01-09-2014 12:20 PM - edited 03-11-2019 08:27 PM
I have cisco ASA 5510 and am using ASDM
I am new to ASA and am trying to understand what to do for the below.
1. I have public ip 4.79.205.89 ---------> FW------> 192.168.10.1 ( Apool interface )
For this to work, would I need both an Access rule and a NAT rule? I need to open up the port for TCP. If something is being sent out of 192.168.10.1 I need to NAT it to 4.79.205.89.
I have 2 interfaces: external and Apool (192.168.10), and the spool 192.168.30 network.
a) The NAT rule will be for interface Apool, correct? Is the static NAT 2-way? Meaning,
how does the traffic coming from outside know that it will need to go to 192.168.10.1?
If I set the NAT rule below, it seems that whatever is sent from 192.168.10.1 needs its IP translated to 4.79.205.89, but how does it know that the traffic from outside sent to 4.79.205.89 needs to go to 192.168.10.1?
interface: App pool
source: 192.168.10.1
Translated:
interface: external
destination: 4.79.205.89
b) How do I allow traffic from the public IP to communicate with 192.168.10, which is behind the FW?
I added an Access rule for interface external:
Action:permit
source:any
destination: 4.79.205.89
port:tcp
Thanks
Sagar
01-09-2014 12:52 PM
Sagar
What exactly is the TCP port you need to allow, i.e. what application is on 192.168.10.1 that you want to allow access to from the internet?
Do you have an access-list configured on any interfaces already?
What version of software are you using ?
Jon
01-09-2014 01:05 PM
Hi, I am using ASDM 6.2. I need to enable SSH port 22; it is an SFTP server.
01-09-2014 01:11 PM
Sagar
Unfortunately I'm not familiar with ASDM. Attached is the config guide for ASDM for setting up static NAT:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html#wp1072634
You would also need to add a rule to the ACL applied to your outside interface (assuming you have one) to allow the traffic.
If you are happy to use the CLI I can supply the actual commands. If you want to do this, can you post your current config or tell me which version of software is running on the ASA?
Jon
01-09-2014 01:15 PM
Hi, here is the show version:
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
oshac5510fw up 247 days 1 hour
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 512MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
01-09-2014 01:20 PM
Sagar
static (inside,outside) tcp 4.79.205.89 22 192.168.10.1 22
access-list outside_in permit tcp any host 4.79.205.89 eq ssh
A couple of points:
1) I have assumed that 192.168.10.1 is reachable from the inside interface.
2) If you already have an ACL applied to the outside interface, then change the name of the ACL in the above. If you don't have an ACL applied to the outside interface, you need to add this additional command:
access-group outside_in in interface outside
Jon
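As an added illustration (not part of the thread, and not Cisco's tooling), the small checker below reads an ASA 8.2-style config fragment and verifies that every `static` port forward has a matching permit in the ACL that is actually applied to the mapped interface with `access-group`, which is exactly the pair of commands the answer above says are needed. The sample config is constructed; the parsing only handles the single-host `static` and `eq <port>` forms used here.

```python
import re

# Constructed ASA 8.2 fragment mirroring the static PAT + ACL pattern above.
SAMPLE_CONFIG = """
static (inside,outside) tcp 4.79.205.89 22 192.168.10.1 22 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 4.79.205.89 eq ssh
access-group outside_in in interface outside
"""

# Port keywords ASA accepts after "eq"; only the ones needed for this check.
PORT_NAMES = {"ssh": 22, "ftp": 21, "www": 80, "https": 443}

# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# access-list NAME [extended] permit proto SOURCE host MAPPED_IP eq PORT
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) (\S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def port_num(tok):
    """Resolve 'ssh' or '22' to an integer port."""
    return PORT_NAMES.get(tok) or int(tok)

def check_port_forward(config):
    """Return (mapped_ip, port, ok, reason) for each static port forward."""
    statics, acls, applied = [], [], {}   # applied: interface -> ACL name
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _, mapped_if, proto, mip, mport, rip, rport = m.groups()
            statics.append((mapped_if, proto, mip, port_num(mport)))
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.append((name, proto, src, dst, port_num(port)))
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
    findings = []
    for mapped_if, proto, mip, mport in statics:
        acl = applied.get(mapped_if)
        if acl is None:   # the NAT exists but nothing opens the inbound path
            findings.append((mip, mport, False, f"no access-group on {mapped_if}"))
            continue
        hits = [a for a in acls
                if a[0] == acl and a[1] == proto and a[3] == mip and a[4] == mport]
        if not hits:
            findings.append((mip, mport, False, f"ACL {acl} has no permit for {proto}/{mport}"))
        else:
            findings.append((mip, mport, True, f"permitted from source '{hits[0][2]}'"))
    return findings

if __name__ == "__main__":
    for f in check_port_forward(SAMPLE_CONFIG):
        print(f)
```

Feeding it the `static` line alone (no `access-group`) reports the forward as not reachable, which is the second caveat in the answer above.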
12-09-2018 12:05 PM
If you add another ethernet interface, let's say a USB one, and manually configure it with an IP, say 192.168.10.1 - check this link, the same thing happens above with free routes. Assume you assigned the USB ethernet adapter 192.168.10.1 with subnet mask /24 (or 255.255.255.0).
12-10-2018 10:21 PM
Hi,
You need to have a port forward NAT rule and an ACL for this. Hope the link below helps with it.
Good luck