
Cisco ASA Translation (WAS: Re: ASA 5505 Port Forwarding, NAT error)


  • Cisco ASA Translation (WAS: Re: ASA 5505 Port Forwarding, NAT error)

    Hello People!

    I'm having the same problem as NAN.

    I need a NAT for 2 servers on the inside interface: one is HTTP and the other is DNS.
    I tried the commands above but nothing worked; could you help me?

    Here my configuration:

    Code:
    : Saved
    :
    ASA Version 7.2(3) 
    !
    hostname PSAO
    domain-name e-provider.com.br
    enable password tWBRqLrR3a7s/z0p encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.11 255.255.255.0 
     ospf cost 10
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 2xx.xx.xx.xx 255.255.255.0 
     ospf cost 10
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone BRST -3
    clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
    dns server-group DefaultDNS
     domain-name e-provider.com.br
    same-security-traffic permit intra-interface
    access-list PSAOHOME_splitTunnelAcl standard permit any 
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
    access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240 
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.240 192.168.1.32 255.255.255.224 
    access-list inside_nat0_outbound extended permit ip any 192.168.0.32 255.255.255.224 
    access-list PSAOHOME2_splitTunnelAcl standard permit any 
    access-list PSAOHOME_splitTunnelAcl_1 standard permit any 
    access-list outside_access_in extended permit ip any any 
    access-list outside_access_in extended permit tcp any host 192.168.0.13 eq www 
    access-list outside_access_in extended permit tcp any host 192.168.0.8 eq domain 
    access-list outside_access_in extended permit tcp any host 2xx.xx.xx.xx eq www 
    access-list outside_access_in extended permit tcp any host 2xx.xx.xx.xx eq domain 
    access-list bind extended permit tcp any host 2xx.xx.xx.xx eq domain 
    access-list server_nat extended permit tcp any host 192.168.0.8 eq domain 
    access-list server_nat extended permit udp any host 192.168.0.8 eq domain 
    access-list server_nat extended permit ip host 192.168.0.8 any 
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    ip local pool PSAO 192.168.0.40-192.168.0.49 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 2xx.xx.xx.xx www 192.168.0.13 www netmask 255.255.255.255 
    static (inside,outside) tcp 2xx.xx.xx.xx domain 192.168.0.8 domain netmask 255.255.255.255 
    static (inside,outside) udp 2xx.xx.xx.xx domain 192.168.0.8 domain netmask 255.255.255.255 
    static (outside,inside) tcp 192.168.0.8 domain 2xx.xx.xx.xx domain netmask 255.255.255.255 
    static (outside,inside) udp 192.168.0.8 domain 2xx.xx.xx.xx domain netmask 255.255.255.255 
    static (inside,outside) 2xx.xx.xx.xx 192.168.0.8 netmask 255.255.255.255 
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2xx.xx.xx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authorization command LOCAL 
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Myset esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto dynamic-map outside_dyn_map 20 set transform-set Myset
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs 
    crypto map outside_map 1 set peer 7x.xx.xx.xx 
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address 
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000 
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd update dns 
    !
    dhcpd address 192.168.0.60-192.168.0.69 inside
    dhcpd dns 200.160.127.4 192.168.0.1 interface inside
    dhcpd domain e-provider interface inside
    dhcpd update dns interface inside
    !
    
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny 
      inspect sunrpc 
      inspect xdmcp 
      inspect sip 
      inspect netbios 
      inspect tftp 
    !
    service-policy global_policy global
    group-policy PSAOHOME internal
    group-policy PSAOHOME attributes
     dns-server value 192.168.0.1 2xx.xx.xx.xx
     vpn-idle-timeout 30
     vpn-tunnel-protocol IPSec 
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value PSAOHOME_splitTunnelAcl_1
     default-domain value e-provider
    username rodrigo password 0NXpGcBjykYrd3.x encrypted privilege 15
    username andre password eeFqtwZW7zjTAtcw encrypted privilege 15
    tunnel-group 7x.xx.xx.xx type ipsec-l2l
    tunnel-group 7x.xx.xx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group PSAOHOME type ipsec-ra
    tunnel-group PSAOHOME general-attributes
     address-pool PSAO
     default-group-policy PSAOHOME
    tunnel-group PSAOHOME ipsec-attributes
     pre-shared-key *
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context 
    Cryptochecksum:c0559cceb3d843497a296e78d700a968
    : end
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    Thanks

    Rodrigo
    Last edited by AndyJG247; 16th March 2009, 17:33.

  • #2
    Re: Cisco ASA Translation (WAS: Re: ASA 5505 Port Forwarding, NAT error)

    I've moved your post to a new thread. Even if you think they are the same problem, please do not hijack another person's thread.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco ASA Translation (WAS: Re: ASA 5505 Port Forwarding, NAT error)

      Sorry, I'm desperate!



      • #4
        Re: Cisco ASA Translation (WAS: Re: ASA 5505 Port Forwarding, NAT error)

        If you are wanting inbound connections for HTTP and DNS then my first question is why DNS?

        Secondly, you have:

        Code:
        access-list outside_access_in extended permit ip any any
        which is allowing all traffic. You need to remove this ASAP.

        thirdly, you have:

        Code:
        access-list outside_access_in extended permit tcp any host 192.168.0.13 eq www 
        access-list outside_access_in extended permit tcp any host 192.168.0.8 eq domain
        The above won't work (on this software version an inbound ACL on the outside interface has to reference the translated public address, not the internal address), so they can be removed.
        Code:
        access-list outside_access_in extended permit tcp any host 2xx.xx.xx.xx eq www 
        access-list outside_access_in extended permit tcp any host 2xx.xx.xx.xx eq domain 
        access-group outside_access_in in interface outside
        The above are correct and should allow HTTP and "TCP" DNS (which, by the way, does not cover normal lookups, as those use UDP).

        Below you have your statics, which reference UDP DNS, but the ACLs above don't.

        Code:
        static (inside,outside) tcp 2xx.xx.xx.xx www 192.168.0.13 www netmask 255.255.255.255 
        static (inside,outside) tcp 2xx.xx.xx.xx domain 192.168.0.8 domain netmask 255.255.255.255 
        static (inside,outside) udp 2xx.xx.xx.xx domain 192.168.0.8 domain netmask 255.255.255.255
        The above are "mapping" the public IP to different internal IP addresses (which is fine; just make sure they are the correct internal IP addresses).

        Code:
        static (outside,inside) tcp 192.168.0.8 domain 2xx.xx.xx.xx domain netmask 255.255.255.255 
        static (outside,inside) udp 192.168.0.8 domain 2xx.xx.xx.xx domain netmask 255.255.255.255 
        static (inside,outside) 2xx.xx.xx.xx 192.168.0.8 netmask 255.255.255.255
        You don't need these ones. Statics can be remembered as "static (inside,outside) outside inside", i.e. the outside (mapped) address comes first and the inside (real) address second. The last entry is a full IP-to-IP mapping, so you need to decide whether you want to map the whole public IP to .0.8, in which case you can't map any specific ports elsewhere. I would remove these entries.
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?

