Novices - ASA 5505 - Creating NAT Rule

Our external security department needs to scan, every three months, a computer behind the firewall. I need to create a simple NAT rule that will allow an IP address or subnet to reach the computers behind the ASA 5505. At the moment, we have a simple NAT rule which allows all network traffic to exit from inside to outside. Can you post a NAT rule that will permit the external IP to access the internal computers?


Thanks

johuggin Thu, 03/08/2012 - 11:56

Hello,


Some things which we'll need to know:


- What IOS version is the ASA running? (If you don't know, you can do a 'show version' command)

- What specific ports does the scan need? Or do you want to open all ports to the scan?


If you have another available public IP address, you can open up all ports to the scan. If your only available public IP address is the one the ASA is using, we will need to know what ports will be in use by the scan.


Thanks!

Joey

Hello,


I followed the instructions, running show version. The current Cisco Adaptive Security Appliance Software Version is 7.2(3). The scanner will need to hit every port on the computer(s) behind the firewall. For example purposes, the scanner is coming from the a.b.c.d network, going through the external firewall address 192.168.1.0 (external interface or VLAN2) and then hitting the 10.2.1.0/24 (internal interface VLAN1) computers.

johuggin Thu, 03/08/2012 - 12:11

Here's what you'll need:


ASA# conf t
ASA(config)# static (vlan1,vlan2) 192.168.1.x 10.2.1.x netmask 255.255.255.255


Note that 192.168.1.x is the external IP that the scanner will connect to. This will translate to the real computer address of 10.2.1.x. 192.168.1.x shouldn't be the IP you are using for internet access for the inside.


Don't forget the access-list!


ASA# conf t
ASA(config)# access-list outside_access_in permit ip host <scanner-ip> host 192.168.1.x
ASA(config)# access-group outside_access_in in interface <outside-interface>


Here's a Cisco doc if you need more explanation:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11


Hope this helps!

Joey

Joseph.


Not to get confused, but in your command static (vlan1,vlan2) 192.168.1.x 10.2.1.x netmask 255.255.255.255, it shows 192.168.1.x as the vlan1 interface. Am I reading this command correctly? In my previous note, it was mentioned that interface 1 or vlan1 is 10.2.1.x and interface 2 or vlan2 is 192.168.1.x.

Thanks

johuggin Thu, 03/08/2012 - 12:30

Hello,


Actually, that's how the syntax is set up. Here's an excerpt from the Cisco doc which might make more sense:


static (real_interface,mapped_interface) mapped_ip real_ip netmask mask


Here, 'real' refers to your internal vlan 1. 'mapped' refers to your external vlan 2.

Sorry if it's confusing, I know it doesn't make much intuitive sense.

Thanks!

Joey

johuggin Thu, 03/08/2012 - 12:49

Yep.


Just remember the above syntax for a one-to-one mapping. Also remember you'll probably need an ACL entry for any new connections going through.

Just FYI, if you want to be more specific in your translation, you can specify ports as well:


static (real_interface,mapped_interface) [tcp/udp] mapped_ip [mapped_port] real_ip [real_port] netmask mask


This might be more helpful for your file server. For instance, you could only translate FTP traffic instead of all ports. This is better practice security-wise and can also help save external IPs from being used up.


Thanks!

Joey

Just for checking purposes, I ran the command sh nat and the firewall returned this back to me. What do you think?


ciscoasa# sh nat

NAT policies on Interface inside:
  match ip inside host 10.2.1.1 outside any
    static translation to 192.168.1.2
    translate_hits = 0, untranslate_hits = 87
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.2 [Interface PAT])
    translate_hits = 43740, untranslate_hits = 121
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
ciscoasa#
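The sh nat output above already shows the problem johuggin points out in the next reply: the static's mapped address 192.168.1.2 is also the interface PAT address. This added example (not from the thread or from Cisco) parses that output format, reports the conflict for a proposed mapped IP, and emits the pre-8.3 static plus a scanner-only ACL in the form johuggin gives; it assumes the inside/outside nameif names from the configuration posted later in the thread, and the scanner address used in the test is constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the "sh nat" output posted above (ASA 7.2 format).
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside host 10.2.1.1 outside any
    static translation to 192.168.1.2
    translate_hits = 0, untranslate_hits = 87
  match ip inside any outside any
    dynamic translation to pool 1 (192.168.1.2 [Interface PAT])
    translate_hits = 43740, untranslate_hits = 121
"""
MATCH_RE = re.compile(r"^\s*match ip (\S+) (host \S+|\S+) (\S+) (host \S+|\S+)")
STATIC_RE = re.compile(r"^\s*static translation to (\S+)")
PAT_RE = re.compile(r"^\s*dynamic translation to pool \d+ \((\S+) \[Interface PAT\]\)")

def parse_show_nat(text):
    """Return (statics, pat): statics = [(real_host, mapped_ip)], pat = {mapped_if: pat_ip}."""
    statics, pat, real, mapped_if = [], {}, None, None
    for line in text.splitlines():
        if m := MATCH_RE.match(line):   # new policy: note its real host and mapped interface
            real, mapped_if = m.group(2).split()[-1], m.group(3)
        elif m := STATIC_RE.match(line):
            statics.append((real, m.group(1)))
        elif m := PAT_RE.match(line):
            pat[mapped_if] = m.group(1)
    return statics, pat

def check_mapped_ip(mapped_ip, statics, pat, outside_net, mapped_if="outside"):
    """List the conflicts a new one-to-one static using mapped_ip would have."""
    problems = []
    if ip_address(mapped_ip) not in ip_network(outside_net):
        problems.append(f"{mapped_ip} is not in the outside subnet {outside_net}")
    if pat.get(mapped_if) == mapped_ip:   # the mistake in the thread: static == interface PAT
        problems.append(f"{mapped_ip} is the interface PAT address on {mapped_if}")
    problems += [f"{mapped_ip} is already mapped to {r}" for r, m in statics if m == mapped_ip]
    return problems

def static_and_acl(scanner_ip, mapped_ip, real_ip, proto=None, port=None):
    """Pre-8.3 static plus an ACL admitting only the scanner; interface names are the nameif names."""
    if proto:   # port-restricted form from the thread, e.g. proto="tcp", port=21 for FTP
        static = f"static (inside,outside) {proto} {mapped_ip} {port} {real_ip} {port} netmask 255.255.255.255"
        acl = f"access-list outside_access_in extended permit {proto} host {scanner_ip} host {mapped_ip} eq {port}"
    else:
        static = f"static (inside,outside) {mapped_ip} {real_ip} netmask 255.255.255.255"
        acl = f"access-list outside_access_in extended permit ip host {scanner_ip} host {mapped_ip}"
    return [static, acl, "access-group outside_access_in in interface outside"]
```

Run check_mapped_ip with the mapped address you intend to use before pasting the static; an empty list means no clash with the interface PAT or an existing static.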

johuggin Thu, 03/08/2012 - 14:12

Hello,


As I mentioned before, you should not use the same external IP as your existing PAT to avoid conflicts. Can you use a different external IP address? I would suggest removing the static for now to avoid any issues.


johuggin Fri, 03/09/2012 - 11:57

Hello,


I'm a little confused because you said your ISP is only giving you two IP addresses, but you are using a private 192.168.1.x range externally.


The static can use any other IP in the same range (like 192.168.1.3, 192.168.1.4, etc..). It just shouldn't be the one you are already using (192.168.1.2) for your interface PAT.


Hope this makes sense. I apologize if I'm not understanding.


Thanks

Joey

Hi,


The address given for the external interface will only route in our institution. The ISP has the public IP address. They translate from public to private IP space for us. Therefore, the address 192.168.1.x is the outside firewall interface. Now, you are suggesting that I could use 192.168.1.3 to point any external traffic into the network behind the firewall. My previous question is, then, where does one configure this IP? It has to be configured on some external interface, otherwise it will not broadcast.

Thanks

johuggin Fri, 03/09/2012 - 13:00

Hello,


The ASA will broadcast the IP used in the static. There is no need to map it to an interface. So to answer your question, you configure it in the static command we discussed previously.


I'm not sure how this will work with your ISP setup as they are the ones who are doing the translations for your network. You may need to let them know that you have a new 192.168.1.x address which needs to be translated.


Hope this helps!
Joey

Hi Joseph,


I got some new IP addresses. Below, I have included the complete configuration. The outside traffic is not able to see the computer behind the firewall. I have tried the suggestion you mentioned before, without any luck. Can you take another look, please?



ASA Version 7.2(3)
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 152.18.75.132 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network dts-servers
 network-object host 152.31.53.251
 network-object host 152.31.53.195
object-group network frs_servers
 network-object 152.111.5.22 255.255.255.255
access-list extended extended permit ip any any
access-list extended extended permit icmp any any
access-list extended extended permit ip any object-group dts-servers
access-list acl_out extended permit tcp any object-group frs_servers eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit 152.31.53.0 255.255.255.0 outside
icmp permit 152.31.185.0 255.255.255.0 outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 152.31.53.0 255.255.255.0 outside
ssh 152.18.1.128 152.18.75.132 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

johuggin Tue, 03/13/2012 - 09:35

Hello,


I don't see the static in your configuration. Did you remove it once it wasn't working? How did it look?

johuggin Tue, 03/13/2012 - 09:50

Did you also add the access-list and access-group? You have ACLs but they aren't grouped to any interface.


Example (per your static):

access-list outside_access_in permit ip any host 152.18.75.133
access-group outside_access_in in interface outside


I'm not sure you want to allow all traffic, but this is just an example. If you want to just test ICMP, you can modify the ACL for whatever traffic you want.
