Public ip on internal network

sushil
Level 1

Hi,

I am looking to map one of the internal hosts to a public IP.

Statically NATted the internal IP with the public IP. Somehow no luck accessing the host publicly. Internet is working perfectly with PAT.

Find attached the running config and suggest what all I am missing.

Reg,

Sushil

12 Replies

Marwan ALshawi
VIP Alumni

try it like this

static (inside,outside) interface 192.168.0.10 netmask 255.255.255.255

if it didn't work, keep it like this and change the ACL to

access-list outside_in extended permit tcp any interface outside

if u want to make the NAT a static PAT, for example to map only HTTP, do it like

static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255

and in ur ACL permit only 80

add a line for each additional port u want

this is optional

good luck

please, if helpful Rate

Marwan, here I have three additional IPs in addition to what is there on the outside interface.

So all internal hosts are PATted to the public IP, say 1.1.1.1, using the global command.

Now say there are three additional public IPs, 1.1.1.2, 1.1.1.3 and 1.1.1.4, which are to be accessed from outside. So I want to statically NAT them with 192.168.0.10, 192.168.0.20 and 192.168.0.30 respectively.

In your above config I am not able to understand what the (inside,outside) interface 192.168.0.10 will do?

And why change the ACL to extended permit tcp any interface outside?

Here I need some more suggestions: should I upgrade the IOS? Presently running 7.0.

ok now the view is different

i meant with interface that to use the one public ip which is the one applied to ur outside interface

but as u updated to me u have several IPs

so u just need to do like

static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.3 192.168.0.20 netmask 255.255.255.255

static (inside,outside) 1.1.1.4 192.168.0.30 netmask 255.255.255.255

in ur ACL u can be specific to allow only specific ports to each server but for the example i will allow any ip connection

access-list 100 permit ip any host 1.1.1.2

access-list 100 permit ip any host 1.1.1.3

access-list 100 permit ip any host 1.1.1.4

access-group 100 in interface outside

good luck

if helpful rate

It is somehow not working. Once I add the static command, the internet on that particular internal IP, i.e. 192.168.0.10, also stops working. If I remove it, it works perfectly. See the config I configured below:

ASA Version 8.0(3)

!

hostname ciscoasa

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.0.0

!

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxx

boot system disk0:/asa803-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_in extended permit tcp any host 122.160.77.125

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255

access-group outside_in in interface outside

Reg,

Sushil

what r those IPs

access-list outside_in extended permit tcp any host 122.160.77.125

static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255

i mean 1.1.1.2 and 122.160.77.125

the public ip should be instead of the 1.1.1.2 and also placed in ur outside ACL permit!!

Sorry typo mistake.

It is 1.1.1.2 indeed.

Don't know why I am not getting this working at all.

Any suggestion/troubleshooting tip?

ok just make it as i told and as u have done

with the right ACL

like

static (inside,outside) [ur public IP] [internal ip] netmask 255.255.255.255

access-list 100 permit ip any host [the public ip in the nat]

access-group 100 in interface outside

then do the following to get the ASA update the NAT:

clear xlate

then RELOAD ur ASA

then test it and tell me :)

good luck


Even after doing clear xlate and arp it's not coming up.

Is there any difference between going for a standard or an extended ACL?

Frustrating...

Any other pointer you can give.

try to reload please

manjesin
Level 1

Hi Sushil,

I have not gone through the complete forum but I understand you are mapping an internal machine with a public IP address and you are able to access that machine from the internet.

I have looked at the configuration and it looks good. You have a configuration something like:

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.0.0

static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255

access-group outside_in in interface outside

access-list outside_in extended permit tcp any host 122.160.77.125

You forgot to change the IP address on the access-list, therefore I believe your real public IP address is 122.160.77.125

Now, we need to concentrate on the 3 lines below

static (inside,outside) 122.160.77.125 192.168.0.10 netmask 255.255.255.255

access-group outside_in in interface outside

access-list outside_in extended permit tcp any host 122.160.77.125

Now, on the internet people will hit 122.160.77.125 to access 192.168.0.10

Configuration is good. Please look for the following:

* What is the default gateway of machine 192.168.0.10? It should be the inside interface of the firewall, which is 192.168.0.1.

If the default gateway is incorrect, then when users from the internet try to access 192.168.0.10 it will reply to its default gateway.

* See if 192.168.0.10 can ping the inside interface of the firewall or not. With this we will be able to narrow down that our internal networking is fine.

* If the above settings are fine and still it's not working then please collect the real-time logs on the ASA and you will get the clue

whether the issue is on the internet or somewhere on the inside.

Logs will let you know whether users from the internet are able to hit the public IP address of the machine 192.168.0.10.

If you are able to get any clue, please upload the logs and I will check it for you.

Regards,

Manjeet

Hope this helps. Rate if works
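
The mismatch pointed out in the reply above (the outside ACL permits 122.160.77.125 while the static maps 1.1.1.2) can be caught mechanically. The following is an added example, not part of the original thread: a Python check for pre-8.3 ASA syntax, where the outside ACL matches the mapped address. The function name `audit_static_nat` and the sample text are constructed here, and only one-to-one `static` lines and `permit ... any host` entries are parsed.

```python
import re

# Constructed sample: the pre-8.3 ASA lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 122.160.77.125
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(rf"^static \((\w+),\s*(\w+)\) {IP} {IP}\b")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACE_RE = re.compile(rf"^access-list (\S+) (?:extended )?permit \S+ any host {IP}")


def audit_static_nat(config: str) -> list[str]:
    """Cross-check one-to-one static NAT entries against the inbound ACL."""
    statics, bound_acl, permits = [], {}, {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_RE.match(line):
            # Pre-8.3 order: (real_if,mapped_if) mapped_ip real_ip
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.append((mapped_if, mapped_ip, real_ip))
        elif m := GROUP_RE.match(line):
            bound_acl[m.group(2)] = m.group(1)
        elif m := ACE_RE.match(line):
            permits.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for mapped_if, mapped_ip, real_ip in statics:
        acl = bound_acl.get(mapped_if)
        if acl is None:
            findings.append(f"no inbound ACL on {mapped_if} for {mapped_ip}")
        elif mapped_ip not in permits.get(acl, set()):
            findings.append(f"{acl} has no permit for mapped IP {mapped_ip} (-> {real_ip})")
    mapped = {(iface, ip) for iface, ip, _ in statics}
    for iface, acl in bound_acl.items():
        for ip in sorted(permits.get(acl, set())):
            if (iface, ip) not in mapped:
                findings.append(f"{acl} permits {ip} but no static maps it on {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE_CONFIG):
        print(finding)
```
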

Hi Manjeet,

The default gateway is indeed the int interface of the firewall.

Yes, I can ping the internal interface of the firewall from 192.168.0.10.

This machine is not able to go to the internet once I configure a static entry with 192.168.0.10.

I will collect the logs and will let you know.

Reg,

Sushil
