From outside to inside access (number of static maps)

Answered Question
Nov 16th, 2008

Hi

I have two offices, A and B. A is the head office, which has 200 users, and office B has 300 users.

From A to B connection scenario:

B office - Router - outside [FW] inside - A office.

------------------

My goal is that all users from office B can access all PCs in office A. As office A is behind the ASA, I need 200 static maps.

As usual we do point-to-point static maps.

It's easy for some of the servers or user PCs.

As in my scenario a lot of PCs need access, it's difficult to configure 200 static maps. So is there any other way?

Regards

Biplob


Mo'ath Al Rawashdeh Mon, 11/17/2008 - 01:23

Is there an ISP link between the two offices?


If yes, is there a VPN tunnel established between the two offices?


If yes, you may use NAT zero.

biplobkhan Mon, 11/17/2008 - 03:10

Hi

Thanks.

No ISP link. The two offices are connected via VSAT; there is no VPN tunnel between the two offices.

At present 5 servers are static mapped. But the decision now is that all PCs of office A should be available to office B, but the traffic comes through the firewall. So I need 195 more static maps?

Thanks

Biplob


Mo'ath Al Rawashdeh Mon, 11/17/2008 - 03:26

Not really. Use NAT zero and that's it.


But you have to modify your ACLs on the firewall as well to allow the traffic between the 2 offices.


Cheers.

biplobkhan Mon, 11/17/2008 - 22:38

Hi

I am confused. Please clarify.

Present scenario example:

pix outside IP: 192.168.10.1

pix inside IP : 192.168.40.10

ACL 101 permit tcp any any

ACL 101 permit icmp any any

static (outside,inside) 192.168.10.11 192.168.40.11 0 0

access-group 101 in interface outside

**As users from my office do not connect to the internet, that is why NAT is configured like this here.

As per your suggestion, if I configure

nat (inside) 0 192.168.40.0 255.255.255.0

then I do not need any static map?

Office B (172.16.20.X) can access office A (192.168.40.X) without any mapping?

And can ping 192.168.40.X directly?

----Can you give me a sample configuration?---

Regards

Biplob

Mo'ath Al Rawashdeh Tue, 11/18/2008 - 00:40

Hi Biplob,


Yes, but don't use:

nat (inside) 0 192.168.40.0 255.255.255.0


since you still need traffic going from office A to the internet to be NATed.


So use an ACL like below:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0


nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE


The config above allows users in office A to connect to office B. For office B users to connect to office A users, use the config below:


access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0


nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE


* Please use the rating system once your problem is solved.


Thanks,


Moath.

biplobkhan Tue, 11/18/2008 - 01:15

Hi

If I understand correctly, then according to your summary:

office B (172.16.20.0) - FW - office A (192.168.40.0)

Only office B users access office A, then:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

Office B users access office A and also users of office A connect to the Internet, then:

-------------------------------------------

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

Besides this, I do not need any other config?

Regards

Biplob


Mo'ath Al Rawashdeh Tue, 11/18/2008 - 01:27

Hi,


From office A to office B:


access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0


nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE


From office B to A:


access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0


nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE


Please configure all above to allow traffic from both offices.


"beside this i do not need any other config"


Please make sure that the traffic ACLs applied on the outside interface and inside interface (if any) allow the traffic between the 2 offices.

biplobkhan Tue, 11/18/2008 - 01:42

Hi

Thanks a lot. Now I am 90% clear. Now a little bit of confusion.

1. Your last line says --Please make sure that the traffic ACLs applied on the outside interface and inside interface--- by this line what do you mean? Is it regarding the access-group applied to the interface?

Do I not need any access-group?

2. You mention the examples

office A to office B:

office B to office A:

and both.

But if I need additionally:

Office B to office A, and office A connects to the Internet. That means office A users also connect to the internet; then what do I do?

Please give me an additional example, because I am worried that if I give the no-NAT exclusion for 192.168.40.0 then no user of office A can connect to the internet.

Sorry for taking your time.

Regards

Biplob



Mo'ath Al Rawashdeh Tue, 11/18/2008 - 01:51

Hi,


1- Traffic from outside to inside is denied by default, so you have to allow it in the ACL applied on the outside interface.


permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0


2- The reason why we used an ACL in the NAT zero statement was to exclude only traffic between the 2 offices from getting NATed.


But there should be another NAT statement for traffic from office A in order to allow it internet access.


If you are confused, please attach the firewall config so I can help you more.

biplobkhan Tue, 11/18/2008 - 02:16

I will implement it as a test and give you the result within some time.

biplobkhan Tue, 11/18/2008 - 02:44

The result is 0. I will send you the configuration of what I did. Please wait 5 min.

Mo'ath Al Rawashdeh Tue, 11/18/2008 - 03:29

Hi,


Show running access-group, then modify the ACL applied on the outside interface to allow office B's range to connect to office A's range.

biplobkhan Tue, 11/18/2008 - 04:11

Hi

I additionally did:

access-list 102 permit icmp any any

access-list 102 permit ip any any

access-group 102 in interface outside

Then also configured:

access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list 101 [this line gives a warning]

Regards

Biplob





Correct Answer
Mo'ath Al Rawashdeh Tue, 11/18/2008 - 04:44

on the firewall, please send me the output of "show logging | inc x"


where x is the IP address you are pinging from.


Mo'ath Al Rawashdeh Tue, 11/18/2008 - 05:59

Hi,


Please remove the settings you applied and try these:


access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0


nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE


Cheers

biplobkhan Tue, 11/18/2008 - 23:17

Hi

It's good news that your last prescription is right; I have reached my destination goal and my confusion is zero. Before this test I thought that outside users could access the inside only by static map.

Many thanks and warm regards to you for your cooperation with the test.

Be well, and see you next time.

Regards

Biplob
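Pulling the thread's pieces together: a constructed PIX/ASA 7.x-style configuration, added here and not posted by either participant, that combines the NAT exemption Moath recommends, a separate dynamic NAT so office A keeps internet access, and an outside ACL limited to office B's subnet instead of the "permit ip any any" applied during testing. Interface names, the NAT pool id 1 and the router address on the outside segment are assumptions; the subnets are the ones quoted in the thread.

```cisco
! Constructed example (not from the thread); PIX/ASA 7.x-era syntax.
! Subnets are the ones quoted in the thread; interface names are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.40.10 255.255.255.0
!
! Route to office B via the router on the outside segment.
! 192.168.10.2 is a PLACEHOLDER for the router address (not given in the thread).
route outside 172.16.20.0 255.255.255.0 192.168.10.2
!
! 1) NAT exemption (nat 0 with an ACL). Exemption is checked before any other
!    NAT rule and applies in both directions, so this single statement lets
!    office B reach office A's real 192.168.40.x addresses with no static maps.
access-list inside-to-outside-NAT-EXCLUDE extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
!
! 2) Everything else leaving office A (e.g. internet) is still translated:
!    dynamic PAT to the outside interface address. Pool id 1 is assumed.
nat (inside) 1 192.168.40.0 255.255.255.0
global (outside) 1 interface
!
! 3) Outside-to-inside is denied by default. Permit only office B's subnet to
!    office A's subnet rather than "any any", so nothing else on the outside
!    segment gains inbound access through the exemption.
access-list outside_access_in extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-group outside_access_in in interface outside
```

To check the result, "show xlate" should list no translation for an office B to office A connection, and "show logging | inc 172.16.20." (the check Moath asked for) shows whether a given office B host's connections are built or denied at the outside ACL.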

