07-04-2011 07:35 AM - edited 03-07-2019 01:05 AM
Hello Friends,
I need help configuring an ASA. Please help. I think this is possible but very complicated for me, that's why I need guidance from you.
Present Status
There is Static NAT which is configured for 192.168.2.3 (Application Server),
Now I want to attach the ASA behind the ISP network, but I can't change the subnet of my Application Server; if needed, we can change the interface IP of the ISP router.
My ISP router IP is 192.168.4.1 and it is plugged into fa0/0 of the ASA. My server is plugged into interface 0/1 of the ASA, and I want to assign Static NAT for the Application Server, or suggest any other way for this situation. Please help me. You can refer to my attached configuration.
Now I am able to ping
Application Server--------192.168.2.1
Application Server--------192.168.4.101
Application Server--------192.168.4.1
ASA------>192.168.2.1
ASA------>192.168.4.1
R1------>192.168.4.101
R1------>192.168.2.1
But I am not able to ping
Application Server-------->R1
R1---------->Application Server
also I am unable to access Internet from Application Server
07-05-2011 11:46 AM
Hi,
The dynamic NAT, that is the nat-global commands pair, allows translation creation for flows originating from the higher security-level interface to lower ones only. If you need to allow connections, originating from a lower security-level interface, as it is your 'Outside', then you have to create a static translation:
- pull out an IP address from your global pool, or use a new one from the same subnet to NAT the server:
no global (Outside) 1 192.168.4.102-192.168.4.254 netmask 255.255.255.0
global (Outside) 1 192.168.4.103-192.168.4.254 netmask 255.255.255.0
!
static (inside,Outside) 192.168.4.102 192.168.2.3 netmask 255.255.255.255
Also, you will need to create at least an inbound access-list to permit interesting traffic in. Then, apply it to the 'Outside' interface:
access-list acl_outside_in extended permit ip any host 192.168.4.102
access-group acl_outside_in in interface Outside
And optionally, you can enable some ICMPs to ASA's interfaces and ICMP inspection:
icmp permit any echo Outside
icmp permit any echo-reply Outside
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
end
HTH/Regards,
Vasil
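An added example, not part of the original thread: a small Python audit for the two things the answer above touches, that the static-mapped address must not sit inside the dynamic `global` pool, and that `permit ip any host` opens every port and protocol to the translated server. The function name `audit`, the finding labels and the sample text are assumptions of this example; the regexes cover only the pre-8.3 command forms shown in the answer.

```python
import ipaddress
import re

# Constructed sample: the ASA lines from the answer above, with the original
# pool range restored to show the overlap that the answer removes.
SAMPLE_BEFORE = """\
global (Outside) 1 192.168.4.102-192.168.4.254 netmask 255.255.255.0
static (inside,Outside) 192.168.4.102 192.168.2.3 netmask 255.255.255.255
access-list acl_outside_in extended permit ip any host 192.168.4.102
"""
# Same config after the pool is shrunk to start at .103, as the answer suggests.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("192.168.4.102-", "192.168.4.103-")

IP = r"(\d+\.\d+\.\d+\.\d+)"
GLOBAL_RE = re.compile(rf"^global \((\S+)\) \d+ {IP}-{IP}", re.M)
STATIC_RE = re.compile(rf"^static \(\S+,(\S+)\) {IP} {IP}", re.M)
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip any host {IP}", re.M)


def audit(config):
    """Return (kind, detail) findings for a pre-8.3 ASA config text."""
    findings = []
    pools = [(ifc.lower(), ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for ifc, lo, hi in GLOBAL_RE.findall(config)]
    mapped = {}  # mapped (translated) address -> real server address
    for mapped_if, mapped_ip, real_ip in STATIC_RE.findall(config):
        mapped[mapped_ip] = real_ip
        addr = ipaddress.ip_address(mapped_ip)
        for ifc, lo, hi in pools:
            # A static address inside the dynamic pool on the same interface
            # can also be handed out to other inside hosts.
            if ifc == mapped_if.lower() and lo <= addr <= hi:
                findings.append(("pool-overlap",
                                 f"{mapped_ip} is inside global pool {lo}-{hi}"))
    for acl, host in ACL_RE.findall(config):
        # 'permit ip any host X' exposes all protocols and ports of the server.
        if host in mapped:
            findings.append(("broad-acl",
                             f"{acl} permits all IP from any source to {host} "
                             f"(real host {mapped[host]})"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(text))
```

The `broad-acl` finding remains after the pool is fixed; narrowing the entry to the protocols and ports the application actually needs is the usual follow-up.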
07-05-2011 10:29 PM
Hi vmilanov,
Thanks for your reply.
Is static NAT possible on the Tulip Router for the Application Server?
Because there is Static NAT configured on the ISP router for 192.168.2.3 (Application Server).
Also, please help, I have one query: I am not sure why you applied 192.168.4.102?
Please suggest.
VIkrant
07-06-2011 12:16 AM
Hi VIkrant,
So your Tulip router is directly connected to the internet and the ASA is connected to your Tulip router. If this is correct, then you do not need to write static NAT on the Tulip router as long as you have the ASA and can do static NAT on this ASA.
And what is 192.168.4.102? Vasil might be confused.
I think it is 192.168.4.101 (your application server).
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-06-2011 12:56 AM
OK,
@Naidu
Thanks for the help,
Can you write the configuration for the ASA and my Tulip router? Because I am not getting you 100%.
Please look again:
interface FastEthernet0/2
ip address A.A.A.248 255.255.255.0 A.A.A.A is my Static IP which is for Application Server
ip address 192.168.4.1 255.255.255.0 secondary
no ip directed-broadcast
ip nat inside
ip fast-switch enable
!
ip access-list extended internet
permit ip 192.168.4.0 255.255.255.0 any
permit ip 192.168.2.0 255.255.255.0 any
!
ip nat pool int A.A.A.248 A.A.A.248 255.255.255.0
ip nat inside source static 192.168.2.3 X.X.X.249 ------------------------Static NAT
ip nat inside source list internet pool int overload
Because there are 3 static IPs on the Tulip Router,
X.X.X.248 is for Internet for internal LAN users
X.X.X.249 is for the Application Server
X.X.X.250 is configured on interface Tunnel987
Then how do I define Static NAT on the ASA? Please explain or just write the config, I will understand this.
Thanks Dear, I am happy
07-06-2011 02:45 AM
Hi Vikrant,
Here is the example how you can configure a static NAT on your ASA.
ASA(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
ASA(config)# static (inside,outside) 209.165.202.129 access-list NET1
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-06-2011 03:16 AM
Again I got confused, I'm sorry @Naidu
Is 209.165.202.129 my Static IP?
10.1.2.27 = ?
209.165.201.0 = ?
It would be great if you would write it with the IP config.
Really sorry to disturb you.
Thanks in advance
Vikrant
07-06-2011 03:32 AM
Hi Vikrant,
What I provided below was just an example.
You can replace the IPs with your real ones.
See the below real config which I did on my ASA for static NAT.
static (inside,outside) 209.165.202.129 10.10.10.50 netmask 255.255.255.255
209.165.202.129: This can be your public IP which you have
10.10.10.50: This can be your Application server IP, which will be NATed to the above public IP and communicate with the outside world using that public IP.
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-07-2011 02:42 AM
Hello,
I am unable to ping the Tulip interface (192.168.4.1) from the Application Server, and I am also unable to browse the Internet on the Application Server. Please help me.
Thanks
Vikrant
07-07-2011 03:37 AM
Hi,
You are changing your issue by each and every post.
Your first post is for configuring NAT on ASA.
Then you put Tulip router in loop.
Now you are saying that you are not able to ping Tulip from Application server.
This is very typical to understand and provide solution.
What is the actual setup?
Where is the tulip router connected?
Where is your ASA connected and what is the role?
Where is your Application server connected?
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-07-2011 04:00 AM
Hi Naidu,
Please look at the attached diagram
ASA 0/0--->192.168.4.101
ASA 0/2---->192.168.2.1
Application Server 192.168.2.7
Tulip
0/1---->192.168.3.1
0/2-----> 192.168.4.1
I want to ping 192.168.4.1 from 192.168.2.7 ( Application Server)
I think it is clear now, sorry for the complication
VIkrant:)
07-07-2011 04:14 AM
Hi,
Please post the current configurations of the router (Tulip) and the ASA.
Toshi
07-07-2011 04:29 AM
Hello thotsaphon,
Thanks for responding,
Please look at the attached config.
I don't have the present config of the ASA, but I know I made changes only from this comment. Please look at vmilanov's comment; I made changes only by his suggestion.
Vikrant
07-07-2011 05:59 AM
Hi,
Please try this for testing.
ciscoasa(config)# access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
ciscoasa(config)# access-list outside_access_in extended permit icmp host 192.168.4.1 any
ciscoasa(config)# access-group outside_access_in in interface Outside
ciscoasa(config)# access-group inside_access_in in interface inside
HTH,
Toshi
07-09-2011 01:22 PM
Hi All,
Thanks for the help, I set up the ASA in transparent mode.
Thanks for giving your time.