nat outside inside

Unanswered Question
Mar 29th, 2010
hi,


I have two external IP ranges. From outside everything is reachable, but from inside I cannot reach the external IP. But in some cases this is necessary. I have an ASA 55xx with the latest OS. How can I configure the ASA to let internal clients reach the external IP ranges from inside? Do I need a static NAT rule for this? Does someone have an example for me? Thanks and regards.

acomiskey Mon, 03/29/2010 - 06:03
User Badges:
  • Green, 3000 points or more

x.x.x.x = external ip

y.y.y.y = internal


same-security-traffic permit intra-interface

static (inside,inside) x.x.x.x y.y.y.y netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0

thorstenn Mon, 03/29/2010 - 09:51
For ASA version 8.3 these commands won't work, I think.


global (inside) 1 interface

nat (inside) 1 0 0

Kureli Sankar Mon, 03/29/2010 - 19:03
User Badges:
  • Cisco Employee,
Old 8.2 and older Dynamic PAT:

nat (inside) 1 0 0
global (outside) 1 interface

#################################

New 8.3 dynamic PAT:
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

-KS


Lunzhicheng7 Mon, 03/29/2010 - 19:18
I wonder if you can show us more detail? It's hard to tell where it goes wrong without the configuration.

thorstenn Mon, 03/29/2010 - 21:38
For example, I have an internal server with 172.16.16.10 with a service on port 5467 for an outside IP 188.156.65.100 with the same port. From a host inside the network with the IP 172.16.16.233 I can perform a "telnet 172.16.16.10 5467" session with an answer from the service.


From outside everything is fine too. But sometimes there is a need to reach the external IP from INSIDE the LAN.


For example, a host with 172.16.16.233 needs to telnet to "188.156.65.100 5467" from inside. And here is the problem: there is no answer from the service. Do you understand what I mean?


Interface config:


!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 188.156.65.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.16.1 255.255.0.0
!


Maybe of interest: if I look in the ASA log while I perform a telnet from inside to the outside IP, I see this:


4    Mar 30 2010    03:30:50    106563    188.156.65.1        172.16.16.233        Deny icmp src outside:188.156.65.1 dst inside:172.16.16.233 (type 5, code 1) by access-group "global_access" [0x0, 0x0]

2    Mar 30 2010    03:30:50    106556                    Deny IP spoof from (188.156.65.1) to 188.156.65.100 on interface outside

Jennifer Halim Mon, 03/29/2010 - 22:47
User Badges:
  • Cisco Employee,

object network obj-188.156.65.100
    host 188.156.65.100
    nat (inside,inside) static 172.16.16.233

thorstenn Mon, 03/29/2010 - 23:05
OK, for the whole subnet:


object network obj-172.16.16.0
     subnet 172.16.16.0 255.255.255.0


object network obj-188.156.65.0
    subnet 188.156.65.0 255.255.255.0
    nat (inside,inside) static obj-172.16.16.0


right?

Jennifer Halim Mon, 03/29/2010 - 23:21
User Badges:
  • Cisco Employee,

If you are mapping the subnet, it will be translated sequentially, i.e.:

188.156.65.1 --> 172.16.16.1

188.156.65.2 --> 172.16.16.2


Since you have already configured a specific translation before, you would need to do 1 IP address for whatever mapping you have configured earlier for the (inside,outside) translation.

thorstenn Mon, 03/29/2010 - 23:36
OK, I tried it with a single NAT and not the whole range, but it seems not to work for me. Here is what I've configured now for the address:


nat (inside,outside) source static 172.16.16.10 188.156.65.100

object network 188.156.65.100
nat (inside,inside) static 172.16.16.10

Lunzhicheng7 Mon, 03/29/2010 - 23:31
I'm not quite sure whether I misunderstood the meaning. In the case of your example, since your internal user (172.16.16.233) needs to visit an internal server (172.16.16.10), the traffic seems to have no need to go through the firewall, as the two IP addresses are in the same subnet. If you want the internal users to see the server as a NATed address, you may need to add one more translation entry "static (inside,inside) 188.156.65.100 172.16.16.10"; meanwhile you need to add "same-security-traffic permit intra-interface".
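Pulling the thread together: below is a complete hairpin (U-turn) NAT configuration for the concrete addresses thorstenn posted (server 172.16.16.10 published as 188.156.65.100, client 172.16.16.233 on the same inside LAN), written once in the pre-8.3 syntax that acomiskey and Lunzhicheng7 used and once in the 8.3 object/twice-NAT syntax that Kureli Sankar and Jennifer Halim used. This is an added example for this page, not configuration from any of the posters; the object names (obj-*) and the decision to PAT the inside source to the inside interface address are assumptions made for the example.

```cisco
! Added example (not from the thread): hairpin NAT so inside clients can reach
! the public address of an inside server. Addresses are the ones in the thread:
!   server 172.16.16.10 (real) <-> 188.156.65.100 (mapped on outside)
!   client 172.16.16.233 on the inside LAN
! Object names are assumptions for this example.

! Needed in both versions: allow a packet to enter and leave the same interface
same-security-traffic permit intra-interface

! ===== ASA 8.2 and earlier =====
! Existing publication of the server to the Internet
static (inside,outside) 188.156.65.100 172.16.16.10 netmask 255.255.255.255
! Same translation on the inside interface, so an inside host can use the public address
static (inside,inside) 188.156.65.100 172.16.16.10 netmask 255.255.255.255
! PAT the inside source to the inside interface address. Without this the server
! answers the client directly (same subnet) and the ASA never sees the reply.
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! ===== ASA 8.3 and later =====
object network obj-172.16.16.10
 host 172.16.16.10
 ! existing auto-NAT publication to the Internet
 nat (inside,outside) static 188.156.65.100
object network obj-188.156.65.100
 host 188.156.65.100
object network obj-inside-lan
 subnet 172.16.16.0 255.255.255.0
! Hairpin rule (twice NAT): a client on inside connecting to 188.156.65.100 has its
! destination rewritten to 172.16.16.10 and its source PATed to the inside interface.
! In "destination static A B", A is the mapped address the client uses, B is the real one.
nat (inside,inside) source dynamic obj-inside-lan interface destination static obj-188.156.65.100 obj-172.16.16.10

! Verification from the ASA CLI (simulated client 172.16.16.233 to the public port):
!   packet-tracer input inside tcp 172.16.16.233 1025 188.156.65.100 5467
!   show xlate
!   show nat detail
```

The packet-tracer run should show the NAT phase matching the (inside,inside) rule and the packet leaving on inside with destination 172.16.16.10; if it instead reports a drop or a match on the (inside,outside) rule, the hairpin rule is missing or ordered behind another rule. The source PAT to the interface address is the part most often left out: it is what forces the server's reply back through the ASA so the reverse translation can be applied.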
