03-29-2010 01:59 AM - edited 03-11-2019 10:26 AM
Hi,
I have two external IP ranges. From outside everything is reachable, but from inside I cannot reach the external IPs. In some cases this is necessary. I have an ASA 55xx with the latest OS. How can I configure the ASA to let internal clients reach the external IP ranges from inside? Do I need a static NAT rule for this? Does someone have an example for me? Thanks and regards.
03-29-2010 06:03 AM
x.x.x.x = external ip
y.y.y.y = internal
same-security-traffic permit intra-interface
static (inside,inside) x.x.x.x y.y.y.y netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0 0
03-29-2010 09:51 AM
For ASA version 8.3 these commands won't work, I think.
global (inside) 1 interface
nat (inside) 1 0 0
03-29-2010 07:03 PM
Old (8.2 and older) dynamic PAT:
nat (inside) 1 0 0
global (outside) 1 interface
#################################
New 8.3 dynamic PAT:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
-KS
03-29-2010 07:18 PM
I wonder if you can show us more detail? It's hard to tell where it goes wrong without the configuration.
03-29-2010 09:38 PM
For example, I have an internal server 172.16.16.10 with a service on port 5467, mapped to the outside IP 188.156.65.100 on the same port. From a host inside the network with the IP 172.16.16.233 I can perform a "telnet 172.16.16.10 5467" session and get an answer from the service.
From outside everything is fine too. But sometimes there is a need to reach the external IP from INSIDE the LAN.
For example, a host with 172.16.16.233 needs to telnet to "188.156.65.100 5467" from inside. And here is the problem: there is no answer from the service. Do you understand what I mean?
Interface config:
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 188.156.65.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.16.1 255.255.0.0
!
Maybe of interest: if I look in the ASA log while I perform a telnet from inside to the outside IP, I see this:
4 Mar 30 2010 03:30:50 106563 188.156.65.1 172.16.16.233 Deny icmp src outside:188.156.65.1 dst inside:172.16.16.233 (type 5, code 1) by access-group "global_access" [0x0, 0x0]
2 Mar 30 2010 03:30:50 106556 Deny IP spoof from (188.156.65.1) to 188.156.65.100 on interface outside
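For reference, here is a complete hairpin (U-turn) NAT configuration for the topology described in this post, in ASA 8.3+ syntax. This is an added example, not configuration from the thread or from Cisco's own documentation; the object names (obj-inside-net, obj-srv-real, obj-srv-mapped) are assumptions, and the addresses are the ones quoted above.

```cisco
! Allow traffic to enter and leave the same interface (required for any
! inside-to-inside hairpin through the ASA).
same-security-traffic permit intra-interface
!
! Real server and the inside subnet it lives in (names are assumptions).
object network obj-srv-real
 host 172.16.16.10
 ! Normal publication of the server for outside clients (inside -> outside).
 nat (inside,outside) static 188.156.65.100
!
object network obj-srv-mapped
 host 188.156.65.100
!
object network obj-inside-net
 subnet 172.16.16.0 255.255.255.0
!
! Hairpin rule (twice NAT). Destination: translate the public address back to
! the real server. Source: PAT the inside client behind the inside interface
! address, so the server answers to the ASA and not directly to the client
! (otherwise the reply bypasses the firewall and the TCP session never
! completes, which matches the "no answer from the service" symptom).
nat (inside,inside) source dynamic obj-inside-net interface destination static obj-srv-mapped obj-srv-real
```

Two checks after applying it: `show nat` should list the (inside,inside) rule with hit counts increasing, and `packet-tracer input inside tcp 172.16.16.233 12345 188.156.65.100 5467` (the client source port 12345 is an arbitrary constructed value) should end with an ALLOW result and show the translated destination 172.16.16.10. Note that on 8.3 access lists are evaluated against the real (untranslated) address, so if an access-group is applied on the inside interface or globally (the log line above references "global_access") it must permit 172.16.16.0/24 to 172.16.16.10 on port 5467. The 8.2-and-earlier equivalent is the static (inside,inside) plus global (inside)/nat (inside) form shown in the first reply of this thread.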
03-29-2010 10:47 PM
object network obj-188.156.65.100
host 188.156.65.100
nat (inside,inside) static 172.16.16.233
03-29-2010 11:05 PM
OK, for the whole subnet:
object network obj-172.16.16.0
subnet 172.16.16.0 255.255.255.0
object network obj-188.156.65.0
subnet 188.156.65.0 255.255.255.0
nat (inside,inside) static obj-172.16.16.0
Right?
03-29-2010 11:21 PM
If you are mapping the subnet, it will be translated sequentially, i.e.:
188.156.65.1 --> 172.16.16.1
188.156.65.2 --> 172.16.16.2
Since you have already configured a specific translation before, you would need to do one IP address for whatever mapping you have configured earlier for the (inside,outside) translation.
03-29-2010 11:36 PM
OK, I tried it with a single NAT and not the whole range, but it seems not to work for me. Here is what I've configured now for the address:
nat (inside,outside) source static 172.16.16.10 188.156.65.100
object network 188.156.65.100
nat (inside,inside) static 172.16.16.10
03-29-2010 11:31 PM
I'm not quite sure whether I misunderstood the meaning. In the case of your example, since your internal user (172.16.16.233) needs to visit an internal server (172.16.16.10), the traffic seems to have no need to go through the firewall; the two IP addresses are in the same subnet. If you want the internal users to see the server as a NATed address, you may need to add one more translation entry "static (inside,inside) 188.156.65.100 172.16.16.10"; meanwhile you need to add "same-security-traffic permit intra-interface".
03-30-2010 12:16 AM
I have tried this. See my post before.