03-11-2009 03:06 AM - edited 03-04-2019 03:53 AM
The IP information of my network:
inside: 192.168.0.0 255.255.255.128, with the ASA5505 firewall at IP 192.168.0.1
outside: 2**.**.***.132 255.255.255.248
with 6 usable public IPs (2**.**.***.129-2**.**.***.134).
When I use the default setting of the ASA 5505 to let all inside stations access the Internet with dynamic NAT, all inside stations fail to access the Internet. Then I statically mapped 2**.**.***.130 to 192.168.0.81 for testing purposes. After that, 192.168.0.81 can access the Internet, but other stations in the same network cannot. So I wish to know how I can let the other stations access the Internet with a single public IP.
This is my running config. Moreover, I wish to know how to set it so inside stations can ping outside websites (e.g. Google):
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 2**.**.***.132 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any host 2**.**.***.130
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 2**.**.***.130 192.168.0.81 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2**.**.***.129 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.126 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9f57ff8d5541eac84ef9cabf4b39e3d3
: end
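Before trusting a pasted running-config by eye, it helps to lint the handful of lines that decide whether inside hosts get out. The script below is an added example, not part of the thread and not Cisco tooling: it parses an ASA 8.x (pre-8.3 NAT syntax) config and runs three checks on it, namely that every `nat (...) N` has a `global (...) N` partner, that `dhcpd auto_config` on a statically addressed interface is backed by a `dhcpd dns` line (auto_config only relays resolvers the interface learned as a DHCP client, so without it DHCP clients get no DNS and fail by name while tests against an IP literal work), and that echo replies can return either via `inspect icmp` or via the echo-reply permit suggested later in the thread. SAMPLE_CONFIG is a constructed copy of the posted config with the masked outside addresses replaced by the documentation range 203.0.113.0/29.

```python
"""Static checks over an ASA 8.x (pre-8.3 NAT syntax) running-config.
Added example, not from the thread. SAMPLE_CONFIG is a constructed copy of
the interface, NAT, ACL, DHCP and inspection lines posted above, with the
masked outside addresses replaced by the documentation range 203.0.113.0/29."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.128
!
interface Vlan2
 nameif outside
 ip address 203.0.113.132 255.255.255.248
!
access-list outside_access_in extended permit tcp any host 203.0.113.130
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.130 192.168.0.81 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.129 2
dhcpd auto_config outside
dhcpd address 192.168.0.2-192.168.0.126 inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

# Top-level lines the checks care about; anchored matches, first hit wins.
TOP = {
    "nat": re.compile(r"nat \((\S+)\) (\d+) (.*)"),
    "global": re.compile(r"global \((\S+)\) (\d+) (.*)"),
    "access-list": re.compile(r"access-list (\S+) (.*)"),
    "access-group": re.compile(r"access-group (\S+) (in|out) interface (\S+)"),
    "dhcpd": re.compile(r"dhcpd (\S+) ?(.*)"),
    "inspect": re.compile(r"inspect (\S+)"),
}


def parse_config(text):
    """Collect interface addressing plus the TOP lines, with or without indentation."""
    cfg = defaultdict(list)
    cfg["interfaces"] = {}  # nameif -> {"name": ..., "ip": "static" | "dhcp" | None}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":  # "!" closes an interface block
            cur = None
            continue
        if tok[0] == "interface":
            cur = {"name": tok[1], "ip": None}
            continue
        if cur is not None:  # inside an interface block (pasted configs often lose indentation)
            if tok[0] == "nameif":
                cfg["interfaces"][tok[1]] = cur
            elif tok[:2] == ["ip", "address"]:
                cur["ip"] = "dhcp" if tok[2] == "dhcp" else "static"
            continue
        for key, rx in TOP.items():
            m = rx.match(" ".join(tok))
            if m:
                cfg[key].append(m.groups())
                break
    return cfg


def check_nat_global_pairs(cfg):
    """Outbound PAT needs 'nat (in) N' paired with a 'global (out) N'."""
    gids = {int(gid) for _, gid, _ in cfg["global"]}
    return [f"nat ({nameif}) {nid} {rest}: no 'global ... {nid}' to translate into"
            for nameif, nid, rest in cfg["nat"] if int(nid) != 0 and int(nid) not in gids]


def check_dhcp_dns(cfg):
    """'dhcpd auto_config X' only relays DNS that interface X learned as a DHCP
    client; with a static address on X and no 'dhcpd dns', clients get no resolver."""
    has_dns = any(k == "dns" for k, _ in cfg["dhcpd"])
    out = []
    for k, val in cfg["dhcpd"]:
        src = cfg["interfaces"].get(val.split()[0] if val else "", {})
        if k == "auto_config" and src.get("ip") == "static" and not has_dns:
            out.append(f"dhcpd auto_config {val}: {val} is static, add 'dhcpd dns <server>'")
    return out


def check_icmp_return(cfg):
    """Echo replies only get back in with 'inspect icmp' or an explicit
    echo-reply permit on the ACL applied inbound on outside."""
    if ("icmp",) in cfg["inspect"]:
        return []
    bound = {acl for acl, d, nameif in cfg["access-group"] if d == "in" and nameif == "outside"}
    for name, body in cfg["access-list"]:
        if name in bound and "permit icmp" in body and "echo-reply" in body:
            return []
    return ["no 'inspect icmp' and no echo-reply permit inbound on outside: pings from inside time out"]


def run_checks(text):
    cfg = parse_config(text)
    return check_nat_global_pairs(cfg) + check_dhcp_dns(cfg) + check_icmp_return(cfg)
```

On the posted config `run_checks(SAMPLE_CONFIG)` returns two findings, the missing `dhcpd dns` and the missing ICMP return path, and no finding for the nat/global pair; the static and the outside ACL do not affect outbound PAT, which is consistent with the later replies saying those two lines look fine.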
03-11-2009 04:43 AM
The following 2 lines should allow your inside hosts access to the Internet -
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
How are you testing connectivity? If it is with ping, you will need to do further config, i.e.
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
Jon
03-11-2009 07:42 PM
>How are you testing connectivity?
I access www.google.com with IE to test connectivity. But only 192.168.0.81 can access Google; other stations in the same subnet cannot.
Do I need to set an access rule to let the other stations access Internet web pages?
03-12-2009 09:28 PM
Do I need to add this to allow Internet website access for the other inside stations?
"access-list outside_access_in extended permit tcp any any "
or
"access-list outside_access_in extended permit tcp any host 2**.**.***.132 "
03-13-2009 07:57 AM
Hi,
The nat & global statements look OK; however, you've not assigned any ports to Vlan1 (the inside).
As with interface Ethernet0/0, you'll need to assign the other interfaces to vlan1 and enable them with 'no shutdown'. Also ensure your default route is correct, and the rest should be OK.
Thanks
03-16-2009 11:58 PM
Hi,
Please do a sh ver on your ASA5505.
Licensed features for this platform:
Inside Hosts : Unlimited
The above statement should show unlimited hosts. If your license is not unlimited, you will have a problem connecting to the Internet from some machines once the number of connections is used up.
03-17-2009 07:40 PM
Yes!
I used sh ver to check, and inside hosts is unlimited.
Inside stations in my network using PAT still cannot connect to the Internet. I attached the log file and see "Teardown dynamic TCP translation". Has my PAT setting failed?
(210.**.***.132 is outside interface IP)
6|Mar 18 2009|09:10:28|305012|192.168.0.72|1441|210.**.***.132|12299|Teardown dynamic TCP translation from inside:192.168.0.72/1441 to outside:210.**.***.132/12299 duration 0:01:00
03-18-2009 05:19 AM
I am suspecting your access list is the cause.
This statement :
access-list outside_access_in extended permit tcp any host 2**.**.***.130, tells the ASA to allow incoming connections only to IP 2**.**.***.130
Your static statement:
static (inside,outside) 2**.**.***.130 192.168.0.81 netmask 255.255.255.255, tells the ASA to direct anything incoming from outside to 2**.**.***.130 only to the internal IP 192.168.0.81
Try this to verify:
Take out the access list statement by issuing this command:
no access-group outside_access_in in interface outside
Let me know if it works.
03-18-2009 08:45 PM
Does that mean dynamic NAT and static NAT cannot work together?
But I set the static NAT for testing purposes, because the default setting could not let inside stations access the Internet. After I set the static NAT and access rule, 192.168.0.81 could access the Internet, which means the route setting is correct.
03-18-2009 10:21 PM
I am not saying the static & dynamic can't work together. I am looking at the access-list being applied on the outside interface, which is preventing all your clients from accessing the Internet.
Please try removing the access list first; if that doesn't work, you can always put the statement back.
03-19-2009 01:22 AM
Do I need to set an inside route for dynamic NAT to work?
route inside 192.168.0.0 255.255.255.128 192.168.0.1 1
And does anyone know the meaning of "teardown dynamic tcp translation from inside" in the log file?
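A 305012 "Teardown dynamic TCP translation ... duration" line on its own only records that a PAT slot on the outside address was allocated for an inside source port and released again; whether the translated SYN ever got an answer is recorded by the connection messages (302013 "Built outbound TCP connection" and 302014 "Teardown TCP connection ... bytes N <reason>") for the same inside endpoint. The script below is an added example, not from the thread, that groups the two message families per inside ip/port in the pipe-separated form ASDM exports and attaches a verdict. SAMPLE_LOG is constructed: it pads the single 305012 line posted above with the build and connection messages that would surround it in a full log, plus a healthy flow from the statically mapped host, with the masked addresses replaced by 203.0.113.0/29 (outside) and 198.51.100.80 (a web server); the "SYN Timeout" reason on the failing flow is assumed for illustration, not taken from the posted log.

```python
"""Correlate ASA translation (305011/305012) and connection (302013/302014)
messages per inside flow, in the pipe-separated form ASDM exports.
Added example, not from the thread. SAMPLE_LOG is constructed around the one
305012 line posted above; addresses are documentation ranges and the
"SYN Timeout" reason on the failing flow is an assumption."""
import re

INSIDE_IF = "inside"  # nameif of the inside interface in the posted config

SAMPLE_LOG = """\
6|Mar 18 2009|09:09:28|305011|192.168.0.72|1441|203.0.113.132|12299|Built dynamic TCP translation from inside:192.168.0.72/1441 to outside:203.0.113.132/12299
6|Mar 18 2009|09:09:28|302013|192.168.0.72|1441|198.51.100.80|80|Built outbound TCP connection 4711 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:192.168.0.72/1441 (203.0.113.132/12299)
6|Mar 18 2009|09:09:58|302014|192.168.0.72|1441|198.51.100.80|80|Teardown TCP connection 4711 for outside:198.51.100.80/80 to inside:192.168.0.72/1441 duration 0:00:30 bytes 0 SYN Timeout
6|Mar 18 2009|09:10:28|305012|192.168.0.72|1441|203.0.113.132|12299|Teardown dynamic TCP translation from inside:192.168.0.72/1441 to outside:203.0.113.132/12299 duration 0:01:00
6|Mar 18 2009|09:11:02|302013|192.168.0.81|1500|198.51.100.80|80|Built outbound TCP connection 4712 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:192.168.0.81/1500 (203.0.113.130/1500)
6|Mar 18 2009|09:11:04|302014|192.168.0.81|1500|198.51.100.80|80|Teardown TCP connection 4712 for outside:198.51.100.80/80 to inside:192.168.0.81/1500 duration 0:00:02 bytes 5120 TCP FINs
"""

XLATE_RE = re.compile(
    r"(?P<event>Built|Teardown) dynamic (?P<proto>\w+) translation from "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
    r"(?: duration (?P<duration>\d+:\d+:\d+))?")
CONN_RE = re.compile(
    r"(?P<event>Built|Teardown) (?:outbound |inbound )?(?P<proto>\w+) connection "
    r"(?P<conn_id>\d+) for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+)(?: \([^)]*\))? to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+)(?: \([^)]*\))?"
    r"(?: duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.*))?")


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Split one ASDM-export line; the free-text message is the last field."""
    parts = line.split("|", 8)
    if len(parts) != 9:
        return None
    sev, date, clock, msgid, _src, _sport, _dst, _dport, text = parts
    return {"severity": int(sev), "time": f"{date} {clock}", "msgid": int(msgid), "text": text}


def inside_endpoint(m):
    """Return 'ip/port' of whichever side of the message sits on INSIDE_IF."""
    for n in ("1", "2"):
        if m.group("if" + n) == INSIDE_IF:
            return f"{m.group('ip' + n)}/{m.group('port' + n)}"
    return None


def verdict(flow):
    reason = flow.get("conn_reason")
    if reason == "SYN Timeout" and flow.get("conn_bytes") == 0:
        return ("SYN was translated and forwarded but no SYN/ACK returned: "
                "check the path back to the PAT address, not the nat/global lines")
    if reason is not None:
        return f"completed ({reason}, {flow['conn_bytes']} bytes)"
    if "xlate_seconds" in flow:
        return "translation built and aged out with no connection messages in this window"
    return "incomplete: no teardown seen yet"


def correlate(log_text):
    """Group build/teardown messages by inside endpoint and attach a verdict."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] in (305011, 305012):
            kind, m = "xlate", XLATE_RE.search(rec["text"])
        elif rec["msgid"] in (302013, 302014):
            kind, m = "conn", CONN_RE.search(rec["text"])
        else:
            continue
        key = inside_endpoint(m) if m else None
        if key is None:
            continue
        flow = flows.setdefault(key, {})
        if kind == "xlate" and m.group("event") == "Built":
            flow["xlate_to"] = f"{m.group('ip2')}/{m.group('port2')}"  # mapped outside ip/port
        elif kind == "xlate":
            flow["xlate_seconds"] = to_seconds(m.group("duration") or "0:00:00")
        elif m.group("event") == "Built":
            flow["conn_id"] = int(m.group("conn_id"))
        else:
            flow["conn_seconds"] = to_seconds(m.group("duration") or "0:00:00")
            flow["conn_bytes"] = int(m.group("bytes"))
            flow["conn_reason"] = m.group("reason").strip()
    for flow in flows.values():
        flow["verdict"] = verdict(flow)
    return flows
```

Run against the posted 305012 line alone, `correlate` reports only that the translation was built and aged out; the useful signal is the 302014 reason and byte count for the same inside ip/port, so the ASDM log should be filtered on the inside address rather than on message ID 305012.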