asa 5505 web access

Eric Arnould
Level 1

Hello,

I have a problem with my setup on asa 5505.

Version of cisco is 8.0.2

At the beginning, all the IPs on the inside interface have web access.

I added a static rule for one IP on the inside interface, and after that the web access does not work for this IP.

My question is: how can I resolve this problem?

My configuration is :

interface Vlan1
 nameif inside
 security-level 100
 ip address 20.30.40.250 255.255.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 99.99.99.99
static (inside,outside) 10.20.1.1 20.30.44.1 netmask 255.255.255.255

For the inside IP 20.30.44.1, the web access does not work.

Thanks in advance for your response

6 Replies

Yudong Wu
Level 7

- Is IP 10.20.1.1 a valid IP in your network?

- If you are talking about web access to the internet, 10.20.1.1 is not a public IP, do you have another NAT device to nat it to a public IP?

- If you are positive on the above questions, can you "clear xlate" and try again?

99.99.99.99 is the WAN IP of the Cisco.

I have a route to a gateway:

route outside 0.0.0.0 0.0.0.0 999.999.999.999 1

No, 10.20.1.1 is not a valid IP.

I am talking about web access to the internet.

I don't have another NAT device.

I have to say that I need to translate the IP 20.30.44.1 to 10.21.1.1 because I am using it in a VPN:

access-list no_nat extended permit ip host 10.21.1.1 10.20.0.0 255.255.0.0

crypto map vpn 11 set peer 888.888.888.888

The VPN is working.

I have to translate the IP 20.30.44.1 because I will have 11 Ciscos for 11 different sites, and they will all have the same local IP (20.30.44.1), and I need to set up a VPN between all these 11 Ciscos and my central Cisco.

1. Based on your info, you have overlapping IPs between the sites. So you do need to NAT IP 20.30.44.1 to 10.21.1.1 before the packet goes into the VPN tunnel. ACL no_nat will not be used.

2. Will the traffic to the internet go through the VPN tunnel first and then access the internet from your central site? Or will it access the internet locally? I don't have the full config of this ASA and am not sure if you are using split-tunnel.

3. My guess is:

- You have dynamic NAT configured on this ASA to NAT the traffic to the internet.

- After you add a static NAT for host 20.30.44.1, it will take priority over the dynamic NAT, and as a result it will be NATed to a private IP. Therefore, no internet access anymore.

- If the above is true, you should use policy static NAT here.

static (inside,outside) 10.20.1.1 access-list VPN
access-list VPN extended permit ip host 20.30.44.1 10.20.0.0 255.255.0.0

Traffic to the Internet must go out locally.

Part of my configuration is:

interface Vlan1
 nameif inside
 security-level 100
 ip address 20.30.44.250 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 888.888.888.888
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
boot system disk0:/asa802-k8.bin
access-list no_nat extended permit ip 10.21.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list EURODATA extended permit ip host 20.30.44.1 10.20.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.21.1.1 access-list EURODATA
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set set2 esp-3des esp-sha-hmac
crypto map vpn 11 match address EURODATA
crypto map vpn 11 set pfs group5
crypto map vpn 11 set peer 999.999.999.999
crypto map vpn 11 set transform-set set1
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

With this configuration:

Internet locally for 20.30.44.1 is OK.

VPN for 20.30.44.1 is not OK; when I look at the packets on the central Cisco, I see the IP 20.30.44.1 coming in, but not 10.21.1.1.

You need to create another ACL using the NATed IP 10.21.1.1 for "crypto map vpn 11 match address". Please refer to the following example:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K05272321

Can you please remove "nat (inside) 0 access-list no_nat" and "clear xlate"? Then "clear crypto isa sa" and "clear crypto ipsec sa" to let the VPN tunnel be rebuilt.

HTH
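The NAT behaviour described in the two replies above (a plain static overriding the dynamic NAT, a policy static keyed on the VPN destination, and the crypto map ACL having to name the translated address), modelled as an added Python example; this is not code from the thread or from Cisco. It assumes the pre-8.3 ASA NAT order of operations (nat 0 exemption, then static, then dynamic) and uses constructed placeholder addresses for the outside interface and an internet host.

```python
# Added example: a small model of pre-8.3 ASA NAT matching, showing why a
# plain static broke internet access for 20.30.44.1 and why a policy static
# plus a crypto ACL on the NATed IP fixes the VPN. Placeholder addresses are
# constructed, not values from the thread.
from ipaddress import ip_address, ip_network

def in_net(addr, net):
    return ip_address(addr) in ip_network(net, strict=False)

def translate(cfg, src, dst):
    """Source address seen on the outside, or None if no NAT rule applies.

    Pre-8.3 order: nat 0 access-list (exemption), static (policy or plain),
    then dynamic nat/global (PAT to the outside interface here)."""
    for src_net, dst_net in cfg.get("exempt", []):
        if in_net(src, src_net) and in_net(dst, dst_net):
            return src                      # exempt: identity, no translation
    for real, mapped, dst_net in cfg.get("static", []):
        if in_net(src, real) and (dst_net is None or in_net(dst, dst_net)):
            return mapped                   # dst_net None = plain static
    for real in cfg.get("dynamic", []):
        if in_net(src, real):
            return cfg["interface_ip"]      # global (outside) 1 interface
    return None

def crypto_acl_matches(acl_host, nat_src):
    """Crypto map ACLs are checked after NAT, so they must name the NATed IP."""
    return nat_src == acl_host

HOST = "20.30.44.1"
VPN_NET = "10.20.0.0/16"
OUTSIDE_IP = "192.0.2.1"     # constructed stand-in for the ASA's WAN IP
INTERNET = "203.0.113.10"    # constructed public host

# Eric's first attempt: a plain static on the host wins over the dynamic nat.
broken = {"interface_ip": OUTSIDE_IP,
          "static": [(HOST + "/32", "10.21.1.1", None)],
          "dynamic": ["0.0.0.0/0"]}

# Yudong's fix: policy static keyed on the VPN destination (ACL EURODATA).
fixed = dict(broken, static=[(HOST + "/32", "10.21.1.1", VPN_NET)])

# Eric's "nat (inside) 0 access-list no_nat" never matches HOST, as Yudong said.
with_no_nat = dict(fixed, exempt=[("10.21.0.0/16", VPN_NET)])

if __name__ == "__main__":
    for name, cfg in (("broken", broken), ("fixed", fixed)):
        print(name, "to internet ->", translate(cfg, HOST, INTERNET))
        print(name, "to VPN net  ->", translate(cfg, HOST, "10.20.5.5"))
```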

I followed your instructions and all is OK now.

We can say that the problem is resolved.

Many thanks for your help

Best regards

Eric Arnould , EURODATA France