03-14-2007 09:37 PM - edited 03-11-2019 02:46 AM
Hi, I'm trying to set up PAT on an ASA550 for host on the inside but I'm not able to. Here's my config. please help
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
names
name 192.168.1.10 WebServer description Inside Web Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service NetMeeting tcp
description NetMeeting Ports
port-object eq 1503
port-object eq 1731
port-object eq 522
port-object eq h323
port-object eq ldap
access-list outside_access_in extended permit tcp any host WebServer eq ftp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp WebServer ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
03-14-2007 11:10 PM
I see that you already have PAT setup for the inside segment based on these lines:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Are you able to ping the gateway from the client having the issues? (Make sure to enable ICMP for the inside interface "icmp permit any inside")Are you able to ping 4.2.2.2 from the host? Can you reach yahoo.com using it's IP on a broswer? (The IP is: 209.131.36.158)
03-15-2007 01:48 PM
please add :
interface Ethernet0/1
switchport access vlan1
hth
Sushil
03-15-2007 01:49 PM
oops.please make it
interface Ethernet0/1
switchport access Vlan1
:)
03-21-2007 10:08 AM
No matter how many times I attempt to run Switchport access Vlan1 it just simply does not stick! However this is the output of 'sh switch vlan':
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside up Et0/0
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.100.99.999 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
no nameif
no security-level
no ip address
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
What's up with that?
03-21-2007 10:21 AM
Vlan 1 is the native vlan, by default all port are on vlan 1 unless they get assigned to other VLans and that's why when you assign a port to vlan 1 it does not show on config.
03-15-2007 09:33 PM
I configured the ICMP and it works, what I'm trying to do is to connect to my ftp server from outside. I have a daynamic IP which I get from my ISP, I have used PAT to translate the outside interface to my FTP serve and when I try this is what's logged by syslog
Denied by access-group "outside_access_in" [0x0, 0x0]
03-15-2007 03:58 PM
you have to add icmp to your inspection rules for ping to work. Also you have auto config on your dhcp scope without specifying a DNS server.. Try
dns domain-lookup outside
dns server-group group
name-server 4.2.2.1
03-21-2007 12:08 PM
You cannot refer to webserver in your acl by it's inside address. (192.168.1.10)
access-list outside_access_in extended permit tcp any host WebServer eq ftp
should be...
access-list outside_access_in extended permit tcp any interface outside eq ftp
please rate if it helped
03-22-2007 05:56 AM
Do your clients not get assigned an IP address? Is the DHCPclient service ON? Is the firewall OFF? Any IPsec on windows clients?
What is sh xlate , sh conn showing.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: