07-26-2010 03:39 PM - edited 03-11-2019 11:16 AM
I have an ASA 5505 in front of (7) devices. Each device is statically NAT'd to an external IP address with ACLs restricting the specific ports. This setup works perfectly on ASAs with a single host behind the ASA. Below is a sample config of the ASA. Any help would be greatly appreciated!
interface Vlan10
nameif inside
security-level 100
ip address 10.200.3.161 255.255.255.240
!
interface Vlan300
nameif outside
security-level 0
allow-ssc-mgmt
ip address 172.21.3.74 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 300
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Poll tcp
description External Poller
port-object eq 2101
object-group service Poll2 tcp
description Poll 20000
port-object eq 20000
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq 20000
object-group network New_Hosts
description New Hosts
network-object 192.168.95.0 255.255.255.0
network-object 192.168.96.0 255.255.255.0
network-object 192.168.97.0 255.255.255.0
network-object 192.168.98.0 255.255.255.0
object-group network Old_Hosts
description Old Hosts (Subnets)
network-object 192.168.89.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
group-object New_Hosts
group-object Old_Hosts
network-object 192.168.79.0 255.255.255.0
network-object 192.168.201.0 255.255.255.248
object-group network DM_INLINE_NETWORK_4
network-object 192.168.201.0 255.255.255.248
network-object 192.168.79.0 255.255.255.0
group-object New_Hosts
group-object Old_Hosts
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq 20000
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 host 172.21.3.64 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.66 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.67 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.70 log debugging inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.71 log debugging inactive
access-list inside_access_in extended permit ip any any log debugging
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.66 10.200.3.168 netmask 255.255.255.255
static (inside,outside) 172.21.3.67 10.200.3.169 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
static (inside,outside) 172.21.3.71 10.200.3.172 netmask 255.255.255.255
static (inside,outside) 172.21.3.64 10.200.3.174 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.1 1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
07-26-2010 06:03 PM
Hello,
All your access-lists that allow ICMP connections from outside to inside are
inactive. I would suggest either reactivating the access-lists or trying a
specific ACL for ICMP to see if that helps.
Access-list outside_access_in line 1 permit icmp any any echo
Hope this helps.
Regards,
NT
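The check NT did by eye (every ACE that would let the external pollers reach a statically NAT'd host ends in `inactive`) is easy to script against a saved `show run`. The linter below is an added example, not code from the thread or from Cisco: it reads pre-8.3 style `static (inside,outside) MAPPED REAL` lines, finds the ACL bound inbound on the outside interface, and reports each static whose mapped address is permitted only by inactive ACEs, or by none at all. It matches the mapped address only against a literal `host` token or `any` in the ACE (it does not expand network object-groups, so an ACE that reaches the host through a group is reported as "no ACE" and needs a manual look). It also flags `network-object host` lines that carry a netmask, a form the ASA parser rejects. The sample configuration is a constructed excerpt modelled on the posted one.

```python
"""Lint a pre-8.3 Cisco ASA config for statics that are only reachable
through inactive ACEs.  Added example; not from the original thread."""
import re

# Constructed excerpt modelled on the thread's configuration.
SAMPLE_CONFIG = """\
object-group network New_Hosts
 network-object host 192.168.95.0 255.255.255.0
object-group network Old_Hosts
 network-object 192.168.89.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 host 172.21.3.65 log debugging inactive
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_1 host 172.21.3.69 log debugging
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 172.21.3.69 eq 2101 log debugging
static (inside,outside) 172.21.3.65 10.200.3.167 netmask 255.255.255.255
static (inside,outside) 172.21.3.69 10.200.3.170 netmask 255.255.255.255
static (inside,outside) 172.21.3.70 10.200.3.171 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(%s)\s+(%s)" % (IPV4, IPV4))
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# "network-object host A.B.C.D MASK": the ASA rejects a mask after "host".
BAD_HOST_RE = re.compile(r"^network-object\s+host\s+%s\s+%s$" % (IPV4, IPV4))


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def inbound_acl_for(config, interface="outside"):
    """Name of the ACL applied with 'access-group NAME in interface IF'."""
    for ln in _lines(config):
        m = ACCESS_GROUP_RE.match(ln)
        if m and m.group(2) == interface:
            return m.group(1)
    return None


def parse_aces(config, acl_name):
    """Each ACE: action, whether it ends in 'inactive', the 'host X' tokens
    it names, and whether it uses 'any' anywhere."""
    aces = []
    for ln in _lines(config):
        m = ACE_RE.match(ln)
        if not m or m.group(1) != acl_name:
            continue
        tokens = m.group(3).split()
        hosts = {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "host"}
        aces.append({"line": ln, "action": m.group(2),
                     "inactive": tokens[-1] == "inactive",
                     "hosts": hosts, "any": "any" in tokens})
    return aces


def parse_statics(config):
    """static (real_if,mapped_if) MAPPED REAL ... -> list of dicts."""
    out = []
    for ln in _lines(config):
        m = STATIC_RE.match(ln)
        if m:
            out.append({"real_if": m.group(1), "mapped_if": m.group(2),
                        "mapped": m.group(3), "real": m.group(4)})
    return out


def find_unreachable_statics(config, interface="outside"):
    """Return (mapped, real, reason) for every static on `interface` whose
    mapped address has no active permit ACE in the inbound ACL."""
    acl = inbound_acl_for(config, interface)
    aces = parse_aces(config, acl) if acl else []
    findings = []
    for st in parse_statics(config):
        if st["mapped_if"] != interface:
            continue
        matching = [a for a in aces if a["action"] == "permit"
                    and (a["any"] or st["mapped"] in a["hosts"])]
        if not matching:
            findings.append((st["mapped"], st["real"], "no ACE"))
        elif all(a["inactive"] for a in matching):
            findings.append((st["mapped"], st["real"], "only inactive ACEs"))
    return findings


def find_malformed_network_objects(config):
    """Lines of the form 'network-object host A.B.C.D MASK'."""
    return [ln for ln in _lines(config) if BAD_HOST_RE.match(ln)]


if __name__ == "__main__":
    for mapped, real, reason in find_unreachable_statics(SAMPLE_CONFIG):
        print("static %s -> %s: %s" % (mapped, real, reason))
    for ln in find_malformed_network_objects(SAMPLE_CONFIG):
        print("malformed: %s" % ln)
```

Run it against a pasted `show run` instead of `SAMPLE_CONFIG` to get the same list the answer above derives by hand; on the sample it reports 172.21.3.65 as reachable only through an inactive ACE and 172.21.3.70 as having no ACE at all, while 172.21.3.69 (which has active ICMP and tcp/2101 entries) is not listed.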
07-26-2010 04:03 PM
OK, can you elaborate on the issue you are experiencing a little more? I can't understand
what you are trying to do and where you are seeing issues.
thanks
Manish
07-26-2010 05:41 PM
The devices I am trying to place behind the firewall are currently running on the network using the addresses defined in the NAT rules. The internal devices can ping out just fine, but the external hosts are unable to ping through the firewall or poll the internal devices as required. I am beginning to think it may be an ARP issue, but I want to rule out the NAT/ACL rules first.
Thank you for the reply!
07-26-2010 06:18 PM
Yeah, it should work the way NT mentioned.
or you can do this
object-group icmp-type icmp
icmp-object echo
icmp-object echo-reply
and then give an access-list statement:-
access-list outside_access_in extended permit icmp object-group xxx (your whitelist IPs) a.b.c.d 255.255.255.0 object-group icmp
thanks
Manish