Problem with NAT on ASA5520

Unanswered Question

Hi everyone,


I have 4 interfaces: 1 outside interface and 3 inside interfaces (DMZ20, LAN2, LAN3). I need to permit traffic between all inside interfaces, at least for the beginning; this works fine now, and NAT for internet from all inside interfaces to outside also works fine.


But I have a BIG problem with access from the internet to local LAN services (ftp, ssh, www, dns, ntp, smtp, https, ldaps...) using one of my other global IP addresses from my internet provider, rather than 193.22.83.82 on the outside interface.

"access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www   (works fine with 193.22.83.82)

static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255   (works fine with 193.22.83.82)

access-group outside_access_in in interface outside"

Also I would not use "same-security-traffic permit inter-interface" to permit traffic between inside interfaces, but I have a problem with the ACL. Also I don't have time for the settings :( It would be better to change the DMZ20 interface to a DMZ zone with, for example, security-level 30.


Thanks a lot for your help,

Jan


!
ASA Version 7.0(6)
!
hostname asa13
domain-name netlinx.com
enable password dKd2d5d67dG encrypted
names
name 192.168.20.0 LAN_dmz
name 192.66.0.0 LAN_old
name 10.0.0.0 LAN_ba1
name 10.1.0.0 LAN_ba2
name 10.2.0.0 LAN_bb
name 10.16.0.0 LAN_new
name 10.17.0.0 LAN_havirov
name 10.20.0.0 LAN_brno
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.22.83.82 255.255.255.224
!
interface GigabitEthernet0/1
nameif DMZ20
security-level 100
ip address 192.168.20.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif LAN2
security-level 100
ip address 192.66.16.3 255.255.0.0
!
interface GigabitEthernet0/3
nameif LAN3
security-level 100
ip address 10.16.4.222 255.255.0.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd dKd2d5d67dG encrypted
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
same-security-traffic permit inter-interface
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_old 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba1 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_ba2 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_bb 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_new 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_havirov 255.255.0.0
access-list natdmz20 extended permit ip LAN_dmz 255.255.255.0 LAN_brno 255.255.0.0
access-list natdmz20 extended deny ip any any log
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_old 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan3 extended permit ip LAN_new 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan3 extended deny ip any any log
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_dmz 255.255.255.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba1 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_ba2 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_bb 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_new 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_havirov 255.255.0.0
access-list natlan2 extended permit ip LAN_old 255.255.0.0 LAN_brno 255.255.0.0
access-list natlan2 extended deny ip any any log
pager lines 24
logging enable
logging trap notifications
logging asdm notifications
logging host DMZ20 192.168.20.19
mtu outside 1500
mtu DMZ20 1500
mtu LAN3 1500
mtu LAN2 1500
no failover
monitor-interface outside
monitor-interface DMZ20
monitor-interface LAN3
monitor-interface LAN2
icmp deny any outside
icmp permit any DMZ20
icmp permit any LAN3
icmp permit any LAN2
asdm image disk0:/asdm506.bin
asdm location LAN_ba1 255.255.0.0 DMZ20
asdm location LAN_ba2 255.255.0.0 DMZ20
asdm location LAN_bb 255.255.0.0 DMZ20
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ20) 0 access-list natdmz20
nat (DMZ20) 1 LAN_dmz 255.255.255.0
nat (LAN3) 0 access-list natlan3
nat (LAN3) 1 LAN_new 255.255.0.0
nat (LAN2) 0 access-list natlan2
nat (LAN2) 1 LAN_old 255.255.0.0

route outside 0.0.0.0 0.0.0.0 193.22.83.65 1
route DMZ20 LAN_bb 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba2 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_ba1 255.255.0.0 192.168.20.36 1
route DMZ20 LAN_havirov 255.255.0.0 192.168.20.251 1
route DMZ20 LAN_brno 255.255.0.0 192.168.20.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http LAN_dmz 255.255.255.0 DMZ20
http LAN_new 255.255.0.0 LAN3
http LAN_old 255.255.0.0 LAN2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet LAN_dmz 255.255.255.0 DMZ20
telnet 16.16.0.0 255.255.0.0 LAN3
telnet LAN_old 255.255.0.0 LAN2
telnet timeout 5
ssh scopy enable
ssh LAN_dmz 255.255.255.0 DMZ20
ssh LAN_new 255.255.0.0 LAN3
ssh LAN_old 255.255.0.0 LAN2
ssh timeout 60
console timeout 0
ntp server 192.168.20.11 source LAN2
tftp-server LAN2 192.66.21.10 /tmp
smtp-server 192.66.19.4
Cryptochecksum:e04d0c33b9fc078f6913f72ef75965a4
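A way to sanity-check the three quoted lines against the running config, as an added example that is not from the post or from Cisco: this script (assumed Python 3, standard library only) parses the outside interface block, the tcp static, the ACL entry and the access-group, and reports whether the mapped IP falls inside the outside subnet, whether an ACL is bound inbound on outside, and whether that ACL permits the mapped IP/port. With the posted lines all three checks pass, so it confirms the configuration is internally consistent rather than locating the fault.

```python
import ipaddress
import re

# Constructed sample: the three lines quoted in the post plus the outside
# interface block from the running config (not the whole config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 193.22.83.82 255.255.255.224
access-list outside_access_in extended permit tcp any host 193.22.83.76 eq www
static (DMZ20,outside) tcp 193.22.83.76 www 192.168.20.72 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse_interfaces(cfg):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, name = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                      # new block, forget previous nameif
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif name and s.startswith("ip address "):
            _, _, ip, mask = s.split()
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

def audit_statics(cfg):
    """For each tcp static: is the mapped IP inside the mapped interface's
    subnet, is an ACL bound inbound there, and does it permit the IP/port?"""
    nets = parse_interfaces(cfg)
    permits = set(ACL_RE.findall(cfg))                  # (acl, host, port)
    bound = {iface: acl for acl, iface in GROUP_RE.findall(cfg)}
    results = []
    for _real_if, mapped_if, gip, gport, _lip, _lport in STATIC_RE.findall(cfg):
        acl = bound.get(mapped_if)
        results.append({
            "mapped_ip": gip,
            "in_subnet": mapped_if in nets and ipaddress.ip_address(gip) in nets[mapped_if],
            "acl_bound": acl is not None,
            "acl_permits": (acl, gip, gport) in permits,
        })
    return results
```

Feed it the full running config instead of the sample and every tcp static gets its own result row; a False in any column is the first place to look.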
