translation issues

Unanswered Question
Mar 15th, 2007

Hello,

I've just started working with Cisco PIX firewalls. I currently have a question I need to ask regarding a client's requirement. There is a server behind the firewall with an outside address of 10.1.2.113 which resolves to 192.168.136.1 on the inside. Now he requested for them to be able to access that server from a box in another DMZ (10.1.0.50). This has been done. The problem now is, he claims he has a DNS server that resolves a particular domain to 192.168.136.1, and for that reason he's stuck. So he wants to be able to access the 192.168.136.1 address directly, rather than the 10.1.2.113. I honestly can't imagine how that can be possible, but I don't feel confident enough to tell him that. So I need you guys to help me out here. Is it possible?

achalante Thu, 03/15/2007 - 07:23

ASA Version 7.1(2)
!
names
name 192.168.136.1 FP1
name 192.168.136.3 FP2
name 192.168.136.5 EX1
name 192.168.136.7 EX2
name 10.1.2.113 FP1-external
name 10.1.2.114 FP2-external
name 192.168.0.10 TDA-Mimesweeper
name 192.168.136.33 TDA-D-directors-printer
name 192.168.136.6 EX1-KVMoverIP
name 192.168.136.8 EX2-KVMoverIP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.2.112 255.255.255.0 standby 10.1.2.127
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.136.254 255.255.255.0 standby 192.168.136.253
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd YgWfxiFVNRbXU0m1 encrypted
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name nrt.local
object-group network TDA-D-servers
 network-object host EX2-external
object-group network TDA-D-servers_real
 network-object EX2 255.255.255.255
object-group network TDA-domain-controllers
 network-object host 10.1.0.25
 network-object host 10.1.0.26
object-group network TDA-D-domain-controllers
 network-object host FP1-external
 network-object host FP2-external
object-group network TDA-internal-networks
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0

achalante Thu, 03/15/2007 - 07:23

access-list outside extended permit tcp host lanz object-group TDA-D-servers eq 3389
access-list outside extended permit tcp host TDA-D-MailMarshal host EX1-external eq smtp
access-list outside extended permit tcp any host EX1-external eq www
access-list outside extended permit tcp any host EX1-external eq https
access-list outside extended permit tcp host TDA-Exchange host EX1-external eq smtp
access-list outside extended permit icmp host lanz object-group TDA-D-servers
access-list outside extended permit tcp host lanz host EX1-external eq smtp
access-list outside extended permit ip host lanz host 10.1.2.117
access-list outside extended permit ip host lanz host 10.1.2.118
access-list outside extended permit tcp host TDA-Mimesweeper host FP1-external eq 3268
access-list outside extended permit udp host TDA-Mimesweeper host FP1-external eq 3268
access-list outside extended permit tcp host TDA-Mimesweeper host FP2-external eq 3268
access-list outside extended permit udp host TDA-Mimesweeper host FP2-external eq 3268
access-list outside extended permit ip host TDA-Mimesweeper host FP1-external
access-list outside extended permit ip host TDA-Mimesweeper host FP2-external
access-list outside extended permit ip host 10.1.2.10 host FP1-external
access-list outside extended permit ip host 10.1.2.10 host FP2-external
access-list outside extended permit ip object-group TDA-domain-controllers object-group TDA-D-domain-controllers
access-list outside extended permit ip host 192.168.0.11 host FP1-external
access-list outside extended permit ip host 192.168.0.11 host FP2-external
access-list outside extended permit tcp object-group TDA-internal-networks host FP1-external eq 445
access-list outside extended permit udp object-group TDA-internal-networks host FP1-external eq 445
access-list outside extended permit ip host 10.1.0.33 host 10.1.2.119
access-list outside extended permit ip host 10.1.0.33 host 10.1.2.120
access-list outside extended permit ip host 10.1.0.33 host FP1-external
access-list outside extended permit ip host 10.1.0.33 host FP2-external
access-list outside extended permit ip host 10.1.0.50 host FP1-external
access-list outside extended permit ip host 10.1.0.50 host EX1-external
access-list inside_nat0_outbound extended permit ip 192.168.136.0 255.255.255.0 192.168.138.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 192.168.136.0 255.255.255.0
access-list TTA_NRG_TG1_splitTunnelAcl standard permit 192.168.136.0 255.255.255.0
pager lines 24
logging trap debugging
logging asdm informational
logging host inside 192.168.136.141
logging host inside FP1
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Tpool 192.168.138.1-192.168.138.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.136.0 255.255.255.0
nat (inside) 1 192.168.137.0 255.255.255.0
static (inside,outside) FP1-external FP1 netmask 255.255.255.255
static (inside,outside) FP2-external FP2 netmask 255.255.255.255
static (inside,outside) EX1-external EX1 netmask 255.255.255.255
static (inside,outside) EX2-external EX2 netmask 255.255.255.255
static (inside,outside) 10.1.2.117 EX1-KVMoverIP netmask 255.255.255.255
static (inside,outside) 10.1.2.118 EX2-KVMoverIP netmask 255.255.255.255
static (inside,outside) 10.1.2.119 TDA-D-directors-printer netmask 255.255.255.255
static (inside,outside) 10.1.2.120 192.168.136.11 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.2.1 1
route outside 10.1.0.0 255.255.0.0 10.1.2.6 1
route inside 192.168.137.0 255.255.255.0 192.168.136.250 1

vitripat Thu, 03/15/2007 - 09:41

Hi there ..

Let me rephrase the requirements:

- you have a server behind PIX 192.168.136.11, which is mapped to outside as 10.1.2.120

- currently everyone from outside can access the server using 10.1.2.120 IP address

- however you need that 10.1.0.0/24 network should be able to access the server using 192.168.136.11 IP address

Let me know if I'm on the right track. We can make it work using the following commands:

-> access-list inside_nat0_outbound permit ip host 192.168.136.11 10.1.0.0 255.255.255.0

-> access-list outside permit ip 10.1.0.0 255.255.255.0 host 192.168.136.11

-> clear xlate

Let me know if this works.

Currently I have opened IP in the following ACL, but you can lock it down as per your requirements:

access-list outside permit ip 10.1.0.0 255.255.255.0 host 192.168.136.11

Hope that helps.

Regards,

Vibhor.
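As an added illustration (not part of the thread, and not ASA code), here is a small Python model of the PIX/ASA 7.x outside-to-inside path that applies vitripat's two lines to the original poster's addresses, which are assumed: FP1 at 192.168.136.1 behind the static 10.1.2.113, and the DMZ box 10.1.0.50. It shows why a packet sent straight to 192.168.136.1 is dropped before the change and delivered after it.

```python
import ipaddress

# Constructed, simplified model of the PIX/ASA 7.x outside->inside path discussed
# in this thread: the outside ACL is checked first (on the address the outside
# host actually sends to), then a translation is looked up (static or nat 0
# exemption); with no translation the packet is dropped. The config data below
# is hypothetical and reuses only the addresses from the original question.

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def acl_permits(acl, src, dst):
    """acl: ordered list of (action, src_net, dst_net); first match wins, implicit deny."""
    for action, s, d in acl:
        if in_net(src, s) and in_net(dst, d):
            return action == "permit"
    return False

def translate(statics, nat0, src, dst):
    """Return the real inside address the packet reaches, or None if no xlate exists."""
    if dst in statics:                      # static (inside,outside) mapped -> real
        return statics[dst]
    for real_net, peer_net in nat0:         # nat (inside) 0 access-list <exemption>
        if in_net(dst, real_net) and in_net(src, peer_net):
            return dst                      # exempt: real address reachable untranslated
    return None

def inbound(acl, statics, nat0, src, dst):
    if not acl_permits(acl, src, dst):
        return "dropped: outside ACL deny"
    real = translate(statics, nat0, src, dst)
    if real is None:
        return "dropped: no translation group found"
    return "delivered to " + real

# Hypothetical state before the fix: the FP1 static plus the existing permit for 10.1.0.50.
STATICS = {"10.1.2.113": "192.168.136.1"}
ACL_BEFORE = [("permit", "10.1.0.50/32", "10.1.2.113/32")]
NAT0_BEFORE = []

# After vitripat's two lines, applied to FP1: a NAT exemption for 192.168.136.1 <-> 10.1.0.0/24
# plus an outside ACL entry that names the real, untranslated inside address.
ACL_AFTER = ACL_BEFORE + [("permit", "10.1.0.0/24", "192.168.136.1/32")]
NAT0_AFTER = [("192.168.136.1/32", "10.1.0.0/24")]

if __name__ == "__main__":
    for acl, nat0 in ((ACL_BEFORE, NAT0_BEFORE), (ACL_AFTER, NAT0_AFTER)):
        print(inbound(acl, STATICS, nat0, "10.1.0.50", "10.1.2.113"))
        print(inbound(acl, STATICS, nat0, "10.1.0.50", "192.168.136.1"))
```

The mapped address keeps working in both states; the ACL line alone is not enough, because without the exemption the firewall still has no translation for the real address.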
