Inbound to partner network

Unanswered Question
Feb 27th, 2012

Hi,

I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network.

eg

Internet address 94.175.x.100 goes to 151.5.3.100.

The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.

Is this possible with the ASA5510, and if so can you give me a clue how to pass the traffic?

Thanks

Trevor

Jon Marshall Mon, 02/27/2012 - 07:06

Trevor

For this to work you need a couple of things to be in place -

1) the ASA can reach the 151.5.3.0/24 network, i.e. it has a route to the 151.5.3.0/24 network

2) there is a default-route in your internal network that points back to the ASA so when 151.5.3.100 sends traffic back to 94.175.x.100 the return traffic goes back to the ASA.

If both of the above are in place then you would simply need to -

1) add a rule to the access-list applied to the outside interface of the ASA (assuming there is one) to allow the traffic

and

2) set up a static NAT for the 151.5.3.x clients eg.

static (inside,outside) 151.5.3.100 151.5.3.100

Note that you can be more specific with the NAT if you only want to allow certain ports, i.e.

static (inside,outside) tcp 151.5.3.100 80 151.5.3.100 80

would set up NAT only for port 80. Bear in mind though that you still need the ACL allowing the access, so if there are a lot of ports then the first static would make more sense. Also note these are pre 8.2 NAT commands, so you may need to adjust if the OS version is more recent.

If the first 2 conditions are not in place you can still do it but you may need to do more things with NAT.

Jon
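A worked configuration for the setup described in this answer, added here as an example and not taken from the post: it uses the public-to-private mapping from the question (94.175.x.100 to 151.5.3.100, with X standing in for the elided octet), an assumed inside next-hop of 10.42.15.1 and an assumed ACL name outside_access_in, and shows both the pre-8.3 static form used above and the object NAT form that ASA 8.3 and later require.

```text
! --- Prerequisite 1: the ASA needs a route to the MPLS-side subnet ---
! 10.42.15.1 is an assumed next-hop (the inside router toward the MPLS).
route inside 151.5.3.0 255.255.255.0 10.42.15.1 1

! --- Pre-8.3 syntax (same form as the static command in the answer) ---
! Public 94.175.X.100 is translated to the real host 151.5.3.100.
static (inside,outside) 94.175.X.100 151.5.3.100 netmask 255.255.255.255

! Pre-8.3: the ACL on the outside interface matches the MAPPED (public) address.
! Only TCP/80 is opened here; widen only to the ports actually needed.
access-list outside_access_in extended permit tcp any host 94.175.X.100 eq 80
access-group outside_access_in in interface outside

! --- ASA 8.3 and later: object NAT replaces the static command ---
object network srv-151-5-3-100
 host 151.5.3.100
 nat (inside,outside) static 94.175.X.100

! 8.3+: the outside ACL matches the REAL (untranslated) address, so the
! rule references the object (or host 151.5.3.100), not 94.175.X.100.
access-list outside_access_in extended permit tcp any object srv-151-5-3-100 eq 80
access-group outside_access_in in interface outside
```

Prerequisite 2 from the answer (a default route in the MPLS network that returns 151.5.3.100's traffic to the ASA inside interface) is a routing change on the WAN side and is not expressed in ASA configuration.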

peacockt Mon, 02/27/2012 - 07:25

Hi Jon,

Thanks for replying.

I have a route from the ASA to the 151.5.3.0/24 network, and a traceroute from the ASA shows that this works; the destination server on the 151.5.3 network can see the ASA.

The NAT and ACL work for the service on 10.42.15 network.

So ...

Do I need to allow routing from the 151.5.3 network to the external internet addresses across the MPLS?

e.g. on the router at the site: ip route 94.x.y.z/24 151.5.3.gateway

Thanks

Trevor

Jon Marshall Mon, 02/27/2012 - 07:46

Trevor

It depends on whether you have a default-route in your network pointing to the ASA. If you try a traceroute from the 151.5.3.x network to the internet address, does it go to the ASA inside interface?

Jon

peacockt Mon, 02/27/2012 - 07:53

Hi Jon,

After several hops it ends up on the ASA inside interface. The ASA in my office is the gateway of last resort for the entire MPLS.

Thanks

Trevor

Jon Marshall Mon, 02/27/2012 - 07:57

Trevor

That's good. So it should just be a case of setting up the static and adding the rule(s) to the access-list, and you should be good to go.

Jon

peacockt Mon, 02/27/2012 - 07:59

Jon,

Thanks for the help.

I'll try the config this evening and let you know how it goes.

Thanks again

Trevor

Posted February 27, 2012 at 6:47 AM