Allow access to polycom with public IP from IP block

Roger Richards
Level 1

Good evening. What I want to be able to do is access several devices from a block of IP addresses through my ASA 5510 running 8.3 with ASDM 6.3. I tried looking up discussions on port forwarding and one-to-one NATing for hours with no results. Tried a few configs too.

I want to be able to use two public IPs to access two nodes behind the firewall.

Lost is not the only thing I am; I'm a serious newbie too. Config attached.

I tried adding

object network Video_Connection

nat (Inside,Vipowernet) static Public-66.248.xxx.xxx

:

ASA Version 8.3(1)

!

hostname ciscoasa-stx

domain-name stt.vidol.gov

enable password lb70NCTEuCJ09Sct encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Vipowernet

security-level 0

ip address 66.248.xxx. 255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.20.60.2 255.255.254.0

!

interface Ethernet0/1.30

vlan 30

nameif guest

security-level 50

no ip address

!

interface Ethernet0/1.40

vlan 40

nameif server

security-level 100

no ip address

!

interface Ethernet0/1.50

vlan 50

nameif video

security-level 100

no ip address

!

interface Ethernet0/2

nameif bcm

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/2.11

vlan 11

nameif voice

security-level 100

no ip address

!

interface Ethernet0/3

nameif ContentFilter

security-level 100

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.20.80.100 255.255.255.0

!

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone AST -4

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 10.20.60.21

name-server 172.20.16.3

domain-name stt.vidol.gov

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network STT

subnet 172.20.16.0 255.255.255.0

description St. Thomas Office      

object network A_66.248.xxxxxx

host 66.248.169.xx5

object network PublicServer_NAT1

host 10.20.60.39

object service ClockLink

service tcp source eq 5074 destination eq 5074

description Clock Link Management Software     

object network A_66.248.xxxxxx

host 66.248.xxxxxx

object service rdp

service tcp destination eq 3389

description Remote Desktop Protocol    

object network VoIP-STT-Network

subnet 192.168.4.0 255.255.255.0

object network VoIP-STX-Network

subnet 192.168.2.0 255.255.255.0

object network STTNET

subnet 172.20.16.0 255.255.255.0

description STT NETWORK

object network STXET

subnet 10.20.60.0 255.255.254.0

description STX NETWORK

object network outside

host 66.248.169.xx6

object network inside

host 10.20.60.2

object network servers-net

subnet 10.20.50.0 255.255.255.0

description servernet

object network HOST-8

host 10.20.60.8

object network Public-66.248.xxxxx

host 66.248.1xxxxx

object network Polycom

host 10.20.60.8

description polyunit connection

object service TCP8080

service tcp source eq 8080

object network Video_Connection

host 10.20.60.8

description Polycom Video

object-group network DM_INLINE_NETWORK_1

network-object host 172.20.21.4

network-object 172.20.16.0 255.255.255.0

network-object 192.168.4.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object object ClockLink

service-object object rdp

object-group network DM_INLINE_NETWORK_2

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_4

network-object 10.20.60.0 255.255.254.0

network-object object VoIP-STX-Network

object-group network DM_INLINE_NETWORK_5

network-object 10.20.60.0 255.255.254.0

network-object 192.168.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_6

network-object object STT

network-object object VoIP-STT-Network

object-group network DM_INLINE_NETWORK_7

network-object host 10.20.60.39

network-object object A_66.248.169.xx7

object-group network DM_INLINE_NETWORK_8

network-object host 125.210.221.172

network-object host 220.231.141.29

object-group service POLLY tcp

port-object eq h323

port-object eq sip

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object tcp destination eq www

service-object tcp destination eq https

access-list Vipowernet_access_in extended deny ip object-group DM_INLINE_NETWORK_8 any

access-list Vipowernet_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_7

access-list Vipowernet_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any

access-list Vipowernet_access_in extended permit ip any any inactive

access-list Vipowernet_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1

access-list Inside_access_in extended permit ip object VoIP-STX-Network object VoIP-STT-Network

access-list Inside_access_in extended permit ip host 10.20.61.1 any

access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.20.60.81 any

access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended deny ip any any

access-list VoIP_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any

access-list outside_1_cryptomap extended permit ip 10.20.60.0 255.255.254.0 172.20.16.0 255.255.255.0

access-list capture extended permit ip host 172.20.16.8 host 10.20.60.8

access-list capture extended permit ip host 10.20.60.8 host 172.20.16.8

access-list Inside_access_out extended permit tcp any host 10.20.60.8

access-list Inside_access_out extended permit tcp any host 10.20.60.8 eq www

access-list Inside_access_out extended permit tcp host 10.20.60.8 eq www any

access-list Inside_access_out extended permit tcp any object Public-66.248.xxxxxx

access-list 1 extended permit ip 10.20.60.0 255.255.254.0 10.20.40.0 255.255.255.0

access-list 1 extended permit ip 10.20.40.0 255.255.255.0 object inside

access-list 1 extended permit ip host 192.168.2.1 host 10.20.50.1

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging host Inside 10.20.60.35

logging host Inside 172.20.16.87

logging permit-hostdown

mtu Vipowernet 1500

mtu Inside 1500

mtu bcm 1500

mtu management 1500

mtu ContentFilter 1500

mtu voice 1500

mtu server 1500

mtu video 1500

mtu guest 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Vipowernet

icmp permit any Inside

icmp permit any bcm

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (Inside,Vipowernet) source dynamic any interface

nat (Inside,any) source static any any destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6

!

object network obj_any

nat (management,Vipowernet) dynamic interface

object network PublicServer_NAT1

nat (Inside,Vipowernet) static A_66.248.xxxxxx

object network Video_Connection

nat (Inside,Vipowernet) static Public-66.248.xxxxxx

access-group Vipowernet_access_in in interface Vipowernet

access-group Inside_access_in in interface Inside

access-group VoIP_access_in in interface bcm

route Vipowernet 0.0.0.0 0.0.0.0 66.248.169.xx5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.20.60.0 255.255.254.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Vipowernet_map0 1 match address Vipowernet_cryptomap

crypto map Vipowernet_map0 1 set peer 66.248.182.170

crypto map Vipowernet_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Vipowernet_map0 interface Vipowernet

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 66.248.161.170

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto ca trustpoint ASDM_TrustPoint0

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment url http://stxdc3:80/CertSrv

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment url http://stxdc3:80/CertEnroll

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment url http://stxdc3:80/certsrv

crl configure

crypto ca trustpoint ASDM_TrustPoint4

enrollment terminal

crl configure

crypto isakmp enable Vipowernet

crypto isakmp enable bcm

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

telnet 172.20.16.0 255.255.255.0 Vipowernet

telnet 10.20.61.1 255.255.255.255 Inside

telnet 10.20.60.0 255.255.254.0 Inside

telnet 0.0.0.0 0.0.0.0 Inside

telnet 172.20.16.0 255.255.255.0 Inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access Inside

threat-detection basic-threat

threat-detection statistics host number-of-rate 2

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.20.60.21 source Inside prefer

ntp server 172.20.16.3 source Inside

webvpn

group-policy DfltGrpPolicy attributes

username Ruser1 password IrO5kN5XfPlLpQcH encrypted

tunnel-group 66.248xxxxxx type ipsec-l2l

tunnel-group 66.248xxxxxx ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:a4bf5e1dcc49a69f94f46a792baa0fc5

: end

5 Replies

Jouni Forss
VIP Alumni

Hi,

Remember that you need to use the local/real IP address in the ACL as the destination IP address (even though it's NATed).

So to allow some traffic from Internet to the new Static NATed host you could use the following type of ACL rules

access-list Vipowernet_access_in extended permit tcp any object Video_Connection eq <port>

access-list Vipowernet_access_in extended permit udp any object Video_Connection eq <port>

access-list Vipowernet_access_in extended permit icmp any object Video_Connection echo

Just choose the needed protocols and ports in the ACL rules.

There should not be problems in the actual NAT configurations since you have separate public IP addresses for the devices you want to access from the public network.

You can use the following basic format for configuring Static NAT for devices

object network <name>

host <real-ip>

nat (inside,outside) static <public-ip>

You don't need to configure a separate "object" to hold the public IP address. You can just enter it after the "static" parameter.

- Jouni

OK, so for example:

object network Poly-8

host 10.10.10.8

nat (Inside,Vipowernet) static "External IP from block"   <--- If so, that no workie.

Not too keen on this, so bear with me.

Hi,

Basically the above configuration you posted is fine for a Static NAT. It essentially maps the local IP address to the public IP address.

After the "static" parameter you can directly insert the public IP address to be used as the NAT IP address.

After that you just need to allow the required services from the public network to this host.

Since the NAT configuration/operation changed with the jump from software 8.2 to 8.3, you now always need to allow traffic to the real/local IP address.

So again using the above ACL example

access-list Vipowernet_access_in extended permit tcp any object Poly-8 eq <port>

access-list Vipowernet_access_in extended permit udp any object Poly-8 eq <port>

access-list Vipowernet_access_in extended permit icmp any object Poly-8 echo

You would simply allow the required TCP/UDP ports to the device with the above configuration. You will probably need to allow several different ports, so you would need several ACL rules/lines.

- Jouni
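A worked model of the point made in both of Jouni's replies above (on 8.3+ the inbound ACL must name the real address, because the ASA untranslates the public destination before it evaluates the interface ACL). This is an added example, not code from the thread and not ASA code: it models the ordering in Python and renders the object NAT and ACL lines that the same rule data corresponds to. The public address 203.0.113.10, the remote peer 198.51.100.7 and the port list (TCP 1720 for H.225, TCP/UDP 5060 for SIP) are assumptions; the object name Video_Connection, the host 10.20.60.8 and the interface names Inside/Vipowernet are taken from the thread.

```python
"""Why an ASA 8.3+ inbound ACL must name the REAL address of a static-NATed host.

On 8.3 and later the firewall untranslates the public (mapped) destination
first and only then evaluates the inbound interface ACL, so the ACL sees
10.20.60.8.  On 8.2 the ACL was evaluated against the mapped address.
Illustrative model only (not ASA code); 203.0.113.10, 198.51.100.7 and the
port list are assumptions, the object/host/interface names are from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    obj_name: str                 # object network <name> holding the real host
    real: str                     # inside (real) address
    mapped: str                   # public (mapped) address
    real_if: str = "Inside"
    mapped_if: str = "Vipowernet"

    def asa_config(self) -> List[str]:
        # Object NAT: the public address goes directly after "static".
        return [f"object network {self.obj_name}",
                f" host {self.real}",
                f" nat ({self.real_if},{self.mapped_if}) static {self.mapped}"]


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: str                      # "any", "host A.B.C.D", CIDR or "object <name>"
    dst: str
    port: Optional[int] = None    # destination port, None = any

    def matches(self, proto: str, src: str, dst: str, port: Optional[int],
                objects: Dict[str, str]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return _addr_match(self.src, src, objects) and _addr_match(self.dst, dst, objects)

    def asa_config(self, acl_name: str) -> str:
        port = f" eq {self.port}" if self.port is not None else ""
        return f"access-list {acl_name} extended {self.action} {self.proto} {self.src} {self.dst}{port}"


def _addr_match(spec: str, ip: str, objects: Dict[str, str]) -> bool:
    if spec == "any":
        return True
    if spec.startswith("object "):
        spec = objects[spec.split(" ", 1)[1]]   # resolve the object to its host/subnet
    if spec.startswith("host "):
        spec = spec[5:]
    return ip_address(ip) in ip_network(spec, strict=False)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             port: Optional[int], objects: Dict[str, str]) -> str:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in aces:
        if ace.matches(proto, src, dst, port, objects):
            return ace.action
    return "deny"


def inbound(version: Tuple[int, int], aces: List[Ace], nats: List[StaticNat],
            proto: str, src: str, dst: str, port: Optional[int]) -> Tuple[str, str]:
    """Verdict for a new outside->inside flow plus the address the ACL was checked against."""
    objects = {n.obj_name: n.real for n in nats}
    real = next((n.real for n in nats if n.mapped == dst), None)
    if real is None:
        return "deny", dst                        # no static NAT for that public IP
    seen = real if version >= (8, 3) else dst     # 8.3+: untranslate, then ACL
    return evaluate(aces, proto, src, seen, port, objects), seen


def render_config(nats: List[StaticNat], acl_name: str, aces: List[Ace],
                  interface: str) -> List[str]:
    lines = [line for n in nats for line in n.asa_config()]
    lines += [a.asa_config(acl_name) for a in aces]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


# Constructed sample: the Polycom object from the thread behind an assumed public IP.
NATS = [StaticNat("Video_Connection", "10.20.60.8", "203.0.113.10")]

# 8.3 style: real address via the object, signalling ports only.  The posted
# global_policy inspects h323 and sip, which opens the H.245/RTP pinholes per call.
ACL_83 = [
    Ace("permit", "tcp", "any", "object Video_Connection", 1720),   # H.225 (h323)
    Ace("permit", "tcp", "any", "object Video_Connection", 5060),   # SIP
    Ace("permit", "udp", "any", "object Video_Connection", 5060),   # SIP
]
# Pre-8.3 style: the same intent written against the public address.
ACL_82 = [Ace(a.action, a.proto, a.src, "host 203.0.113.10", a.port) for a in ACL_83]

if __name__ == "__main__":
    print("\n".join(render_config(NATS, "Vipowernet_access_in", ACL_83, "Vipowernet")))
    cases = (((8, 3), ACL_83, "8.3 ACL"), ((8, 3), ACL_82, "8.2-style ACL"),
             ((8, 2), ACL_82, "8.2-style ACL"))
    for ver, acl, name in cases:
        print(ver, name, inbound(ver, acl, NATS, "tcp", "198.51.100.7", "203.0.113.10", 1720))
```

Running it prints the object NAT and ACL lines and then the verdicts. Two things the model makes visible: an ACL written the 8.2 way (against the public address) matches nothing on 8.3 and the connection is dropped by the implicit deny, and an ACL scoped to the signalling ports leaves everything else on 10.20.60.8 (RDP on 3389, for instance) denied. The posted config already carries `inspect h323 h225`, `inspect h323 ras` and `inspect sip` in global_policy, which is what opens the H.245 and RTP pinholes for each call, so only the signalling ports need ACL lines; the inactive `permit ip any any` on Vipowernet_access_in should stay inactive.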

Sorry for the late reply, I was struggling with some other stuff...

I had to add:

hostname(config)# access-group Vipowernet_access_in  in interface Vipowernet

Hi,

Seems to me that you already had that command in the configuration you posted.

You must have removed it at some point then?

- Jouni
