05-18-2010 05:41 AM - edited 03-11-2019 10:47 AM
Hello,
I am trying to establish a direct connection to devices behind the firewall without NAT.
I have an ASA5510 FW where both sides are private IP addresses. The outside interface is security level 0 and the inside interface is security level 100.
I have a couple of servers behind the firewall, but I want them to be accessed using their own IP addresses from outside, rather than using mapped IP addresses.
I tried with NAT 0, but then realised it won't work, as it only prevents the source IP address of the devices behind the firewall from being translated.
Is it possible to do that? If so, can you give me the step-by-step procedure?
Cheers
Nimalraj
05-18-2010 06:12 AM
You can configure NAT exemption, i.e. NAT 0 with an access-list.
Example:
Inside host has an IP address of 192.168.100.5
Outside host has an IP address of 192.168.200.5
For outside host to access inside host with its private ip address, you can configure the following:
access-list nonat permit ip host 192.168.100.5 host 192.168.200.5
nat (inside) 0 access-list nonat
On your inbound access-list on the outside interface, you would need to allow the access. Check the name of the outside access list: sh run access-group, then add the following access-list:
access-list
Or a more restrictive access-list if you wish.
Hope that helps.
05-18-2010 06:40 AM
Hi, I tried that beforehand, but it didn't work. The following is the configuration I have in my ASA.
access-list inbound extended permit icmp any any
access-list inbound extended permit ip any any
access-list nonat extended permit ip any host 172.16.1.20
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0
access-group inbound in interface outside
All the clients have internet access, but I cannot ping or connect to the 172.16.1.20 machine.
Any idea?
05-18-2010 06:47 AM
Are the servers ever going to go out from the inside and get translated to the public IP on your outside interface ?
If they are do you know the specific source IPs you want to use to be able to access the servers on their private addresses from outside ?
Jon
05-18-2010 06:50 AM
No. These servers are going to remain private, and there won't be any mapping from the outside interface to the private IP address of the server.
That's why I want some way to access the server using the private IP address, rather than using the mapped IP address.
Nimalraj
05-18-2010 06:54 AM
Try this -
static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
where 172.16.10.0/24 would be the server subnet.
Jon
05-18-2010 07:11 AM
That did the trick for me.
Can you elaborate more on this command? The reason I am asking is that it worked without even the NAT 0 command.
That's why I am a bit confused.
Cheers
05-18-2010 07:16 AM
nimalrajphilips wrote:
That did the trick for me.
Can you elaborate more on this command? The reason I am asking is that it worked without even the NAT 0 command.
That's why I am a bit confused.
Cheers
Basically it is a static NAT statement that takes precedence over your dynamic NAT statements. Usually you see something like -
static (inside,outside) 195.17.10.10 192.168.5.10 netmask 255.255.255.255
where you are NATting the private IP of 192.168.5.10 on the inside to the public IP of 195.17.10.10 on the outside. Yes, the (inside,outside) are the wrong way round compared to IOS, but you get used to it.
Using a static NAT allows connections to be initiated from the outside to the inside. With your example, i.e.
static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0
we are simply saying present the 172.16.10.x addresses to the outside as 172.16.10.x.
Note that on other vendors' firewalls you wouldn't need this statement if the addresses you present are the same as the real addresses, as in your scenario, but this is another quirk of the Cisco PIX/ASA firewalls.
Jon
05-18-2010 07:19 AM
Thanks a lot, Jon.
05-18-2010 03:24 PM
When you use the NAT exemption method, your ACL is the other way round.
You have "access-list nonat extended permit ip any host 172.16.1.20" configured. It should have been "access-list nonat extended permit ip host 172.16.1.20 any"
However, as Jon suggested, you can also use the static-to-itself statement.
Both ways will work.
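Added example (not from any poster in this thread): a simplified Python model of how a pre-8.3 ASA picks a translation for a connection initiated from the outside, covering only the three rule types discussed above. It shows why the original "permit ip any host 172.16.1.20" exemption ACE never matches inbound traffic, why the reversed ACE and the static-to-itself statement both work, and why a host covered only by dynamic NAT cannot be reached. Rule precedence (exemption, then static, then dynamic) follows the ASA 8.2 NAT order; the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model: only inside/outside, no PAT, no policy NAT.
@dataclass
class NatExemptAce:   # one ACE of the ACL named in "nat (inside) 0 access-list <name>"
    src: str          # inside (real) side, written from the inside interface's view
    dst: str          # outside side; "0.0.0.0/0" stands for "any"

@dataclass
class StaticNat:      # static (inside,outside) MAPPED REAL netmask MASK
    mapped: str       # address range as seen from the outside
    real: str         # address range actually configured on the inside hosts

@dataclass
class DynamicNat:     # nat (inside) 1 REAL MASK + global (outside) 1 interface
    real: str

def _covers(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def inbound_real_address(rules, outside_src, dst_seen_from_outside):
    """Return the inside real address an outside-initiated packet is delivered to,
    or None when no rule permits the connection ("No translation group found")."""
    # 1. NAT exemption is checked first. The ACE source must cover the inside host
    #    (the packet's destination) and the ACE destination the outside peer.
    for r in rules:
        if isinstance(r, NatExemptAce) and _covers(r.src, dst_seen_from_outside) \
                and _covers(r.dst, outside_src):
            return dst_seen_from_outside
    # 2. Static NAT is bidirectional: match the mapped range, translate to real.
    for r in rules:
        if isinstance(r, StaticNat) and _covers(r.mapped, dst_seen_from_outside):
            mapped_base = ipaddress.ip_network(r.mapped, strict=False).network_address
            real_base = ipaddress.ip_network(r.real, strict=False).network_address
            offset = int(ipaddress.ip_address(dst_seen_from_outside)) - int(mapped_base)
            return str(real_base + offset)
    # 3. Dynamic NAT only builds xlates for inside-initiated connections, so an
    #    outside-initiated packet to a host covered by it has nothing to match.
    return None

if __name__ == "__main__":
    original = [NatExemptAce("0.0.0.0/0", "172.16.1.20/32"), DynamicNat("172.16.1.0/24")]
    fixed_acl = [NatExemptAce("172.16.1.20/32", "0.0.0.0/0"), DynamicNat("172.16.1.0/24")]
    identity = [StaticNat("172.16.10.0/24", "172.16.10.0/24")]
    print(inbound_real_address(original, "10.1.1.5", "172.16.1.20"))   # None
    print(inbound_real_address(fixed_acl, "10.1.1.5", "172.16.1.20"))  # 172.16.1.20
    print(inbound_real_address(identity, "10.1.1.5", "172.16.10.7"))   # 172.16.10.7
```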
05-19-2010 01:37 AM
Hi,
I will try this option too. Thanks for your update.
Cheers