
ASA 5505 NAT Question 1

Status
Not open for further replies.

IHateXP

Technical User
May 28, 2002
GB
Hi Guys,

Bit of a n00b question here (sorry)

Did my ASA course 6+ months ago (never seen one before then, and haven't done PIX for around 7 years); anyhow, my firm got me a nice ASA 5505.

My Internal IP Range is a Standard Class C network

192.168.x.x 255.255.255.0

I have a Server on there whose internal IP is 192.168.x.10

On the ASA it has to be seen as 70.80.36.235 255.255.255.248

I need all traffic destined for 70.80.36.235 to be routed to 192.168.x.10.

I have set my external interface to 70.80.36.235 and my internal interface to 192.168.x.10

I have tried to create an any all rule from inside to outside but the connection keeps getting dropped

Any ideas why?

IT Mobile Engineering Team Leader
MCP since 2000 (7 in total)
Compaq APS
IBM Certs
All Round Good Egg
 
Hi, you need a static NAT entry and also an access list on the outside to allow the traffic in.

Something like:
static (inside,outside) 70.80.36.235 192.168.x.10

access-list OUTSIDE permit ip any host 70.80.36.235
access-group OUTSIDE in interface outside

The static command maps the outside address to your private server address, and the ACL allows traffic into the ASA to hit the private address on the outside interface.

However, with this config the address assigned to the outside physical interface on the ASA cannot be the same as the one assigned to the printer; you will need to change one of the addresses. Depends on how many spare real addresses you have.


If you have worked on PIX before this may make some sense; if not, let me know and I'll explain in more detail.
 
Thanks for the tip, knew I was missing something.

Next time I'm on site with the ASA I'll let you know how I get on

IT Mobile Engineering Team Leader
MCP since 2000 (7 in total)
Compaq APS
IBM Certs
All Round Good Egg
 
Hi routerman,

I don't understand what you said "with this config the address assigned to the outside physical interface on the ASA cannot be the same as the one assigned to the printer".

I think I have that problem, I published a thread ("NAT/PAT questions ASA5510")... Basically I'm using the same IP for PAT and for incoming. Is that allowed?

Thank you
 
Hi Routeman,

Thanks for the input

ASA Version 7.2(4)
!
hostname ASA
domain-name cisco.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.80.36.235 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list ACLIN extended permit ip any any
access-list ACLIN extended permit tcp any any
access-list ACLIN extended permit icmp any any
access-list ACLOUT extended permit ip any any
access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
static (inside,outside) 70.80.36.230 192.168.x.10 netmask 255.255.255.255
access-group ACLIN in interface inside
access-group ACLOUT in interface outside
route outside 0.0.0.0 0.0.0.0 70.80.36.231 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.x.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:40d93da336e7f0e09e5ea5e7fc2b2542
: end
Please note the IPs aren't genuine (not that I don't trust you guys :) )

In the current config the packet flow (via ping) from inside to outside is fine.

However in this configuration packet flow (via ping) from outside to inside doesn't work.

What am I doing wrong?

IT Mobile Engineering Team Leader
MCP since 2000 (7 in total)
Compaq APS
IBM Certs
All Round Good Egg
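The two points raised in this thread (routerman's explanation that a static needs a spare public address plus an inbound ACL on outside, and the config IHateXP posted afterwards, which moves the static to 70.80.36.230 but applies a blanket permit) can be checked mechanically before the box goes on site. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses only the ASA 7.x lines that matter here (`interface`/`nameif`/`ip address`, `static`, `access-list ... extended`, `access-group`) and reports three things: a static whose global address is also an interface address, a static that no inbound ACL on its mapped interface permits, and a `permit ... any any` applied inbound on outside. The sample configs are constructed for the example (192.168.1.x stands in for the masked 192.168.x.x), the nameif `outside` is assumed to be the untrusted side, and `ACLOUT` is reused from the posted config.

```python
import re
from dataclasses import dataclass, field

STATIC_RE = re.compile(r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<glob>\S+) (?P<local>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<iface>\S+)")
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}  # tokens a port operator consumes

# Constructed sample: the layout from the first post, where the outside
# interface and the static share 70.80.36.235 and no inbound ACL exists.
BROKEN_CFG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.80.36.235 255.255.255.248
!
static (inside,outside) 70.80.36.235 192.168.1.10 netmask 255.255.255.255
"""

# Constructed sample: static moved to a spare address and only the published
# services permitted in from outside (port 443 and echo chosen for the example).
FIXED_CFG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.80.36.235 255.255.255.248
!
access-list ACLOUT extended permit tcp any host 70.80.36.230 eq 443
access-list ACLOUT extended permit icmp any host 70.80.36.230 echo
static (inside,outside) 70.80.36.230 192.168.1.10 netmask 255.255.255.255
access-group ACLOUT in interface outside
"""

# Constructed sample: same as FIXED_CFG but with the posted config's blanket ACE.
BROAD_CFG = FIXED_CFG.replace(
    "access-list ACLOUT extended permit tcp any host 70.80.36.230 eq 443\n"
    "access-list ACLOUT extended permit icmp any host 70.80.36.230 echo\n",
    "access-list ACLOUT extended permit ip any any\n")


@dataclass
class AsaConfig:
    interfaces: dict = field(default_factory=dict)     # nameif -> ip address
    statics: list = field(default_factory=list)        # (real_if, mapped_if, global, local)
    acls: dict = field(default_factory=dict)           # acl name -> [ACE lines]
    access_groups: dict = field(default_factory=dict)  # (nameif, "in"/"out") -> acl name


def parse_asa(text):
    """Collect interfaces, statics, ACLs and access-groups from a 7.x-style config."""
    cfg, block = AsaConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {}                       # start of an interface block
        elif line == "!":
            block = None                     # '!' closes the block
        elif block is not None and line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif block is not None and line.startswith("ip address "):
            block["ip"] = line.split()[2]
        elif line.startswith("access-list "):
            cfg.acls.setdefault(line.split()[1], []).append(line)
        elif (m := STATIC_RE.match(line)):
            cfg.statics.append((m["real"], m["mapped"], m["glob"], m["local"]))
        elif (m := ACCESS_GROUP_RE.match(line)):
            cfg.access_groups[(m["iface"], m["dir"])] = m["acl"]
        if block is not None and "nameif" in block and "ip" in block:
            cfg.interfaces[block["nameif"]] = block["ip"]
    return cfg


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        return None, []
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_ace(ace):
    """Return (action, protocol, src, dst) for an extended ACE, or None if unparsable."""
    t = ace.split()
    if len(t) < 7 or t[2] != "extended":
        return None
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _addr(rest)
    if rest and rest[0] in PORT_OPS:         # skip a source-port operator such as 'eq 1024'
        rest = rest[PORT_OPS[rest[0]]:]
    if src is None or not rest:
        return None
    dst, _ = _addr(rest)
    return (action, proto, src, dst) if dst else None


def check(cfg):
    """Return the findings for the NAT/ACL mistakes discussed in the thread."""
    findings = []
    ip_owner = {ip: name for name, ip in cfg.interfaces.items()}
    for _real_if, mapped_if, glob, local in cfg.statics:
        if glob in ip_owner:   # routerman's point: the static must not reuse an interface address
            findings.append(f"static {glob} -> {local}: {glob} is the {ip_owner[glob]} "
                            "interface address; map the server to a spare public address")
        acl = cfg.access_groups.get((mapped_if, "in"))
        aces = [parse_ace(a) for a in cfg.acls.get(acl, [])] if acl else []
        if not any(p and p[0] == "permit" and p[3] in ("any", glob) for p in aces):
            findings.append(f"static {glob} -> {local}: no inbound ACL on {mapped_if} permits "
                            f"traffic to {glob}, so nothing from outside can reach it")
    acl = cfg.access_groups.get(("outside", "in"))    # assumes nameif 'outside' is untrusted
    for ace in cfg.acls.get(acl, []) if acl else []:
        p = parse_ace(ace)
        if p and p[0] == "permit" and p[2] == "any" and p[3] == "any":
            findings.append(f"{acl} on outside permits {p[1]} from any to any; "
                            "restrict it to the published hosts and ports")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG), ("broad", BROAD_CFG)):
        print(name, check(parse_asa(text)) or ["no findings"])
```

Run against the three samples it reports two findings for the first-post layout (address collision, no inbound ACL), none for the tightened config, and one for the blanket `permit ip any any`. The checker only understands the address forms used in the thread (`any`, `host`, network/mask); object-groups and the 8.3+ `nat` syntax are out of scope.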
 