08-25-2008 12:26 AM - edited 03-11-2019 06:35 AM
Hi,
I am looking to map one of the internal hosts to a public IP.
Statically NATted the internal IP with a public IP; somehow no luck accessing the host publicly. Internet is working perfectly with PAT.
Find attached the running config and suggest what all I am missing.
Reg,
Sushil
08-25-2008 05:22 AM
Try it like this:
static (inside,outside) interface 192.168.0.10 netmask 255.255.255.255
If it didn't work, keep it like this and change the ACL to:
access-list outside_in extended permit tcp any interface outside
If you want to make the NAT a static PAT, for example to only map HTTP, do it like:
static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
and in your ACL permit only 80.
Add a line for each additional port you want.
This is optional.
Good luck.
Please, if helpful, rate.
08-25-2008 06:01 AM
Marwan, here I have three additional IPs in addition to what is there on the outside interface.
So all internal hosts are PATted to a public IP, say 1.1.1.1, using the global command.
Now say there are three additional public IPs 1.1.1.2, 1.1.1.3 and 1.1.1.4, which are to be accessed from outside. So I want to statically NAT them with 192.168.0.10, 192.168.0.20 and 192.168.0.30 respectively.
In your above config I am not able to understand what the (inside,outside) interface 192.168.0.10 will do?
And why change the ACL to extended permit tcp any interface outside?
Here I need some more suggestion: should I upgrade the IOS? Presently running 7.0.
08-25-2008 07:03 AM
OK, now the view is different.
I meant with "interface" to use the one public IP which is the one applied to your outside interface,
but as you updated me, you have several IPs,
so you just need to do like:
static( inside, outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255
static( inside, outside) 1.1.1.3 192.168.0.20 netmask 255.255.255.255
static( inside, outside) 1.1.1.4 192.168.0.30 netmask 255.255.255.255
In your ACL you can be specific to allow only specific ports to each server, but for the example I will allow any IP connection:
access-list 100 permit ip any host 1.1.1.2
access-list 100 permit ip any host 1.1.1.3
access-list 100 permit ip any host 1.1.1.4
access-group in interface outside
Good luck.
If helpful, rate.
08-26-2008 01:48 AM
It is somehow not working. Once I add the static command, the internet on that particular internal IP, i.e. 192.168.0.10, also stops working. If I remove it, it works perfectly. See the config below I configured:
ASA Version 8.0(3)
!
hostname ciscoasa
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0
!
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 122.160.77.125
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
Reg,
Sushil
08-26-2008 05:18 AM
What are those IPs?
access-list outside_in extended permit tcp any host 122.160.77.125
static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255
I mean 1.1.1.2 and 122.160.77.125.
The public IP should be in place of the 1.1.1.2 and also placed in your outside ACL permit!!
08-26-2008 05:38 AM
Sorry, typo mistake.
It is 1.1.1.2 indeed.
Don't know why I am not getting this to work at all..
Any suggestion/troubleshooting tip?
08-26-2008 05:44 AM
OK, just make it as I told you and as you have done,
with the right ACL,
like:
static(inside, outside) [ur public IP] [internal ip] netmask 255.255.255.255
access-list 100 permit ip any host [the public ip in the nat]
access-group 100 in interface outside
Then do the following to get the ASA to update the NAT:
clear xlate
then RELOAD your ASA,
then test it and tell me :)
Good luck.
08-27-2008 11:18 PM
Even after doing clear xlate and clear arp it's not coming up.
Does it make any difference going for a standard or extended ACL?
Frustrating...
Any other pointer you can give?
08-28-2008 02:23 AM
Try to reload please.
08-30-2008 08:30 AM
Hi Sushil,
I have not gone through the complete forum, but I understand you are mapping an internal machine to a public IP address and you are able to access that machine from the internet.
I have looked at the configuration; it looks good. You have a configuration of something like:
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0
static (inside,outside) 1.1.1.2 192.168.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host 122.160.77.125
You forgot to change the IP address on the access-list; therefore I believe your real public IP address is 122.160.77.125.
Now, we need to concentrate on the below 3 lines:
static (inside,outside) 122.160.77.125 192.168.0.10 netmask 255.255.255.255
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host 122.160.77.125
Now, on the internet people will hit 122.160.77.125 to access 192.168.0.10.
Configuration is good. Please look for the following:
* What is the default gateway of machine 192.168.0.10? It should be the inside interface of the firewall, which is 192.168.0.1.
If the default gateway is incorrect, when users from the internet try to access 192.168.0.10, then it replies to its default gateway.
* See if 192.168.0.10 can ping the inside interface of the firewall or not. With this we will be able to narrow down that our internal networking is fine.
* If the above settings are fine and still it's not working, then please collect the real-time logs on the ASA and you will get the clue
whether the issue is on the internet side or somewhere on the inside.
Logs will let you know whether users from the internet are able to hit the public IP address of the machine 192.168.0.10.
If you are able to get any clue, please upload the logs; I will check it for you.
Regards,
Manjeet
Hope this helps. Rate if it works.
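The two behaviours Manjeet's post relies on, that a pre-8.3 ASA (the thread runs 8.0(3)) evaluates the inbound interface ACL against the mapped public address and that a static entry takes precedence over the nat/global pair for the host it covers, can be modelled in a few lines. The following is an added example written for this thread, not code from Cisco or from any poster; the `Asa`, `Static` and `AclEntry` classes and the packets fed to them are constructed for illustration, and the idea that an unrouted mapped address could explain 192.168.0.10 losing internet access is an assumption to check, not something the thread confirms.

```python
"""Toy model of pre-8.3 ASA translation order and inbound ACL matching.

Added example for this thread; not Cisco code and not the thread's own config.
Modelled rules (ASA 8.0): static translations win over dynamic nat/global, and
an inbound interface ACL matches the mapped (public) address, not the real one.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Static:
    mapped: str  # public IP in `static (inside,outside) MAPPED REAL ...`
    real: str    # inside IP


@dataclass
class AclEntry:
    proto: str                 # 'ip' or 'tcp'
    dst: str                   # host address permitted as destination
    dport: Optional[int] = None  # None = any port


@dataclass
class Asa:
    outside_ip: str                       # address on the outside interface
    statics: List[Static] = field(default_factory=list)
    outside_in: List[AclEntry] = field(default_factory=list)

    def outbound_translation(self, real_src: str) -> Tuple[str, str]:
        """Source address a packet from real_src leaves with, and why."""
        # Static entries are bidirectional and are consulted before the
        # `nat (inside) 1 ... / global (outside) 1 interface` pair.
        for s in self.statics:
            if s.real == real_src:
                return s.mapped, "static"
        return self.outside_ip, "dynamic PAT to interface"

    def inbound(self, proto: str, dst_ip: str, dport: int) -> Tuple[Optional[str], str]:
        """Real inside host reached by a packet to dst_ip, or None with the reason."""
        # ACL first, evaluated on the mapped (public) destination address.
        permitted = any(
            e.dst == dst_ip
            and (e.proto == "ip" or e.proto == proto)
            and (e.dport is None or e.dport == dport)
            for e in self.outside_in
        )
        if not permitted:
            return None, "denied by outside_in ACL"
        for s in self.statics:
            if s.mapped == dst_ip:
                return s.real, "static untranslate"
        return None, "no translation for mapped address"


def as_posted() -> Asa:
    """Sushil's 08-26 config: static to 1.1.1.2, ACL permitting 122.160.77.125."""
    return Asa("1.1.1.1",
               statics=[Static("1.1.1.2", "192.168.0.10")],
               outside_in=[AclEntry("tcp", "122.160.77.125")])


def corrected() -> Asa:
    """Same static, ACL pointing at the mapped address and limited to TCP/80."""
    return Asa("1.1.1.1",
               statics=[Static("1.1.1.2", "192.168.0.10")],
               outside_in=[AclEntry("tcp", "1.1.1.2", 80)])


if __name__ == "__main__":
    # Constructed packets: a web client on the internet hitting the mapped IP,
    # and the inside host itself going out.
    for name, asa in (("as posted", as_posted()), ("corrected", corrected())):
        print(name, "inbound tcp/80 ->", asa.inbound("tcp", "1.1.1.2", 80))
        print(name, "inbound tcp/22 ->", asa.inbound("tcp", "1.1.1.2", 22))
        print(name, "outbound from .10 ->", asa.outbound_translation("192.168.0.10"))
        print(name, "outbound from .20 ->", asa.outbound_translation("192.168.0.20"))
```

Running it shows the posted config rejecting inbound connections at the ACL because the permit names a different address than the static, and it shows that once the static exists, 192.168.0.10 no longer leaves as 1.1.1.1 but as 1.1.1.2, while 192.168.0.20 still uses PAT. That second point is the one to verify on the real box with `show xlate` and the ASA logs: if the upstream does not route 1.1.1.2 back to the firewall, outbound traffic from the host would break exactly as Sushil describes.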
09-01-2008 03:55 AM
Hi Manjeet,
The default gateway is indeed the inside interface of the firewall.
Yes, I can ping the inside interface of the firewall from 192.168.0.10.
This machine is not able to go to the internet once I configure the static entry with 192.168.0.10.
I will collect the logs and will let you know.
Reg,
Sushil