Inbound to partner network

Feb 27th, 2012
Hi,


I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network.


eg


Internet address 94.175.x.100 goes to 151.5.3.100.

The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.


Is this possible with the ASA5510, and if so can you give me a clue how to pass the traffic?


Thanks


Trevor

Jon Marshall Mon, 02/27/2012 - 07:06
Trevor


For this to work you need a couple of things to be in place -


1) the ASA can reach the 151.5.3.0/24 network, i.e. it has a route to the 151.5.3.0/24 network


2) there is a default route in your internal network that points back to the ASA, so when 151.5.3.100 sends traffic back to 94.175.x.100 the return traffic goes back to the ASA.


If both of the above are in place then you would simply need to -


1) add a rule to the access-list applied to the outside interface of the ASA (assuming there is one) to allow the traffic


and


2) set up a static NAT for the 151.5.3.x clients, e.g.


static (inside,outside) 151.5.3.100 151.5.3.100


Note that you can be more specific with the NAT if you only want to allow certain ports, i.e.


static (inside,outside) tcp 151.5.3.100 80 151.5.3.100 80 


would set up NAT only for port 80. Bear in mind though that you still need the ACL allowing the access, so if there are a lot of ports then the first static would make more sense. Also note these are pre-8.2 NAT commands, so you may need to adjust if the OS version is more recent.


If the first two conditions are not in place you can still do it, but you may need to do more things with NAT.


Jon
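The configuration Jon describes, written out as a complete ASA fragment. This is an added example, not part of Jon's reply or the original post. It covers the three pieces the reply names: the route to the remote site, a static NAT that presents the partner host on the public address the question mentions, and an outside access list that permits only the published port. Both the pre-8.3 `static` syntax Jon quotes and the object NAT syntax that replaced it in ASA 8.3 are shown, since the syntax (and the address the outside ACL must reference) changed at that release. Assumptions: the inside next hop 10.42.15.1, the ACL name outside_access_in, the object name PARTNER_151_5_3_100, TCP 443 as the published service, and the packet-tracer source 203.0.113.10 are all made up for illustration; 94.175.x.100 is the poster's redacted public address and must be replaced with the real one.

```cisco
! ---------------------------------------------------------------
! 1) Route to the partner subnet via the MPLS-facing inside next hop
!    (10.42.15.1 is an assumed next hop, not from the thread)
! ---------------------------------------------------------------
route inside 151.5.3.0 255.255.255.0 10.42.15.1

! ---------------------------------------------------------------
! 2) Static NAT: public 94.175.x.100 <-> partner host 151.5.3.100
!    'x' is the poster's redaction; substitute the real octet.
! ---------------------------------------------------------------
! --- ASA 8.2 and earlier: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (inside,outside) 94.175.x.100 151.5.3.100 netmask 255.255.255.255
! Port-restricted alternative (publishes only TCP/443):
! static (inside,outside) tcp 94.175.x.100 443 151.5.3.100 443 netmask 255.255.255.255

! --- ASA 8.3 and later: object NAT on the real host
! object network PARTNER_151_5_3_100
!  host 151.5.3.100
!  nat (inside,outside) static 94.175.x.100
! Port-restricted alternative:
!  nat (inside,outside) static 94.175.x.100 service tcp 443 443

! ---------------------------------------------------------------
! 3) Outside ACL: permit only the published service. The NAT alone
!    does not open anything; the ACL is what admits the traffic.
! ---------------------------------------------------------------
! --- ASA 8.2 and earlier: the outside ACL matches the MAPPED (public) address
access-list outside_access_in extended permit tcp any host 94.175.x.100 eq 443
! --- ASA 8.3 and later: the outside ACL matches the REAL address
! access-list outside_access_in extended permit tcp any object PARTNER_151_5_3_100 eq 443
access-group outside_access_in in interface outside

! ---------------------------------------------------------------
! Verification: trace a synthetic inbound SYN from a constructed
! internet source (203.0.113.10) to the public address. Every phase
! (ROUTE-LOOKUP, ACCESS-LIST, NAT) should report ALLOW; the result
! line should show input outside, output inside.
! ---------------------------------------------------------------
! packet-tracer input outside tcp 203.0.113.10 12345 94.175.x.100 443 detailed
! show xlate | include 151.5.3.100
! show access-list outside_access_in
```

The return-path condition Jon lists first is not something the ASA can fix on its own: packet-tracer confirms the inbound direction, but the reply from 151.5.3.100 to the internet source must also arrive at the same ASA, otherwise the stateful session has no matching return flow and the connection is dropped. Checking that the partner site's default route ends at the ASA inside interface, as the thread goes on to do, is the right test for that half.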

Trevor Peacock Mon, 02/27/2012 - 07:25
Hi Jon,


Thanks for replying.


I have a route from the ASA to the 151.5.3.0/24 network, and a traceroute from the ASA shows that this works; the destination server on the 151.5.3 network can see the ASA.


The NAT and ACL work for the service on 10.42.15 network.


So ...


Do I need to allow routing from the 151.5.3 network to the external internet addresses across the MPLS?


e.g. on the router at the site: ip route 94.x.y.z/24 151.5.3.gateway


Thanks


Trevor

Jon Marshall Mon, 02/27/2012 - 07:46
Trevor


It depends on whether you have a default route in your network pointing to the ASA. If you try a traceroute from the 151.5.3.x network to the internet address, does it go to the ASA inside interface?


Jon

Trevor Peacock Mon, 02/27/2012 - 07:53
Hi Jon,


After several hops it ends up on the ASA inside interface. The ASA in my office is the gateway of last resort for the entire MPLS.



Thanks


Trevor

Jon Marshall Mon, 02/27/2012 - 07:57
Trevor


That's good. So it should just be a case of setting up the static and adding the rule(s) to the access list, and you should be good to go.


Jon

Trevor Peacock Mon, 02/27/2012 - 07:59
Jon,


Thanks for the help.


I'll try the config this evening and let you know how it goes.


Thanks again


Trevor
