can not get nat to work with asa5505

Nov 17th, 2008

Hello everyone,


I have been busy for a few days trying to set up NAT with the ASA 5505. Please see the attachment for the configuration of the modem and the ASA.

Hopefully someone can help me out.

Thanks in advance.


Peter




Jon Marshall Mon, 11/17/2008 - 12:53

Peter


You're going to have to tell us what you are trying to set up in terms of NAT and what is not working.


Jon

John Blakley Mon, 11/17/2008 - 13:24

I looked at your config and I'm assuming a couple of things (because this is the way that I have it set up at my house).


You have a router in front of the ASA, and you want your ASA to filter traffic that comes in from the router, so you have something like this:



Host --> ASA --> Router --> DSL --> Internet


IF I'm right, then I would suggest not natting at all. Your inside interface on the router is:


192.168.2.254 and your public interface on the ASA is 192.168.2.250.


Make sure that you can ping your router from the ASA:


ping outside 192.168.2.254


If you do that, then in your NAT configuration on the ASA:


no global (outside) 1 interface

no nat (inside) 1 0 0


You should be able to ping from an inside host out. Your route is set up correctly from the ASA.


If this ISN'T what you are needing, then yeah, you should let us know like Jon requested. :-)


Thanks,


John

rijperwaard Sat, 11/22/2008 - 06:18

Hello John,


Thanks for your reply.

I can internet from any hosts behind the inside interface of asa. The problem is:

Behind the inside interface there is a terminal server. The terminal users have to log on to it from anywhere. I cannot figure out how/where I should place the translation rule.


Hopefully you can help me out.


Thanks in advance.


Peter

John Blakley Sat, 11/22/2008 - 06:33

Try this:


static (inside,outside) interface (private ip) netmask 255.255.255.255


On your public ACL:


permit tcp any interface outside eq 3389


What this does is tell the ASA to use the outside interface IP address as the public IP. In the public ACL, you're allowing anyone to come into the public IP address on port 3389 (terminal services). If you have a block of ip addresses, you can give any one of your addresses out of that block an assignment and forget about the "interface" keyword. In the following example, 9.9.9.9 is the public ip address.


static (inside,outside) 9.9.9.9 (private ip) netmask 255.255.255.255


In public ACL:


permit tcp any host 9.9.9.9 eq 3389


Once you complete this, clear your translate table for it to take effect:


clear xlate


HTH,


John
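A fuller version of the terminal-server setup described in this answer, as an added example that is not from this thread or from Cisco's documentation. It assumes the pre-8.3 ASA static syntax used above, a constructed terminal-server address 192.168.1.10, the ACL name OUTSIDE_IN, and that the router already has ip nat inside/outside set (outbound NAT works per the original post), so inbound 3389 has to be forwarded twice: router to ASA outside address, then ASA to the server.

```cisco
! --- Cisco 837 (router in front of the ASA) ---
! The router NATs on Dialer0, so TCP/3389 arriving on the public address
! must first be forwarded to the ASA outside address (192.168.2.250).
ip nat inside source static tcp 192.168.2.250 3389 interface Dialer0 3389

! --- ASA 5505 (pre-8.3 NAT syntax, as in the answer above) ---
! Port-level static: TCP/3389 on the outside interface address maps to the
! terminal server. 192.168.1.10 is an assumed address for the server.
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

! Inbound rule on the outside interface. The answer uses "any" as source;
! restricting it to the network the administrators connect from (here the
! documentation range 198.51.100.0/24 as a placeholder) keeps the RDP
! service reachable only from the hosts that actually need it.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 3389
access-group OUTSIDE_IN in interface outside

! Rebuild the translation table so the new static takes effect, then
! verify the translation exists and the ACL entry is being hit.
clear xlate
show xlate
show access-list OUTSIDE_IN
```

As the thread later notes, the test must come from a host outside the DSL connection; a client behind the ASA cannot hairpin out and back in through its own public address.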

John Blakley Sat, 11/22/2008 - 07:44

I'm not sure if this will work, but try the following:


On the router:


ip access-list ext EXTERNAL

permit tcp any any eq 3389


route-map TS permit 5

match ip address EXTERNAL

set ip next-hop 192.168.2.250


I'm not GREAT with policy maps, so I'd be interested in seeing if this works. How are you trying to get to the terminal server?


--John

John Blakley Sat, 11/22/2008 - 07:58

I forgot to mention that you need to apply this policy map to the outside interface on your router:


int dialer0

ip policy route-map TS

exit


--John

rijperwaard Sat, 11/22/2008 - 08:02

No, it's still not working.


I use RDP to connect the terminal server.


Peter

John Blakley Sat, 11/22/2008 - 08:16

Do you have a topology diagram or something that you can draw up quickly? Where are you in relation to the terminal server? Are you in front of the router or behind the ASA?


host -> router -> asa -> terminal server


router -> host -> asa -> terminal server


router -> asa -> host -> ts


--John

rijperwaard Sat, 11/22/2008 - 09:13

Still not working.


The terminal server is behind the asa. It looks like:

dsl -> router (dialer interface, 192.168.2.254) -> asa (outside [192.168.2.250], inside [192.168.1.1]) -> host (ts)


Peter

John Blakley Sat, 11/22/2008 - 09:16

Where are you at in the picture? On the DSL side going into the network, or ASA side going out?


--John

rijperwaard Sat, 11/22/2008 - 09:44

The problem is on the DSL side going into the network.


By the way, inside out everything is ok.


Peter

John Blakley Sat, 11/22/2008 - 10:23

Understood. You won't be able to test this from behind the ASA. In other words, if you're connected to a switch or directly to the ASA, you can't go out to the internet and back into your public interface to test it; it won't work. You'll need to do this from another computer that's completely outside of your network.


That said, can you do a sh ip nat trans on the router, and a sh xlate on the ASA and post the results back. Again, if you're trying to test it from within your network and coming back in, it won't work.



rijperwaard Sat, 11/22/2008 - 14:41

Hello John,


Thanks for all your help and time.

I got the problem resolved. I did two things wrong. The first one was the access rule in asa, the second was the translation rule in the router.

Now the asa is working. The next step is try to get the vpn working.

Thanks again.


Peter


rijperwaard Sat, 11/22/2008 - 06:28

That is right, Jon.

NAT is working. Anyone can get access to the internet behind the inside interface of asa.

The problem is the translation rule. Behind the inside interface there is a terminal server. I have no idea how/where I should configure the translation rule.


interface cisco 837

outside: 1.2.3.4

inside: 192.168.2.254

ip route 0.0.0.0 0.0.0.0 dialer0

Nat: interface dialer0


Interface asa5505

outside: 192.168.2.250

inside: 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.2.250

no nat


Thanks
