From outside to inside access (number of static maps)

biplobkhan
Level 1

Hi

I have two offices, A and B. A is the head office, which has 200 users, and office B has 300 users.

From A to B connection scenario:

B office - Router - outside FW inside - A office.

------------------

My goal is that all users from office B can access all PCs in office A. As office A is behind the ASA, I need 200 static maps.

As usual we do point-to-point static maps.

That is easy for some servers or user PCs.

As in my scenario a lot of PCs need access, it is difficult to configure 200 static maps. So is there any other way?

Regards

Biplob

Accepted Solution

On the firewall, please send me the output of "show logging | inc x"

where x is the IP address you are pinging from.


22 Replies

Is there an ISP link between the two offices?

If yes, is there a VPN tunnel established between the two offices?

If yes, you may use NAT zero.

Hi

Thanks.

No ISP link. The two offices are connected via VSAT. There is no VPN tunnel between the two offices.

At present 5 servers are static mapped. But the decision now is that all PCs of office A are to be available to office B, but the traffic comes through the firewall. So I need 195 more static maps?

Thanks

Biplob

Not really. Use NAT zero and that's it.

But you have to modify your ACLs on the firewall as well to allow the traffic between the 2 offices.

Cheers.

Hi

I am confused. Please clarify.

At present, scenario example:

PIX outside IP: 192.168.10.1

PIX inside IP: 192.168.40.10

ACL 101 permit tcp any any

ACL 101 permit icmp any any

static (outside,inside) 192.168.10.11 192.168.40.11 0 0

access-group 101 in interface outside

** As users from my office do not connect to the Internet, the NAT is configured like this here.

As per your suggestion, if I configure

nat (inside) 0 192.168.40.0 255.255.255.0

then I do not need any static map????

Office B (172.16.20.X) can access office A (192.168.40.X) without any mapping???

And can ping 192.168.40.X directly?

---- Can you give me a sample configuration? ---

Regards

Biplob

Hi Biplob,

yes, but don't use:

nat (inside) 0 192.168.40.0 255.255.255.0

since you still need traffic going from office A to the internet to be NATed.

So use an ACL like below:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

The config above allows users in office A to connect to office B. For office B users to connect to office A users, use the config below:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

* Please use the rating system once your problem is solved.

Thanks,

Moath.

Hi

If I understand, then according to your summary:

office B (172.16.20.0) - FW - office A (192.168.40.0)

Only office B users access office A, then:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

Office B users access office A and also users of office A connect to the Internet, then:

-------------------------------------------

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

Besides this I do not need any other config?

Regards

Biplob

Hi,

From office A to office B:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

From office B to A:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

Please configure all above to allow traffic from both offices.

"beside this i do not need any other config"

Please make sure that the traffic ACLs applied on the outside interface and inside interface (if any) allow the traffic between the 2 offices.

Hi

Many thanks. Now I am 90% clear. Just a little bit of confusion remains.

1. Your last line says --Please make sure that the traffic ACLs applied on the outside interface and inside interface--. What do you mean by this line? Is it regarding the access-group applied to the interface?

Do I not need any access-group?

2. You mention the examples

office A to office B:

office B to office A:

and both.

But if I additionally need

office B to office A and office A connecting to the Internet, that means office A users also connect to the Internet, then what do I do?

Please give me an additional example, because I am worried that if I give NAT exclude for 192.168.40.0 then no user of office A can connect to the Internet.

Sorry for taking up your time.

Regards

Biplob

Hi,

1- Traffic from outside to inside is denied by default, so you have to allow it in the ACL applied on the outside interface.

permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

2- The reason why we used an ACL in the NAT zero statement was to exclude only traffic between the 2 offices from getting NATed.

But there should be another NAT statement for traffic from office A in order to allow it Internet access.

If you are confused, please attach the firewall config so I can help you more.
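Pulling the three pieces of this reply together (NAT exemption for the inter-office traffic, a separate NAT rule for Internet access, and an outside ACL that permits only office B to office A), here is an assembled example configuration. It is written for this page, not copied from the poster's firewall, and uses the thread's subnets (office A 192.168.40.0/24 on inside, office B 172.16.20.0/24 reached via outside). The ACL and object names, the test host 172.16.20.5, and the choice of PAT to the outside interface address are assumptions; the last section shows the equivalent in the ASA 8.3+ NAT syntax, which the thread does not cover.

```cisco
! --- Pre-8.3 PIX/ASA syntax (the syntax used in this thread) ---
! Assumed names: NAT0_INSIDE, NAT0_OUTSIDE, OUTSIDE_IN

! 1. Identity NAT (NAT exemption) only for office A <-> office B.
!    No per-host static: the whole /24 keeps its real addresses,
!    so office B reaches 192.168.40.x directly.
access-list NAT0_INSIDE extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list NAT0_INSIDE

access-list NAT0_OUTSIDE extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (outside) 0 access-list NAT0_OUTSIDE

! 2. Everything else leaving office A is still translated, so Internet
!    access keeps working (assumption: PAT to the outside interface address).
nat (inside) 1 192.168.40.0 255.255.255.0
global (outside) 1 interface

! 3. Outside-to-inside is denied by default. Permit only office B to
!    office A instead of a "permit ip any any" style rule.
access-list OUTSIDE_IN extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! 4. Verification from the firewall (assumed office B test host 172.16.20.5):
!    packet-tracer input outside icmp 172.16.20.5 8 0 192.168.40.11
!    show logging | include 172.16.20.5
!    show xlate | include 192.168.40.11    (no translation entry expected)

! --- ASA 8.3+ equivalent (different NAT syntax, same effect) ---
object network OFFICE_A
 subnet 192.168.40.0 255.255.255.0
object network OFFICE_B
 subnet 172.16.20.0 255.255.255.0
! Manual (twice) NAT identity rule: manual NAT is evaluated before
! object NAT, so office A <-> office B traffic is never PATed.
nat (inside,outside) source static OFFICE_A OFFICE_A destination static OFFICE_B OFFICE_B
! Object NAT for everything else from office A: PAT to the outside address.
object network OFFICE_A_PAT
 subnet 192.168.40.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

The outside ACL is the security-relevant part: the NAT exemption only removes the need for 200 static maps, it does not grant access, and the earlier `permit tcp any any` / `permit icmp any any` lines would open all of office A to anything the VSAT router forwards, not just office B. The existing five `static` entries can stay alongside the exemption. If your platform runs with `nat-control` disabled (the default on ASA 7.x and later), the `nat (outside) 0` line is not strictly required for office B to initiate connections, but it is harmless; on PIX 6.x it is needed.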

OK, I will check this out.

lol... Check out what?

I will do a dummy implementation and give you the result in some time.

Dummy results, please check below ;) cheers mate

The result is 0. I will send you the configuration of what I did. Please wait 5 min.
