
ASA 5510 with Static NAT

psaravanan
Level 1

Hi friends,

I am Saravanan from Bangalore. One of our customers needs a static IP so that a host can be accessed from outside (the internet).

Inside ------------------------> ASA 5510 -----------------> 1800 router  ------>  outside

192.168.10.0/24    .254            10.1.1.253/30     .254/30            218.X.X.177

Actually, we configured the static NAT translation on the router, but I want to configure it on the ASA 5510. I tried to configure static NAT there, but I was not able to. Please check the config.

I also want to allow FTP, Telnet, Remote Desktop, HTTP and HTTPS.

static (inside, outside) tcp 218.X.X.180 192.168.10.200 netmask 255.255.255.255


I want the IP addresses 192.168.10.200, 201, 202, 203 and 204 to be reachable from outside as 218.X.X.180, 181, 182 and 183.

Router config

interface FastEthernet0/0
ip address 218.X.X.177 255.255.255.240
ip access-group 102 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.252
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.X.X.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
!
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 218.X.X.184
ip nat inside source static 192.168.10.115 218.X.X.185
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.0.0 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 127.0.0.0 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip 169.254.0.0 0.0.255.255 any
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip 204.152.64.0 0.0.0.1 any
access-list 102 deny   ip 224.0.0.0 31.255.255.255 any
access-list 102 deny   icmp any any
access-list 102 deny   tcp any any eq ident
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 447
access-list 102 deny   tcp any any eq 81
access-list 102 deny   tcp any any eq 135
access-list 102 deny   tcp any any eq 444
access-list 102 deny   tcp any any eq 445
access-list 102 permit ip any any

ASA Config

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.1.1.253 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
ftp mode passive
access-list BROWSING extended permit ip 192.168.10.0 255.255.255.0 any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group INTERNET in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.254 1
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5

21 Replies

Kureli Sankar
Cisco Employee

On the ASA do the following:

1. Add NAT exemption with an ACL. Deny this one host 192.168.10.200 going anywhere and permit the rest in the ACL.

2. Remove the identity static line

static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

and

3. Add this static line: static (inside, outside) 218.X.X.180 192.168.10.200 netmask 255.255.255.255, or as static PAT:

static (inside, outside) tcp 218.X.X.180 21 192.168.10.200 21 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 23 192.168.10.200 23 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 3389 192.168.10.200 3389 netmask 255.255.255.255

static (inside, outside) tcp 218.X.X.180 443 192.168.10.200 443 netmask 255.255.255.255

4. On the router, remove 218.X.X.180 from the pool.

Honestly, I would either move all the translation onto the ASA or leave it on the router. You are trying to leave dynamic NAT on the router and move the static NAT onto the ASA.

-KS

Thanks for your reply,

I already tried removing the 218.X.X.180 pool from the router, but then the internet connection does not reach my ASA.

Then I tried the following commands in the router.

ip nat inside 192.168.10.0 255.255.255.0

ip global outside interface.

These commands also did not work in the router (not able to connect to the internet).

Saravanan,

Please let us know once you complete all the steps that I listed.

You need to overload to the outside interface IP address if that is the only address in the pool:

ip nat inside source list 101 interface FastEthernet0/0 overload

Once done, get the output of "sh xlate debug | i 192.168.1.200" and make sure the ASA is translating the address properly.

-KS

Hi friends,

I already tried the configuration below, but it's not working.

Router config:

I removed the pool, then configured the FastEthernet interface with overload:

ip nat inside source list 101 interface fastethernet 0/1 overload

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

Then on the ASA 5510 side

I created static NAT:

static(inside,outside) 218.X.X.181 tcp 21 192.168.10.111 tcp 21 netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp 23 192.168.10.111 tcp 23 netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp http 192.168.10.111 tcp http netmask 255.255.255.255

static(inside,outside) 218.X.X.181 tcp https 192.168.10.111 tcp https netmask 255.255.255.255

static(inside,outside) 218.X.X.182 192.168.10.112 netmask 255.255.255.255

Even so, I can't connect from outside.

Please help me.
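The lines in the post above put the mapped address before the `tcp` keyword and repeat `tcp` before each port, which is not the form KS showed earlier (`static (inside,outside) tcp mapped_ip mapped_port real_ip real_port netmask ...`). The following is an added example, not code from the thread or from Cisco: a small lint, written in Python, that checks candidate `static` lines against the two forms KS used (assumed grammar; option keywords such as `dns` are not handled), and also flags the subnet-wide identity static from the original ASA config, because it covers the real address of every host static and conflicts with them (KS's step 2). The sample lines are constructed from the thread; the masked `218.X.X` octets are accepted literally.

```python
import ipaddress
import re

# Added example, not from the thread: a syntax lint for ASA 8.x 'static' lines.
# Assumed grammar, taken from the working lines KS posted earlier in the thread
# (optional keywords such as 'dns' or 'norandomseq' are not handled):
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask MASK
IFC = r"\(\s*(?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\s*\)"
ADDR = r"[0-9X]{1,3}(?:\.[0-9X]{1,3}){3}"  # 'X' octets allowed: the thread masks its public prefix
PORT = r"\d{1,5}|[a-z][a-z0-9-]*"           # numeric port or a service name such as http

ONE_TO_ONE = re.compile(
    rf"^static\s*{IFC}\s+(?P<mapped_ip>{ADDR})\s+(?P<real_ip>{ADDR})"
    rf"\s+netmask\s+(?P<mask>{ADDR})\s*$")
STATIC_PAT = re.compile(
    rf"^static\s*{IFC}\s+(?P<proto>tcp|udp)\s+(?P<mapped_ip>{ADDR})\s+(?P<mapped_port>{PORT})"
    rf"\s+(?P<real_ip>{ADDR})\s+(?P<real_port>{PORT})\s+netmask\s+(?P<mask>{ADDR})\s*$")


def parse_static(line):
    """Classify one 'static' line: a dict with kind 'one-to-one' or 'static-pat', or None if malformed."""
    text = line.strip()
    for kind, rx in (("one-to-one", ONE_TO_ONE), ("static-pat", STATIC_PAT)):
        m = rx.match(text)
        if m:
            entry = m.groupdict()
            entry["kind"], entry["line"] = kind, text
            return entry
    return None


def real_network(entry):
    """Inside (real) address block a parsed static covers; real addresses are not masked in the thread."""
    if entry["kind"] == "static-pat":
        return ipaddress.ip_network(entry["real_ip"] + "/32")
    return ipaddress.ip_network(f'{entry["real_ip"]}/{entry["mask"]}', strict=False)


def lint_statics(lines):
    """Return (parsed_entries, problems) for a list of candidate 'static' lines."""
    parsed, problems = [], []
    for line in lines:
        entry = parse_static(line)
        if entry is None:
            problems.append(f"malformed: {line.strip()}")
        else:
            parsed.append(entry)
    # A subnet-wide one-to-one static (the identity static in the posted config)
    # covers the real address of every host static in that subnet; the two
    # conflict on the ASA, which is why KS's step 2 removes the identity line.
    for a in parsed:
        if a["kind"] != "one-to-one" or real_network(a).num_addresses == 1:
            continue
        covered = sorted({str(real_network(b).network_address) for b in parsed
                          if b is not a and real_network(b).subnet_of(real_network(a))})
        if covered:
            problems.append(f"overlap: '{a['line']}' also covers {', '.join(covered)}")
    return parsed, problems


# Constructed sample: the identity static from the posted ASA config, two of
# KS's suggested static PAT lines, and three lines from the follow-up post.
SAMPLE = [
    "static (inside,OUTSIDE) 192.168.10.0 192.168.10.0 netmask 255.255.255.0",
    "static (inside, outside) tcp 218.X.X.180 21 192.168.10.200 21 netmask 255.255.255.255",
    "static (inside, outside) tcp 218.X.X.180 3389 192.168.10.200 3389 netmask 255.255.255.255",
    "static(inside,outside) 218.X.X.181 tcp 21 192.168.10.111 tcp 21 netmask 255.255.255.255",
    "static(inside,outside) 218.X.X.181 tcp http 192.168.10.111 tcp http netmask 255.255.255.255",
    "static(inside,outside) 218.X.X.182 192.168.10.112 netmask 255.255.255.255",
]

if __name__ == "__main__":
    entries, findings = lint_statics(SAMPLE)
    for e in entries:
        print(f"ok ({e['kind']}): {e['line']}")
    for f in findings:
        print(f)
```

Run against the sample, the two `tcp`-before-address lines are reported as malformed, the plain one-to-one line for 218.X.X.182 parses fine, and the identity static is reported as overlapping 192.168.10.112 and 192.168.10.200.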

Hi ,

I saw so many ACLs in the 1800 router; it seems to be performing the firewall function, and you also have an ASA. I am wondering whether the architecture is appropriate?

Regards,

Yang

keisikka
Level 1

Hi Buddy,

Please take care of your routing information.

THX

Keisikka

Hi friends,

Tell me the right solution. I want to permit the particular outside IP in my router; is that OK or not?

Saravanan,

If I remember right you were going to remove the IP from the pool on the router and use the interface to PAT and do static translation on the ASA.

You need to verify the following.

1. Static PAT translation is working on the ASA: "sh xlate debug | i 192.168.10.200"

2. The router will send packets to the ASA for this particular IP address.

3. Collect captures on the ASA to see if packets are arriving.

4. Check the logs on the ASA to see what they may be revealing.

5. Most of all, that the ACL applied on the outside interface of the ASA is allowing this traffic.

Please remember to verify the following for all flows through the firewall.

Route

Translation

Permission

-KS

How do you expect the ASA to do statics for the outside IPs when they exist in front of the 1800? No packets will reach the ASA with a destination containing those addresses. The traffic will stop in your router because it is doing NAT. Why don't you just put the router and the ASA on the same segment? I don't see any reason why you're doing it the way you are.

It is very much possible to do what Saravanan is trying to accomplish provided he configures the ASA and router properly.

Please also make sure that this traffic (static PAT) is exempted in the NAT overload list that you have added on the router. You need a deny before the permit.

-KS
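KS's "Route, Translation, Permission" checklist and the exemption advice just above both concern the router in front of the ASA: the public address must not be claimed by the router's own NAT, the router must have a route that hands that address to the ASA's outside interface, and the inbound ACL on the router's outside interface must pass the services. The following is an added example, not from the thread or from Cisco: a Python checker that reads an IOS-style config for exactly those three conditions. It assumes the masked prefix 218.X.X is replaced by the documentation prefix 203.0.113 (so the addresses can be parsed), understands only the command forms that appear in the posted router config, and uses a constructed, abridged copy of that config plus a second copy with KS's changes applied; the function names, the probe addresses and the `PORT_NAMES` map are my own.

```python
import ipaddress
import re

# Added example, not from the thread: a checker for KS's "Route, Translation,
# Permission" list, run against the router that sits in front of the ASA.
# Assumptions: the masked public prefix 218.X.X is replaced with the
# documentation prefix 203.0.113 so ipaddress can parse it; only the command
# forms in the posted router config are understood (ip nat pool, ip nat inside
# source static/list, ip route, numbered access-list with ip/tcp/udp/icmp and eq).
PORT_NAMES = {"ident": 113, "ftp": 21, "telnet": 23, "www": 80}  # service names this checker knows


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard is a don't-care bit."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _spec(tok, i):
    """Read one address spec ('any', 'host A' or 'A WILDCARD') at tok[i]; returns base, wildcard, next index."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def acl_action(config, number, proto, src, dst, dport=None):
    """First-match verdict of numbered ACL `number` for one flow: 'permit', 'deny' or None."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        action, aproto = tok[2], tok[3]
        sbase, swild, i = _spec(tok, 4)
        dbase, dwild, i = _spec(tok, i)
        port = None
        if i + 1 < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        if aproto not in ("ip", proto):
            continue
        if not (wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return None


def check_router(config, public_ip, asa_outside_ip, nat_acl=101, outside_acl=102,
                 services=(21, 23, 80, 443, 3389), probe=("198.51.100.9", "192.0.2.10")):
    """Findings that would stop a connection to public_ip (owned by the ASA) from working."""
    findings, pub = [], ipaddress.ip_address(public_ip)
    # Translation, inbound: the router must not claim the address in a pool or a static.
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+)", config, re.M):
        if ipaddress.ip_address(m[2]) <= pub <= ipaddress.ip_address(m[3]):
            findings.append(f"translation: {public_ip} is inside NAT pool {m[1]}; remove it")
    for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)", config, re.M):
        if m[2] == public_ip:
            findings.append(f"translation: {public_ip} is already a router static for {m[1]}")
    # Translation, outbound: the router sees the address the ASA already mapped, so the
    # overload ACL must not match it (the "deny before the permit" KS asks for).
    if acl_action(config, nat_acl, "ip", public_ip, probe[1]) == "permit":
        findings.append(f"translation: access-list {nat_acl} would PAT {public_ip} a second time")
    # Route: the longest match for the public address must point at the ASA.
    best = None
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        if pub in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m[3])
    if best is None or best[1] != asa_outside_ip:
        findings.append(f"route: nothing sends {public_ip} to the ASA at {asa_outside_ip}")
    # Permission: the inbound ACL on the outside interface must pass each service.
    for port in services:
        if acl_action(config, outside_acl, "tcp", probe[0], public_ip, port) != "permit":
            findings.append(f"permission: access-list {outside_acl} blocks tcp/{port} to {public_ip}")
    return findings


# Constructed sample, abridged from the posted router config with the prefix swapped.
ROUTER_BEFORE = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.178
ip route 192.168.10.0 255.255.255.0 10.1.1.253
ip nat pool INTERNET 203.0.113.180 203.0.113.180 netmask 255.255.255.240
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 192.168.10.114 203.0.113.184
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny icmp any any
access-list 102 deny tcp any any eq ident
access-list 102 deny tcp any any eq 445
access-list 102 permit ip any any
"""
# The same router after KS's steps: address out of the pool, PAT on the outside
# interface, and a host route handing the address to the ASA.
ROUTER_AFTER = (ROUTER_BEFORE
    .replace("ip nat pool INTERNET 203.0.113.180 203.0.113.180 netmask 255.255.255.240\n", "")
    .replace("ip nat inside source list 101 pool INTERNET overload",
             "ip nat inside source list 101 interface FastEthernet0/0 overload")
    + "ip route 203.0.113.180 255.255.255.255 10.1.1.253\n")

if __name__ == "__main__":
    for name, cfg in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        print(name, check_router(cfg, "203.0.113.180", "10.1.1.253") or ["no findings"])
```

On the "before" config the checker reports two findings: the address is still in the NAT pool, and the only matching route is the default toward the ISP, so the router never hands packets for it to the ASA. On the "after" config it reports nothing, while the inbound ACL 102 is confirmed to permit the listed services and still deny tcp/445.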

saravanan,

Why don't you simplify your configuration by letting the ASA take care of destination NAT translations instead? You don't need NAT enabled on your internet router when you have a firewall that can handle NAT. By having NAT on both the router and the ASA you are adding more complexity!

Here is a simple design that will work for you: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t5

Exactly. I had suggested that the first time I responded to his query.

-KS

And doing that requires that he change his IP addressing scheme and get rid of NAT. So basically a completely new setup.

So, dear guys:

I think there will be 2 ways.

1. Disable NAT control on the ASA, and put all NAT on the router.

2. Divide the public IP range into 2 segments: the first on the router outside, the second on the router inside and ASA outside. So the NAT can reside on both the ASA and the router.

THX

Keisikka
