08-21-2013 08:18 AM - edited 03-11-2019 07:28 PM
Good evening. What I want to be able to do is access several devices from a block of IP addresses through my ASA 5510 running 8.3 (ASDM 6.3). I tried looking up discussions on port forwarding and one-to-one NATing for hours with no results. Tried a few configs too.
I want to be able to use two public IPs to access two nodes behind the firewall.
Lost is not only what I am; I am also a serious newbie. Config attached.
I tried adding
object network Video_Connection
nat (Inside,Vipowernet) static Public-66.248.xxx.xxx
:
ASA Version 8.3(1)
!
hostname ciscoasa-stx
domain-name stt.vidol.gov
enable password lb70NCTEuCJ09Sct encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Vipowernet
security-level 0
ip address 66.248.xxx. 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.20.60.2 255.255.254.0
!
interface Ethernet0/1.30
vlan 30
nameif guest
security-level 50
no ip address
!
interface Ethernet0/1.40
vlan 40
nameif server
security-level 100
no ip address
!
interface Ethernet0/1.50
vlan 50
nameif video
security-level 100
no ip address
!
interface Ethernet0/2
nameif bcm
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.11
vlan 11
nameif voice
security-level 100
no ip address
!
interface Ethernet0/3
nameif ContentFilter
security-level 100
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.20.80.100 255.255.255.0
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone AST -4
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.20.60.21
name-server 172.20.16.3
domain-name stt.vidol.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network STT
subnet 172.20.16.0 255.255.255.0
description St. Thomas Office
object network A_66.248.xxxxxx
host 66.248.169.xx5
object network PublicServer_NAT1
host 10.20.60.39
object service ClockLink
service tcp source eq 5074 destination eq 5074
description Clock Link Management Software
object network A_66.248.xxxxxx
host 66.248.xxxxxx
object service rdp
service tcp destination eq 3389
description Remote Desktop Protocol
object network VoIP-STT-Network
subnet 192.168.4.0 255.255.255.0
object network VoIP-STX-Network
subnet 192.168.2.0 255.255.255.0
object network STTNET
subnet 172.20.16.0 255.255.255.0
description STT NETWORK
object network STXET
subnet 10.20.60.0 255.255.254.0
description STX NETWORK
object network outside
host 66.248.169.xx6
object network inside
host 10.20.60.2
object network servers-net
subnet 10.20.50.0 255.255.255.0
description servernet
object network HOST-8
host 10.20.60.8
object network Public-66.248.xxxxx
host 66.248.1xxxxx
object network Polycom
host 10.20.60.8
description polyunit connection
object service TCP8080
service tcp source eq 8080
object network Video_Connection
host 10.20.60.8
description Polycome Video
object-group network DM_INLINE_NETWORK_1
network-object host 172.20.21.4
network-object 172.20.16.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object ClockLink
service-object object rdp
object-group network DM_INLINE_NETWORK_2
network-object 10.20.60.0 255.255.254.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.20.60.0 255.255.254.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 10.20.60.0 255.255.254.0
network-object object VoIP-STX-Network
object-group network DM_INLINE_NETWORK_5
network-object 10.20.60.0 255.255.254.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object object STT
network-object object VoIP-STT-Network
object-group network DM_INLINE_NETWORK_7
network-object host 10.20.60.39
network-object object A_66.248.169.xx7
object-group network DM_INLINE_NETWORK_8
network-object host 125.210.221.172
network-object host 220.231.141.29
object-group service POLLY tcp
port-object eq h323
port-object eq sip
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
access-list Vipowernet_access_in extended deny ip object-group DM_INLINE_NETWORK_8 any
access-list Vipowernet_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_7
access-list Vipowernet_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list Vipowernet_access_in extended permit ip any any inactive
access-list Vipowernet_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1
access-list Inside_access_in extended permit ip object VoIP-STX-Network object VoIP-STT-Network
access-list Inside_access_in extended permit ip host 10.20.61.1 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.20.60.81 any
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended deny ip any any
access-list VoIP_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list outside_1_cryptomap extended permit ip 10.20.60.0 255.255.254.0 172.20.16.0 255.255.255.0
access-list capture extended permit ip host 172.20.16.8 host 10.20.60.8
access-list capture extended permit ip host 10.20.60.8 host 172.20.16.8
access-list Inside_access_out extended permit tcp any host 10.20.60.8
access-list Inside_access_out extended permit tcp any host 10.20.60.8 eq www
access-list Inside_access_out extended permit tcp host 10.20.60.8 eq www any
access-list Inside_access_out extended permit tcp any object Public-66.248.xxxxxx
access-list 1 extended permit ip 10.20.60.0 255.255.254.0 10.20.40.0 255.255.255.0
access-list 1 extended permit ip 10.20.40.0 255.255.255.0 object inside
access-list 1 extended permit ip host 192.168.2.1 host 10.20.50.1
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host Inside 10.20.60.35
logging host Inside 172.20.16.87
logging permit-hostdown
mtu Vipowernet 1500
mtu Inside 1500
mtu bcm 1500
mtu management 1500
mtu ContentFilter 1500
mtu voice 1500
mtu server 1500
mtu video 1500
mtu guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Vipowernet
icmp permit any Inside
icmp permit any bcm
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside,Vipowernet) source dynamic any interface
nat (Inside,any) source static any any destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6
!
object network obj_any
nat (management,Vipowernet) dynamic interface
object network PublicServer_NAT1
nat (Inside,Vipowernet) static A_66.248.xxxxxx
object network Video_Connection
nat (Inside,Vipowernet) static Public-66.248.xxxxxx
access-group Vipowernet_access_in in interface Vipowernet
access-group Inside_access_in in interface Inside
access-group VoIP_access_in in interface bcm
route Vipowernet 0.0.0.0 0.0.0.0 66.248.169.xx5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.20.60.0 255.255.254.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Vipowernet_map0 1 match address Vipowernet_cryptomap
crypto map Vipowernet_map0 1 set peer 66.248.182.170
crypto map Vipowernet_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Vipowernet_map0 interface Vipowernet
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 66.248.161.170
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto ca trustpoint ASDM_TrustPoint0
enrollment url http://stxdc3:80/certsrv
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment url http://stxdc3:80/CertSrv
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment url http://stxdc3:80/CertEnroll
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment url http://stxdc3:80/certsrv
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto isakmp enable Vipowernet
crypto isakmp enable bcm
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
telnet 172.20.16.0 255.255.255.0 Vipowernet
telnet 10.20.61.1 255.255.255.255 Inside
telnet 10.20.60.0 255.255.254.0 Inside
telnet 0.0.0.0 0.0.0.0 Inside
telnet 172.20.16.0 255.255.255.0 Inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.20.60.21 source Inside prefer
ntp server 172.20.16.3 source Inside
webvpn
group-policy DfltGrpPolicy attributes
username Ruser1 password IrO5kN5XfPlLpQcH encrypted
tunnel-group 66.248xxxxxx type ipsec-l2l
tunnel-group 66.248xxxxxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:a4bf5e1dcc49a69f94f46a792baa0fc5
: end
08-21-2013 08:32 AM
Hi,
Remember that you need to use the local/real IP address in the ACL as the destination IP address (even though it's NATed).
So to allow some traffic from the Internet to the new static NATed host you could use the following type of ACL rules:
access-list Vipowernet_access_in extended permit tcp any object Video_Connection eq <port>
access-list Vipowernet_access_in extended permit udp any object Video_Connection eq <port>
access-list Vipowernet_access_in extended permit icmp any object Video_Connection echo
Just choose the needed protocols and ports in the ACL rules.
There should not be problems in the actual NAT configurations since you have separate public IP addresses for the devices you want to access from the public network.
You can use the following basic format for configuring static NAT for devices:
object network <object-name>
host <real-ip>
nat (inside,outside) static <public-ip>
You don't need to configure a separate "object" to hold the public IP address. You can just enter it after the "static" parameter.
- Jouni
08-21-2013 01:10 PM
Ok, so for example:
object network Poly-8
host 10.10.10.8
nat (Inside,Vipowernet) static <public-ip>
Not too keen on this, so bear with me.
08-21-2013 03:30 PM
Hi,
Basically the above configuration you posted is fine for a Static NAT. It essentially maps the local IP address to the public IP address.
After the "static" parameter you can directly insert the public IP address to be used as the NAT IP address.
After that you just need to allow the required services from the public network to this host.
Since the NAT configuration/operation changed with the jump from software 8.2 to 8.3 it means that you now need to allow traffic to the real/local IP address always.
So again, using the above ACL example:
access-list Vipowernet_access_in extended permit tcp any object Poly-8 eq <port>
access-list Vipowernet_access_in extended permit udp any object Poly-8 eq <port>
access-list Vipowernet_access_in extended permit icmp any object Poly-8 echo
You would simply allow the required TCP/UDP ports to the device with the above configuration. You will probably need to allow several different ports, so you would need several ACL rules/lines.
- Jouni
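To illustrate Jouni's point from both of his replies (that since ASA 8.3 the interface ACL is evaluated against the real inside address, after un-NAT, so a rule written against the public address never matches), here is an added Python model of that inbound order of operations. It is not code from the thread or from Cisco; the public addresses are constructed placeholders because the thread redacts the real ones, and the object names and inside hosts are taken from the posted config.

```python
"""Model of ASA 8.3+ inbound processing for a static (1:1) NAT.

Added example (not from the thread or from Cisco). Order of operations
modelled: inbound packet on the outside interface -> un-NAT the mapped
(public) destination to the real (inside) address -> first-match ACL
evaluation against the REAL address -> implicit deny at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample mapping: public (mapped) IP -> real (inside) IP.
# 203.0.113.0/24 is documentation space standing in for the redacted 66.248.x.x block.
STATIC_NAT: Dict[str, str] = {
    "203.0.113.8": "10.20.60.8",    # Video_Connection (Polycom unit)
    "203.0.113.39": "10.20.60.39",  # PublicServer_NAT1
}

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "ip"
    dst: str                 # "any" or a host address
    port: Optional[int] = None  # None means any port

def un_nat(dst_ip: str) -> str:
    """Static NAT is bidirectional: an inbound packet to the mapped IP is un-NATed first."""
    return STATIC_NAT.get(dst_ip, dst_ip)

def ace_matches(ace: Ace, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if ace.dst != "any" and ip_address(ace.dst) != ip_address(dst_ip):
        return False
    return ace.port is None or ace.port == dst_port

def inbound_allowed(acl: List[Ace], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> bool:
    """8.3 semantics: un-NAT, then first-match ACL on the real IP; no match means deny."""
    real_ip = un_nat(dst_ip)
    for ace in acl:
        if ace_matches(ace, proto, real_ip, dst_port):
            return ace.action == "permit"
    return False

# Pre-8.3 habit: permit written against the PUBLIC address. It can never match after un-NAT.
ACL_PUBLIC_STYLE = [Ace("permit", "tcp", "203.0.113.8", 1720)]
# 8.3 style from the thread: "permit tcp any object Video_Connection eq <port>" (real address).
ACL_REAL_STYLE = [
    Ace("permit", "tcp", "10.20.60.8", 1720),   # H.323 call setup (tcp/1720) to the Polycom
    Ace("permit", "icmp", "10.20.60.8"),        # icmp echo to the Polycom
    Ace("permit", "tcp", "10.20.60.39", 5074),  # ClockLink (tcp/5074) to PublicServer_NAT1
]

def demo() -> Dict[str, bool]:
    return {
        "public_style_h323": inbound_allowed(ACL_PUBLIC_STYLE, "tcp", "203.0.113.8", 1720),
        "real_style_h323": inbound_allowed(ACL_REAL_STYLE, "tcp", "203.0.113.8", 1720),
        "real_style_rdp": inbound_allowed(ACL_REAL_STYLE, "tcp", "203.0.113.8", 3389),
        "real_style_clocklink": inbound_allowed(ACL_REAL_STYLE, "tcp", "203.0.113.39", 5074),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

On the real ASA the equivalent check is `packet-tracer input Vipowernet tcp <src-ip> <src-port> <public-ip> <port>`, which shows the un-NAT phase followed by the ACCESS-LIST phase and whether the flow is allowed.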
08-30-2013 05:09 AM
Sorry for the late reply, I was struggling with some other stuff...
I had to add:
hostname(config)# access-group Vipowernet_access_in in interface Vipowernet
08-30-2013 05:24 AM
Hi,
Seems to me that you already had that command in the configuration you posted.
You must have removed it at some point then?
- Jouni