat (inside,outside) source static Internal-Server Outside-Server
access-list out-in permit tcp any host 192.168.1.10 eq 80
access-group out-in in interface outside

That's it, a configuration from scratch for free. Now remember to always rate the helpful posts hehe

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your reply. I'll try tomorrow and reply.

Thanks again

mw

Hi,

It does not work.

Below is my config.

hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.10.215 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj-172.16.20.21
host 172.16.20.21
object network obj-10.50.10.217
host 10.50.10.217
access-list acl-in extended permit udp any object obj-172.25.20.21
access-list acl-in extended permit tcp any host 172.25.20.21 eq www
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217
!
nat (inside,outside) after-auto source dynamic any interface
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.50.10.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:d829d2da705abcd074c24febefa1b369
: end

Please help.

mw

paolo bevilacqua
Hall of Fame
Wrong forum, post in "Security - Firewalling". You can move your posting using the Actions panel on the right.

Hi Paolo,

Thanks.

But where is the Actions panel?

mw

Hi mw,

nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217 is wrong; no "obj-210.3.166.217" is seen in your posted configuration.

Follow what jcarvaja mentioned to configure the static NAT rule; it should work.

Thanks for your reply, Xie.

The obj-210.3.166.217 should be replaced by object network obj-10.50.10.217.

So that rule also has a correct object.

But it still does not work.

The same config works in ver 8.x.

Thanks

mw.

Arsen Gharibyan
Level 1

@mw lam

Hello, you either need to have both-way NAT or manually change it to (outside,inside).

Hi,

Thanks for your reply.

However, I can go out to the internet from inside by applying the following config:

ciscoasa(config)# sh run object
object network obj-172.16.20.21
host 172.16.20.21
object network obj-10.50.10.216
host 10.50.10.216

ciscoasa(config)# sh run nat
nat (outside,inside) source static obj-10.50.10.216 obj-172.16.20.21
!
nat (inside,outside) after-auto source dynamic any interface

ciscoasa(config)# sh run access-list
access-list outside_access_in extended permit icmp any object obj-10.50.10.216
access-list outside_access_in extended permit tcp any host 172.16.20.21 eq www
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

ciscoasa(config)# sh run access-group
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

But I still can't access the web server of the object obj-172.16.20.21.

I read an earlier post in the forum and also issued the command "sysopt noproxyarp outside", but in vain.

Pls help.

mw.

One more thing. I ran packet-tracer: there is no problem from inside to outside, but it fails from outside to inside at the NAT rules step.
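The checks behind the replies in this thread can be mechanised: Julio's answer puts the real (untranslated) address in the inbound ACL and defines both objects before the static rule, Xie points out a NAT rule naming an object that does not exist in the posted config, and the config just posted uses nat (outside,inside) source static, which rewrites the source of packets arriving on outside rather than the destination of inbound connections. The lint below is an added example written for this page, not code from the thread, from Cisco or from any poster. It assumes ASA 8.3+ semantics (ACLs match the real address), that the untrusted interface is literally named outside, and that a nat (outside,inside) rule whose mapped host also appears as an ACL destination on outside was meant to publish that host; it parses only the command forms seen in this thread, and the three sample fragments are constructed from the configs posted here.

```python
"""Lint an ASA 8.3+/9.x config fragment for the NAT/ACL mistakes raised in this thread.
Added example, not code from the thread, Cisco or any poster; the sample configs are constructed.
Only the forms the thread uses are parsed; everything else in a running-config is ignored."""
import re
from ipaddress import ip_address
OBJ_RE = re.compile(r'^\s*object network (\S+)\s*$')
HOST_RE = re.compile(r'^\s*host (\S+)\s*$')
OBJNAT_RE = re.compile(r'^\s*nat \((\w+),(\w+)\) (?:static|dynamic) (\S+)')
TWICE_RE = re.compile(r'^\s*nat \((\w+),(\w+)\) (?:after-auto )?source static (\S+) (\S+)')
GROUP_RE = re.compile(r'^\s*access-group (\S+) in interface (\w+)')

def _addr(toks, i):          # one ACL address spec at toks[i] -> (kind, value, index after it)
    if i >= len(toks) or toks[i] == 'any':
        return 'any', None, i + 1
    if toks[i] in ('host', 'object'):
        return toks[i], toks[i + 1], i + 2
    return 'net', ' '.join(toks[i:i + 2]), i + 2             # "a.b.c.d mask"

def resolve(objs, name):     # object name or literal address -> address string, else None
    if name in objs:
        return objs[name]
    try:
        return str(ip_address(name))
    except ValueError:
        return None

def parse(cfg):
    objs, nats, acls, groups, cur = {}, [], {}, {}, None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line):
            cur = m.group(1)
            objs[cur] = None
        elif cur and (m := HOST_RE.match(line)):
            objs[cur] = m.group(1)
        elif cur and (m := OBJNAT_RE.match(line)):
            nats.append((m.group(1), m.group(2), cur, m.group(3)))   # object NAT: the object is the real side
        else:
            cur = None                                  # any other line closes the object block
            if m := TWICE_RE.match(line):
                nats.append(m.groups())                 # (real_if, mapped_if, real, mapped)
            elif m := GROUP_RE.match(line):
                groups[m.group(1)] = m.group(2)
            elif line.lstrip().startswith('access-list ') and 'permit' in (toks := line.split()):
                i = toks.index('permit')
                _, _, j = _addr(toks, i + 2)            # skip the source spec
                kind, val, _ = _addr(toks, j)
                acls.setdefault(toks[1], []).append((toks[i + 1], kind, val))
    return objs, nats, acls, groups

def lint(cfg, untrusted=('outside',)):
    """Return the findings for one fragment; an empty list means it passes these checks."""
    objs, nats, acls, groups = parse(cfg)
    out = []
    for real_if, mapped_if, real, mapped in nats:
        for name in (real, mapped):
            if name not in objs and name not in ('any', 'interface') and resolve(objs, name) is None:
                out.append(f'undefined object {name!r} in nat ({real_if},{mapped_if})')
    for acl, ifc in groups.items():
        for proto, kind, val in acls.get(acl, []):
            if proto == 'ip' and kind == 'any' and ifc in untrusted:
                out.append(f'{acl}: permit ip any any inbound on {ifc} exposes every translated host')
            dst = val if kind == 'host' else resolve(objs, val) if kind == 'object' else None
            for real_if, mapped_if, real, mapped in nats:
                if dst and mapped_if == ifc and resolve(objs, mapped) == dst:
                    out.append(f'{acl}: {dst} is the mapped address; since 8.3 the ACL must match '
                               f'the real address {resolve(objs, real)}')
                if dst and real_if == ifc and resolve(objs, mapped) == dst:
                    out.append(f'{acl}: nat ({real_if},{mapped_if}) source static {real} {mapped} rewrites the '
                               f'SOURCE of packets entering {ifc}; to publish {dst} use '
                               f'nat ({mapped_if},{real_if}) source static {mapped} {real}')
    return out

# Constructed samples: GOOD follows the twice-NAT answer in the thread, BAD combines the undefined
# objects, the (outside,inside) rule and the 'permit ip any any' posted there, PRE83 is the pre-8.3 habit.
GOOD = """object network Internal-Server
 host 192.168.1.10
object network Outside-Server
 host 4.2.2.2
nat (inside,outside) source static Internal-Server Outside-Server
nat (inside,outside) after-auto source dynamic any interface
access-list out-in extended permit tcp any host 192.168.1.10 eq 80
access-group out-in in interface outside
"""
BAD = """object network obj-172.16.20.21
 host 172.16.20.21
object network obj-10.50.10.216
 host 10.50.10.216
nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217
nat (outside,inside) source static obj-10.50.10.216 obj-172.16.20.21
access-list outside_access_in extended permit tcp any host 172.16.20.21 eq www
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
"""
PRE83 = """object network Internal-Server
 host 192.168.1.10
 nat (inside,outside) static 4.2.2.2 service tcp 80 80
access-list out-in extended permit tcp any host 4.2.2.2 eq 80
access-group out-in in interface outside
"""
if __name__ == '__main__':
    for name, cfg in (('GOOD', GOOD), ('BAD', BAD), ('PRE83', PRE83)):
        print(name, lint(cfg) or ['ok'])
```

Run it as a script, or paste a `show run` excerpt into `lint()`. GOOD produces no findings; BAD reports the two undefined objects, the reversed rule (with the inside,outside form that would publish 172.16.20.21) and the permit ip any any, which with a static translation in place lets the whole internet reach every port of the published host, not just 80; PRE83 flags an ACL written against the mapped address, which was correct before 8.3 and is silently dead afterwards. The direction check is a heuristic: a nat (outside,inside) source static rule is legitimate when you really do want to rewrite outside source addresses, so it only fires when an inbound ACL on that interface names the rule's mapped host.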

Config looks fine. Let me ask: are you trying to access the website from your inside network using a web browser?

Thanks for your reply.

Yes, I can access it through a browser and I can ping the domain too, e.g. ping www.yahoo.com.

Hi Lam,

Found this in your configuration

"no arp permit-nonconnected"

Try removing this by

"arp permit-nonconnected"

Let me know if it worked...

Cheers,

Naveen

Alright, will try and let you know ASAP.
