02-01-2010 06:56 AM - edited 03-11-2019 10:03 AM
Want to enable nat-control to restrict access to outside hosts from inside. Outside hosts are in an internal lab (not across the internet) relative to the main network.
Enabling nat-control causes inside hosts to lose access to / be unable to ping outside hosts. See NAT / statics configuration below.
Thanks for any input.
inside pc: 192.168.16.1
outside pc: 10.25.41.5 (assigned ip)
192.168.50.5 (virtual ip used when pinging from inside)
ASA Version 8.0(4) <context>
!
hostname fw
dns-guard
!
interface GigabitEthernet0/0.515
nameif outside
security-level 0
ip address 10.25.41.1 255.255.255.224
!
interface GigabitEthernet0/1.533
nameif inside
security-level 100
ip address 192.168.40.220 255.255.255.248
!
dns server-group DefaultDNS
domain-name local
same-security-traffic permit intra-interface
object-group network inside_hosts_permitted
network-object 192.168.16.1 255.255.255.255
network-object 192.168.17.0 255.255.255.0
object-group network outside_hosts_real
network-object 10.25.41.5 255.255.255.255
network-object 10.25.41.6 255.255.255.255
network-object 10.25.41.7 255.255.255.255
object-group service smt_udp_ports udp
port-object eq netbios-ns
object-group service smt_tcp_ports tcp
port-object eq 135
port-object eq netbios-ssn
port-object eq 445
object-group network server_nats
network-object 10.25.41.2 255.255.255.255
network-object 10.25.41.3 255.255.255.255
network-object 10.25.41.4 255.255.255.255
object-group network outside_hosts_nats
network-object 192.168.50.1 255.255.255.255
network-object 192.168.50.2 255.255.255.255
network-object 192.168.50.3 255.255.255.255
network-object 192.168.50.4 255.255.255.255
network-object 192.168.50.5 255.255.255.255
access-list external_access_in extended permit tcp host 10.25.41.9 host 10.25.41.2 object-group smt_tcp_ports
access-list external_access_in extended permit udp 10.25.41.0 255.255.255.224 host 10.25.41.2 object-group smt_udp_ports
access-list external_access_in extended permit icmp any any
access-list internal_access_in extended permit icmp any any
access-list internal_access_in extended permit tcp host 192.168.16.1 any eq 3389
access-list internal_access_in extended permit tcp 192.168.17.0 255.255.255.0 object-group outside_hosts_nats eq ftp
access-list internal_access_in extended permit tcp 192.168.17.0 255.255.255.0 object-group outside_hosts_nats eq ftp-data
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.224
static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224
static (inside,outside) 10.25.41.2 192.168.10.137 netmask 255.255.255.255
static (inside,outside) 10.25.41.3 192.168.10.134 netmask 255.255.255.255
static (inside,outside) 10.25.41.4 192.168.10.161 netmask 255.255.255.255
access-group external_access_in in interface outside
access-group internal_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.25.41.1 1
route inside 192.168.0.0 255.255.0.0 192.168.40.217 1
http server enable
sysopt noproxyarp inside
02-01-2010 10:28 AM
tsrader wrote:
192.168.50.x is an IP range which is routable on the inside network, assigned as a "virtual" IP range for outside hosts coming back into the network.
1. Yes, inside hosts would ping the 192.168.50.x address.
192.168.50.5 > 10.25.41.5
Is a second global/nat required to permit inside hosts to initiate a connection to outside hosts?
global (outside) 2 interface
nat (inside) 2 192.168.16.0 (or whatever inside IP range needs to come through)
Thanks
You can just NAT the inside addresses to the same global, i.e.
nat (inside) 1 192.168.16.0 255.255.255.0
global (outside) 1 interface
you don't need
nat (inside) 1 192.168.50.0 255.255.255.0
it's not doing anything.
Jon
02-01-2010 08:05 AM
Just to clarify -
From the inside you do not ping a 10.25.x.x address, you actually ping a 192.168.50 address? This is what
static (outside,inside) 192.168.50.0 10.25.41.0 netmask 255.255.255.224 is meant to be doing?
If so, your problem is that you are not NATting the actual source address, i.e. 192.168.16.1, so instead of
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.224
it should read
global (outside) 1 interface
nat (inside) 1 192.168.16.0 255.255.255.0 <-- note this subnet mask may not be right, modify if needed.
I'm not sure what "nat (inside) 1 192.168.50.0 255.255.255.224" is meant to achieve ?
Jon
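Jon's two replies above both rest on one rule of classic (pre-8.3) ASA NAT: with nat-control on, a packet going from a higher-security to a lower-security interface must match a translation for its real source address, and the static (outside,inside) line only untranslates the destination (192.168.50.5 back to 10.25.41.5), so it does not count. The following is an added example, not code from this thread or from Cisco: a small Python model of that lookup, loaded with the posted config. It shows 192.168.16.1 -> 192.168.50.5 dropped for want of a translation group, passing once nat (inside) 1 192.168.16.0 255.255.255.0 is added, passing untranslated when nat-control is off, and the lab host 10.25.41.5 showing up on the inside as 192.168.50.5. The class and function names are my own, the lookup order is simplified (static, then nat/global; no policy NAT), and the route table holds the two connected subnets plus the two posted routes.

```python
"""Constructed model of ASA 8.0 classic NAT lookup (not Cisco code).
Simplified order: destination untranslate via static, then source
translate via static, then nat/global; nat-control drops the rest."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Static:       # static (real_if,mapped_if) mapped_ip real_ip netmask mask
    real_if: str
    mapped_if: str
    mapped: Net
    real: Net


@dataclass(frozen=True)
class Nat:          # nat (real_if) id real_net mask
    real_if: str
    nat_id: int
    real: Net


@dataclass(frozen=True)
class Global:       # global (mapped_if) id interface
    mapped_if: str
    nat_id: int


@dataclass
class Asa:
    nat_control: bool
    interfaces: dict            # name -> (interface ip, security-level)
    routes: list                # (network, egress interface); longest prefix wins
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def egress_for(self, dst: Addr) -> str:
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

    def forward(self, ingress: str, src: Addr, dst: Addr) -> dict:
        # 1. A static whose mapped side faces the ingress interface turns the
        #    "virtual" destination back into the real one (192.168.50.5 -> 10.25.41.5).
        for s in self.statics:
            if s.mapped_if == ingress and dst in s.mapped:
                dst = s.real[int(dst) - int(s.mapped.network_address)]
                break
        egress = self.egress_for(dst)
        # 2. Source translation: static first, then nat/global pair for the egress side.
        for s in self.statics:
            if s.real_if == ingress and s.mapped_if == egress and src in s.real:
                mapped = s.mapped[int(src) - int(s.real.network_address)]
                return dict(action="pass", src=mapped, dst=dst, egress=egress, via="static")
        for n in self.nats:
            if n.real_if == ingress and src in n.real:
                if n.nat_id == 0:   # nat 0 = identity, passes untranslated
                    return dict(action="pass", src=src, dst=dst, egress=egress, via="nat 0")
                if any(g.mapped_if == egress and g.nat_id == n.nat_id for g in self.globals_):
                    pat_ip = self.interfaces[egress][0]   # global (...) interface => PAT
                    return dict(action="pass", src=pat_ip, dst=dst, egress=egress,
                                via=f"nat/global {n.nat_id}")
        # 3. No rule: nat-control drops higher->lower security traffic.
        if self.nat_control and self.interfaces[ingress][1] > self.interfaces[egress][1]:
            return dict(action="drop", src=src, dst=dst, egress=egress, via="no translation group")
        return dict(action="pass", src=src, dst=dst, egress=egress, via="untranslated")


def posted_config(nat_control: bool = True, fixed: bool = False) -> Asa:
    """The NAT-relevant lines from the post; fixed=True applies Jon's nat (inside) change."""
    asa = Asa(
        nat_control=nat_control,
        interfaces={"outside": (Addr("10.25.41.1"), 0), "inside": (Addr("192.168.40.220"), 100)},
        routes=[(Net("0.0.0.0/0"), "outside"), (Net("192.168.0.0/16"), "inside"),
                (Net("10.25.41.0/27"), "outside"), (Net("192.168.40.216/29"), "inside")],
        statics=[
            Static("outside", "inside", Net("192.168.50.0/27"), Net("10.25.41.0/27")),
            Static("inside", "outside", Net("10.25.41.2/32"), Net("192.168.10.137/32")),
            Static("inside", "outside", Net("10.25.41.3/32"), Net("192.168.10.134/32")),
            Static("inside", "outside", Net("10.25.41.4/32"), Net("192.168.10.161/32")),
        ],
        globals_=[Global("outside", 1)],
    )
    asa.nats.append(Nat("inside", 1, Net("192.168.16.0/24") if fixed else Net("192.168.50.0/27")))
    return asa


if __name__ == "__main__":
    pc, lab = Addr("192.168.16.1"), Addr("192.168.50.5")
    print("posted, nat-control on :", posted_config().forward("inside", pc, lab))
    print("posted, nat-control off:", posted_config(nat_control=False).forward("inside", pc, lab))
    print("fixed,  nat-control on :", posted_config(fixed=True).forward("inside", pc, lab))
    print("lab -> inside server   :", posted_config().forward("outside", Addr("10.25.41.5"), Addr("10.25.41.2")))
```

The model makes the symmetry visible: the same static (outside,inside) that lets an inside PC address the lab by its 192.168.50.x alias also gives a lab host its 192.168.50.x source when it connects in to the 10.25.41.2 server alias, but neither static has anything to say about 192.168.16.1 as a source, which is exactly the gap nat-control enforces.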
02-01-2010 10:07 AM
192.168.50.x is an IP range which is routable on the inside network, assigned as a "virtual" IP range for outside hosts coming back into the network.
1. Yes, inside hosts would ping the 192.168.50.x address.
192.168.50.5 > 10.25.41.5
Is a second global/nat required to permit inside hosts to initiate a connection to outside hosts?
global (outside) 2 interface
nat (inside) 2 192.168.16.0 (or whatever inside IP range needs to come through)
Thanks