How can I let the inside stations access Internet with single Public IP?

Unanswered Question
Mar 11th, 2009

The IP Information of my network:

inside: 192.168.0.0 255.255.255.128, with ASA5505 firewall IP 192.168.0.1

outside: 2**.**.***.132 255.255.255.248

with 6 public IPs usable (2**.**.***.129-2**.**.***.134).

When I use the default setting of the ASA 5505 to let all inside stations access the Internet with dynamic NAT, all inside stations fail to access the Internet. Then I statically mapped 2**.**.***.130 to 192.168.0.81 for testing purposes. After that, 192.168.0.81 can access the Internet but the other stations in the same network cannot. So I wish to know how I can let the other stations access the Internet with a single public IP.

This is my running config. Moreover, I wish to know how to set it so that inside stations can ping outside websites (e.g. Google):

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2**.**.***.132 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any host 2**.**.***.130
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2**.**.***.130 192.168.0.81 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2**.**.***.129 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.126 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9f57ff8d5541eac84ef9cabf4b39e3d3
: end

Jon Marshall Wed, 03/11/2009 - 04:43

The following 2 lines should allow your inside hosts access to the Internet -

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

How are you testing connectivity? If it is with ping you will need to do further config, i.e.

access-list outside_access_in permit icmp any any echo-reply

access-group outside_access_in in interface outside

Jon

wongkw3008 Wed, 03/11/2009 - 19:42

>How are you testing connectivity?

I access www.google.com with IE for testing connectivity. But only 192.168.0.81 can access Google; the other stations in the same subnet cannot.

Do I need to set an access rule to let the other stations access Internet web pages?

wongkw3008 Thu, 03/12/2009 - 21:28

Do I need to add this to allow Internet website access for the other inside stations?

"access-list outside_access_in extended permit tcp any any "

or

"access-list outside_access_in extended permit tcp any host 2**.**.***.132 "

bjssccouser Fri, 03/13/2009 - 07:57

Hi,

The nat & global statements look OK; however, you've not assigned any ports to Vlan1 (the inside).

As with interface Ethernet0/0, you'll need to assign the other interfaces to vlan1 and enable them with 'no shutdown'. Also ensure your default route is correct and the rest should be OK.

Thanks

connect2world Mon, 03/16/2009 - 23:58

Hi,

Please do a sh ver on your ASA5505.

Licensed features for this platform:

Inside Hosts : Unlimited

The above statement should show unlimited hosts; if your license is not unlimited, you will have a problem connecting to the internet for some machines once the number of connections is used up.

wongkw3008 Tue, 03/17/2009 - 19:40

Yes!

I used sh ver to check, and inside hosts is unlimited.

Inside stations in my network with PAT still cannot connect to the Internet. I attach the log file and see "Teardown dynamic TCP translation". Has my PAT setting failed?

(210.**.***.132 is outside interface IP)

6|Mar 18 2009|09:10:28|305012|192.168.0.72|1441|210.**.***.132|12299|Teardown dynamic TCP translation from inside:192.168.0.72/1441 to outside:210.**.***.132/12299 duration 0:01:00

connect2world Wed, 03/18/2009 - 05:19

I am suspecting your access list is the cause.

This statement :

access-list outside_access_in extended permit tcp any host 2**.**.***.130, tells the ASA to only allow incoming connections to IP 2**.**.***.130

Your static statement:

static (inside,outside) 2**.**.***.130 192.168.0.81 netmask 255.255.255.255, tells the ASA to direct any incoming traffic from outside for 2**.**.***.130 only to internal IP 192.168.0.81

Try this to verify:

Take out the access list statement by issuing this command:

no access-group outside_access_in in interface outside

Let me know if it works.

wongkw3008 Wed, 03/18/2009 - 20:45

Does that mean dynamic NAT and static NAT cannot work together?

But I set static NAT for testing purposes because the default setting cannot let inside stations access the Internet. After I set the static NAT and access rule, 192.168.0.81 can access the Internet, which means the route setting is correct.

connect2world Wed, 03/18/2009 - 22:21

I am not saying the static & dynamic can't work together. I am looking at the access-list being applied on the outside interface which is preventing all your clients from accessing the internet.

Please try removing the access list first; if that doesn't work you can always put the statement back.

wongkw3008 Thu, 03/19/2009 - 01:22

Do I need to set the inside route for dynamic NAT to work?

route inside 192.168.0.0 255.255.255.128 192.168.0.1 1

And does anyone know the meaning of "teardown dynamic tcp translation from inside" in the log file?
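As an added illustration (not part of the thread or of the ASA), the following parses the 305011 (Built) / 305012 (Teardown) translation messages and pairs them, so that a global address/port seen from the outside can be mapped back to the inside host that held it at a given time. The sample lines are constructed in the same pipe-delimited ASDM export format as the log line quoted earlier; 203.0.113.132 (TEST-NET-3) stands in for the masked outside interface address.

```python
import re
from datetime import datetime

# Constructed sample lines in the pipe-delimited ASDM log export format quoted in the
# thread; 203.0.113.132 (TEST-NET-3) stands in for the masked outside interface address.
SAMPLE_LOG = """\
6|Mar 18 2009|09:09:28|305011|192.168.0.72|1441|203.0.113.132|12299|Built dynamic TCP translation from inside:192.168.0.72/1441 to outside:203.0.113.132/12299
6|Mar 18 2009|09:09:31|305011|192.168.0.75|1099|203.0.113.132|12300|Built dynamic TCP translation from inside:192.168.0.75/1099 to outside:203.0.113.132/12300
6|Mar 18 2009|09:10:28|305012|192.168.0.72|1441|203.0.113.132|12299|Teardown dynamic TCP translation from inside:192.168.0.72/1441 to outside:203.0.113.132/12299 duration 0:01:00
"""

TIME_FMT = "%b %d %Y %H:%M:%S"
XLATE_RE = re.compile(
    r"(?P<action>Built|Teardown) (?P<kind>dynamic|static) (?P<proto>\w+) translation "
    r"from (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"to (?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
    r"(?: duration (?P<duration>\d+:\d\d:\d\d))?")

def parse_events(text):
    """Return one dict per 305011 (Built) / 305012 (Teardown) translation line."""
    events = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 9 or f[3] not in ("305011", "305012"):
            continue                      # other message ids are not xlate events
        m = XLATE_RE.search(f[8])
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(f"{f[1]} {f[2]}", TIME_FMT)
            events.append(ev)
    return events

def xlate_table(events):
    """Pair Built/Teardown by (global ip, global port). That pair is all an outside
    party ever sees, so it is the key an investigator has to map back to a host.
    A list per key keeps the history when the ASA later reuses a PAT port."""
    table = {}
    for ev in events:
        key = (ev["out_ip"], int(ev["out_port"]))
        if ev["action"] == "Built":
            table.setdefault(key, []).append({"inside": f"{ev['in_ip']}:{ev['in_port']}",
                "kind": ev["kind"], "built": ev["time"], "torn_down": None, "duration": None})
        elif table.get(key) and table[key][-1]["torn_down"] is None:
            table[key][-1].update(torn_down=ev["time"], duration=ev["duration"])
    return table

def inside_host_for(table, out_ip, out_port, when):
    """Which inside host:port held global out_ip:out_port at time `when`
    (a string in the log's own 'Mar 18 2009 09:10:00' form)? None if no xlate."""
    at = datetime.strptime(when, TIME_FMT)
    for rec in table.get((out_ip, out_port), []):
        if rec["built"] <= at and (rec["torn_down"] is None or at <= rec["torn_down"]):
            return rec["inside"]
    return None
```

A 305012 teardown on its own only records that the PAT slot was released after the connection ended or timed out; the matching 305011 shows the translation itself was built, so the pair tells you PAT ran, not why the connection failed.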
