11-16-2008 11:27 PM - edited 03-11-2019 07:13 AM
Hi,
I have two offices, A and B. A is the head office, where there are 200 users, and office B has 300 users.
Connection scenario from A to B:
B office - Router - outside FW inside - A office.
------------------
My goal is that all users from office B can access all PCs in office A. As office A is behind the ASA, I need 200 static maps.
Usually we do point-to-point static maps.
That is easy for a few servers or user PCs.
In my scenario a lot of PCs need access, so it is difficult to configure 200 static maps. Is there any other way?
Regards,
Biplob
11-18-2008 04:44 AM
On the firewall, please send me the output of "show logging | inc x",
where x is the IP address you are pinging from.
11-17-2008 01:23 AM
Is there an ISP link between the two offices?
If yes, is there a VPN tunnel established between the two offices?
If yes, you may use NAT zero.
11-17-2008 03:10 AM
Hi,
Thanks.
No ISP link. The two offices are connected via VSAT; there is no VPN tunnel between the two offices.
At present 5 servers are statically mapped, but the decision now is that all PCs of office A must be available to office B, and that traffic comes through the firewall. So do I need 195 more static maps?
Thanks,
Biplob
11-17-2008 03:26 AM
Not really. Use NAT zero and that's it.
But you have to modify your ACLs on the firewall as well to allow the traffic between the two offices.
Cheers.
11-17-2008 10:38 PM
Hi,
I am confused; please clarify.
Present scenario example:
PIX outside IP: 192.168.10.1
PIX inside IP: 192.168.40.10
ACL 101 permit tcp any any
ACL 101 permit icmp any any
static (outside,inside) 192.168.10.11 192.168.40.11 0 0
access-group 101 in interface outside
**As users from my office do not connect to the Internet, this is how NAT is configured here.
As per your suggestion, if I configure
nat (inside) 0 192.168.40.0 255.255.255.0
then I do not need any static map?
Office B (172.16.20.x) can access office A (192.168.40.x) without any mapping?
And can ping 192.168.40.x directly?
----Can you give me a sample configuration?---
Regards,
Biplob
11-18-2008 12:40 AM
Hi Biplob,
yes, but don't use:
nat (inside) 0 192.168.40.0 255.255.255.0
since you still need traffic going from office A to the internet to be NATed.
So use an ACL like below:
access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
The config above allows users in office A to connect to office B. For office B users to connect to office A users, use the config below:
access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE
* Please use the rating system once your problem is solved.
Thanks,
Moath.
11-18-2008 01:15 AM
Hi,
If I understand your summary correctly:
office B (172.16.20.0) - FW - office A (192.168.40.0)
Only office B users accessing office A, then:
access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE
Office B users accessing office A, and also users of office A connecting to the Internet, then:
-------------------------------------------
access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
Besides this, I do not need any other config?
Regards,
Biplob
11-18-2008 01:27 AM
Hi,
From office A to office B:
access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
From office B to A:
access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE
Please configure all of the above to allow traffic from both offices.
"Besides this, I do not need any other config?"
Please make sure that the traffic ACLs applied on the outside interface and the inside interface (if any) allow the traffic between the two offices.
11-18-2008 01:42 AM
Hi,
Thank you very much. Now I am 90% clear, but still a little confused.
1. Your last line says "Please make sure that the traffic ACLs applied on the outside interface and inside interface". What do you mean by this line? Is it regarding the access-group applied to the interface?
Do I not need any access-group?
2. You mention the examples:
office A to office B,
office B to office A,
and both.
But if I additionally need
office B to office A and office A connecting to the Internet, meaning office A users also connect to the Internet, then what should I do?
Please give me an additional example, because I am worried that if I give NAT exclude for 192.168.40.0 then no user of office A will be able to connect to the Internet.
Sorry for taking up your time.
Regards,
Biplob
11-18-2008 01:51 AM
Hi,
1- Traffic from outside to inside is denied by default, so you have to allow it in the ACL applied on the outside interface:
permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
2- The reason we used an ACL in the NAT zero statement was to exclude only the traffic between the two offices from being NATed.
But there should be another NAT statement for traffic from office A in order to allow it Internet access.
If you are confused, please attach the firewall config so I can help you further.
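Pulling the pieces of this answer together, the following is a complete firewall-side example for the scenario in the thread: NAT exemption for office-to-office traffic, a separate dynamic rule for office A's Internet access, and an outside ACL that only admits office B. This is an added example written for this page, not configuration posted by anyone in the thread. It assumes ASA/PIX 7.x syntax, the addresses used above (office A 192.168.40.0/24 on inside, office B 172.16.20.0/24 reached via outside), that Internet traffic leaves through the outside interface and is PATed to the interface address, and the ACL names NAT-EXEMPT and OUTSIDE-IN are assumed names.

```cisco
! Added example (not from the thread). ASA/PIX 7.x syntax assumed.
! Office A = inside, 192.168.40.0/24. Office B = via outside, 172.16.20.0/24.
!
! 1. Traffic between the two offices must not be translated.
!    NAT exemption is evaluated before any static or dynamic rule.
access-list NAT-EXEMPT extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list NAT-EXEMPT
!
! 2. Everything else leaving office A (Internet traffic) is PATed to the
!    outside interface address. Office-B traffic never reaches this rule
!    because the exemption above matched first.
nat (inside) 1 192.168.40.0 255.255.255.0
global (outside) 1 interface
!
! 3. Inbound traffic on outside is denied by default. Permit only office B
!    to office A, instead of the "permit tcp any any" / "permit icmp any any"
!    shown earlier in the thread, which exposes every inside host to
!    anything that can reach the outside interface.
access-list OUTSIDE-IN extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
!
! 4. Optional: track ICMP echo/echo-reply as a connection so pings in
!    either direction return without a separate echo-reply ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (assumed test host 172.16.20.5 in office B pinging 192.168.40.11):
! packet-tracer input outside icmp 172.16.20.5 8 0 192.168.40.11
! show xlate | include 192.168.40.11     (no translation should be listed)
! show logging | include 172.16.20.5     (as suggested earlier in the thread)
```

Two caveats a practitioner would want. First, on ASA/PIX 7.x, NAT exemption configured with an access list is bidirectional: hosts on either side may initiate connections, so the single `nat (inside) 0 access-list` statement above already covers office B reaching office A; the extra `nat (outside) 0` statement proposed earlier is not required on 7.x, though it does no harm. Second, on ASA 7.x with the default `no nat-control`, inside hosts are allowed to pass without a translation at all; the exemption still matters because it prevents the dynamic rule in step 2 from catching office-to-office traffic and PATing it to the outside interface address.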
11-18-2008 02:04 AM
OK, I will check this out.
11-18-2008 02:06 AM
lol... Check out what?
11-18-2008 02:16 AM
I will do a dummy implementation and give you the result in a little while.
11-18-2008 02:26 AM
Dummy results, plz check below ;) cheers mate
11-18-2008 02:44 AM
The result is 0. I will send you the configuration I did; please wait 5 minutes.