Cisco ASA Nat

  • Cisco ASA Nat

    Hi

    I need some help with this ASA 5510.
    I can access the internet from internal but NAT is not working.
    Need to have the public access our web servers.

    What am I doing wrong here?

    internal net: 192.168.7.0 / 255.255.255.0
    external net: xx.xx.150.2 - xx.xx.150.6 (that's 5 external IPs)
    GW: xx.xx.150.1

    Thanks in advance everyone!
    Mike

    Code:
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address xx.xx.150.6 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.7.254 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    
    ftp mode passive
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit tcp any host xx.xx.150.6 eq www
    access-list outside_access_in extended permit tcp any host xx.xx.150.5 eq www
    access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq www
    access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq https
    
    global (outside) 1 xx.xx.150.2
    nat (inside) 1 0.0.0.0 0.0.0.0
    
    static (inside,outside) tcp xx.xx.150.6 www 192.168.7.250 www netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.150.5 www 192.168.7.250 www netmask 255.255.255.255
    static (inside,outside) xx.xx.150.4 192.168.7.250 netmask 255.255.255.255
    
    access-group outside_access_in in interface outside
    
    route outside 0.0.0.0 0.0.0.0 xx.xx.150.1 1
    
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.7.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet Maker 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:2949e8f4abd9bb288b5df85ea8bc9c73
    : end

  • #2
    Re: Cisco ASA Nat

    You can't map two public IPs to the same internal server for a single port, plus you have also then mapped the same internal server completely to another IP.

    Code:
    static (inside,outside) tcp xx.xx.150.6 www 192.168.7.250 www netmask 255.255.255.255
    static (inside,outside) tcp xx.xx.150.5 www 192.168.7.250 www netmask 255.255.255.255
    static (inside,outside) xx.xx.150.4 192.168.7.250 netmask 255.255.255.255
    Which public IP do you want this server to be published on? Is it only going to publish web services?

    If we use .4 as an example then you would only need these for publishing www and https on that IP.

    Code:
    static (inside,outside) xx.xx.150.4 192.168.7.250 netmask 255.255.255.255
    access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq www
    access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq https
    access-group outside_access_in in interface outside
    The above maps every port (for want of a better explanation), so you could add additional lines to the ACL to allow port 25 etc., and they would also work.
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco ASA Nat

      Hi Andy, thanks for the quick reply.

      I got it working a few hours ago. Yes I do need bigger glasses.

      .5 and .6 are supposed to go to .251 and .252 for www

      I also changed
      Code:
      global (outside) 1 interface
      and
      Code:
      static (inside,outside) tcp interface www 192.168.7.252 www netmask 255.255.255.255
      Great explanation on the NAT & PAT btw, and thanks again for pointing out my stupid mistake.

      Mike

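Andy's diagnosis in #2 (the same inside host and port published under two public addresses, on top of a one-to-one static that already maps that host completely) and Mike's fix in #3 can both be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small consistency checker for ASA 8.2-style `static (inside,outside)` and outside ACL lines. It parses the posted lines, resolves the `interface` keyword to the outside address, and reports (a) duplicate inside host:port publications, (b) port-level statics overlapping a one-to-one static for the same host, and (c) an ACL permit with no static behind it, which is the case a practitioner usually wants flagged next. The `FIXED` set is constructed from post #3 (.5 to .251, the interface address to .252), and the `xx.xx.150.x` placeholders are kept as posted.

```python
"""Consistency checker for ASA 8.2-style static NAT/PAT and outside ACL lines.

Added example, not from the thread or from Cisco. Sample configs below are
constructed from the posts; "xx.xx.150.x" placeholders are kept as posted.
"""
from dataclasses import dataclass
from typing import List, Optional

PORTS = {"www": 80, "https": 443, "smtp": 25}


def port_num(name: str) -> int:
    """Resolve an ASA port keyword or numeric string to an integer."""
    return PORTS.get(name) or int(name)


@dataclass(frozen=True)
class Static:
    proto: Optional[str]      # None = one-to-one static (all ports/protocols)
    public: str
    pub_port: Optional[int]
    private: str
    priv_port: Optional[int]


@dataclass(frozen=True)
class AclEntry:
    proto: str
    dst: str
    port: Optional[int]


def parse_static(line: str, outside_ip: str) -> Optional[Static]:
    """Parse 'static (inside,outside) [tcp PUB PPORT PRIV LPORT | PUB PRIV] netmask ...'.
    The keyword 'interface' is resolved to the outside interface address."""
    t = line.split()
    if t[:2] != ["static", "(inside,outside)"] or "netmask" not in t:
        return None
    body = t[2:t.index("netmask")]
    if len(body) == 5 and body[0] in ("tcp", "udp"):
        proto, pub, pport, priv, lport = body
        pub = outside_ip if pub == "interface" else pub
        return Static(proto, pub, port_num(pport), priv, port_num(lport))
    if len(body) == 2:
        pub, priv = body
        return Static(None, outside_ip if pub == "interface" else pub, None, priv, None)
    raise ValueError(f"unrecognised static line: {line}")


def parse_acl(line: str) -> Optional[AclEntry]:
    """Parse 'access-list NAME extended permit PROTO any host DST [eq PORT]'."""
    t = line.split()
    if t[:1] != ["access-list"] or "host" not in t:
        return None          # e.g. the icmp echo-reply line has no host target
    port = port_num(t[t.index("eq") + 1]) if "eq" in t else None
    return AclEntry(t[4], t[t.index("host") + 1], port)


def static_covers(s: Static, a: AclEntry) -> bool:
    """True when static s translates the destination the ACL entry permits."""
    if s.public != a.dst:
        return False
    if s.proto is None:                       # one-to-one: every port works
        return True
    return s.proto == a.proto and s.pub_port == a.port


def check_config(lines: List[str], outside_ip: str) -> List[str]:
    """Return human-readable findings; an empty list means the set is consistent."""
    statics = [s for s in (parse_static(ln, outside_ip) for ln in lines) if s]
    acls = [a for a in map(parse_acl, lines) if a]
    findings, seen = [], {}
    for s in statics:                          # (a) duplicate inside host:port
        if s.proto is None:
            continue
        key = (s.private, s.proto, s.priv_port)
        if key in seen:
            findings.append(f"{s.private} {s.proto}/{s.priv_port} already published "
                            f"as {seen[key]}; cannot also publish it as {s.public}")
        else:
            seen[key] = s.public
    full = {s.private: s.public for s in statics if s.proto is None}
    for s in statics:                          # (b) port static overlaps 1:1 static
        if s.proto and s.private in full:
            findings.append(f"{s.private} is already fully mapped to {full[s.private]}; "
                            f"port static via {s.public} overlaps it")
    for a in acls:                             # (c) ACL permit with no translation
        if not any(static_covers(s, a) for s in statics):
            findings.append(f"ACL permits {a.proto}/{a.port} to {a.dst} "
                            f"but no static translates that address")
    return findings


ORIGINAL = [  # as posted in the question
    "access-list outside_access_in extended permit icmp any any echo-reply",
    "access-list outside_access_in extended permit tcp any host xx.xx.150.6 eq www",
    "access-list outside_access_in extended permit tcp any host xx.xx.150.5 eq www",
    "access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq www",
    "access-list outside_access_in extended permit tcp any host xx.xx.150.4 eq https",
    "static (inside,outside) tcp xx.xx.150.6 www 192.168.7.250 www netmask 255.255.255.255",
    "static (inside,outside) tcp xx.xx.150.5 www 192.168.7.250 www netmask 255.255.255.255",
    "static (inside,outside) xx.xx.150.4 192.168.7.250 netmask 255.255.255.255",
]
FIXED = ORIGINAL[:5] + [  # constructed from post #3: .5 -> .251, interface (.6) -> .252
    "static (inside,outside) tcp xx.xx.150.5 www 192.168.7.251 www netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 192.168.7.252 www netmask 255.255.255.255",
    "static (inside,outside) xx.xx.150.4 192.168.7.250 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: {check_config(cfg, 'xx.xx.150.6') or ['no findings']}")
```

Running it reports three findings for the posted config (the duplicate www publication of 192.168.7.250 and the two port statics overlapping its one-to-one mapping to .4) and none for the corrected set. Check (c) also shows Andy's last point: an extra ACL line for port 25 to .4 is covered by the one-to-one static, while the same line for .5 would be flagged because only www is translated there.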


      • #4
        Re: Cisco ASA Nat

        No probs, thanks for posting back your fix.
        cheers
        Andy
