ASA5505 Traffic

Unanswered Question
Jan 11th, 2008
User Badges:

I want users on the inside 192.168.1.0 to access any resource on the outside 10.15.0.0 and then allow selective users on 10.15.0.0 to access resources on 192.168.1.0.


Is it possible to do it? Running config is as follows:


ASA Version 7.2(3)

!

hostname RRT

domain-name

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0


interface Vlan2

nameif outside

security-level 0

ip address 10.15.10.150 255.0.0.0


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7


passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 10.15.10.12 10.15.10.11

dhcpd wins 10.15.10.12 10.15.10.11

dhcpd domain

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside


class-map inspection_default

match default-inspection-traffic


policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global

ntp server 168.206.10.10 source outside prefer

prompt hostname context

Cryptochecksum:xxx

: end



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pjhenriqs Fri, 01/11/2008 - 05:45
User Badges:

Hi,


I am not sure I am understanding the problem correctly but at the moment you are NATing the inside network to the outside interface. By default all traffic from the inside to the outside is allowed by default.


To allow access from the outside to the inside you will have to do static NATs of the servers/machines you want to access.

For example:


static (inside,outside) 10.15.0.2 192.168.1.2 netmask 255.255.255.255 0 0


... and then allow the traffic you want to this 10.15.0.2 address:


access-list outside_access_in permit tcp any host 10.15.0.2 eq http


Hope this helps,

Paulo

Actions

This Discussion