Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Direct access to devices behind the firewall

Hello,

I am trying to establish a direct connection to devices behind the firewall without NAT.

I have an ASA5510 FW where both sides are private IP addresses. outside interface is Security level 0 and the inside interface is Security level 100.

I have couple of servers behind the firewall. But i want them to access using their own IP addresses from outside, rather than using a mapped IP addresses.

I tried with Nat 0. But then realised, it wont work as the it only protects the source IP address of the devies behind the firewall to be translated.

Is it is possible to do that? If then, can you give me the step by step procedures.

Cheers

Nimalraj

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Direct access to devices behind the firewall

Try this -

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

where 172.16.10.0/24 would be the server subnet.

Jon

10 REPLIES
Super Bronze

Re: Direct access to devices behind the firewall

You can configure NAT exemption, ie: NAT 0 with access-list.

Example:

Inside host has ip address of 192.168.100.5

Outside host has ip address of 192.168.200.5

For outside host to access inside host with its private ip address, you can configure the following:

access-list nonat permit ip host 192.168.100.5 host 192.168.200.5

nat (inside) 0 access-list nonat

On your inbound access-list on the outside interface, you would need to allow the access. Check the name of the outside access list: sh run access-group, then add the following access-list:

access-list permit ip host 192.168.200.5 host 192.168.100.5

OR/ a more restrictive access-list if you wish.

Hope that helps.

New Member

Re: Direct access to devices behind the firewall

Hi, I tried that beforehand. But didnt work. The following is the configuration i have in my ASA.

access-list inbound extended permit icmp any any
access-list inbound extended permit ip any any

access-list nonat extended permit ip any host 172.16.1.20

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0


access-group inbound in interface outside

All the clients have internet access. But i cannot ping or connect to the 172.16.1.20 machine.

Any idea..?

Hall of Fame Super Blue

Re: Direct access to devices behind the firewall

Are the servers ever going to go out from the inside and get translated to the public IP on your outside interface ?

If they are do you know the specific source IPs you want to use to be able to access the servers on their private addresses from outside ?

Jon

New Member

Re: Direct access to devices behind the firewall

No.. These servers are going to remain private. And there wont be any mapping from outside interface to the private IP address of the server.

Thats why i want some way to access the server using the private IP address, rather than using the mapped IP address.

Nimalraj

Hall of Fame Super Blue

Re: Direct access to devices behind the firewall

Try this -

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

where 172.16.10.0/24 would be the server subnet.

Jon

New Member

Re: Direct access to devices behind the firewall

That did the trick for me.

can you elobrate more about this command. The reason i am asking is, it worked without even Nat0 command.

thats why i am bit confused.

Cheers

Hall of Fame Super Blue

Re: Direct access to devices behind the firewall

nimalrajphilips wrote:

That did the trick for me.

can you elobrate more about this command. The reason i am asking is, it worked without even Nat0 command.

thats why i am bit confused.

Cheers

Basically it is a static NAT statement that takes precedence over your dynamic NAT statements. Usually you see something like -

static (inside,outside) 195.17.10.10 192.168.5.10 netmask 255.255.255.255

where you are natting the private IP of 192.168.5.10 on the inside to the public IP of 195.17.10.10 on the outside. Yes the (inside,outside) are the wrong way round compared to IOS but you get used to it

Using a static NAT allows connections to be initiated from the outside to the inside. With your example ie.

static (inside,outside) 172.16.10.0 172.16.10.0 netmask 255.255.255.0

we are simply saying present the 172.16.10.x addresses to the outside as 172.16.10.x.

Note that on other vendors firewalls you wouldn't need this statement if the addresses you present are the same as the real addresses as in your scenario but this is another quirk of the Cisco Pix/ASA firewalls.

Jon

New Member

Re: Direct access to devices behind the firewall

Thanks alot Jon.

Super Bronze

Re: Direct access to devices behind the firewall

When you use the NAT exemption method, your ACL is the other way round.

You have "access-list nonat extended permit ip any host 172.16.1.20" configured. It should have been "access-list nonat extended permit ip host 172.16.1.20 any"

However, as Jon's suggestion, you can also use the static to itself statement.

Both ways will work.

New Member

Re: Direct access to devices behind the firewall

Hi,

I will try this option too. Thanks for your update.

Cheers

871
Views
0
Helpful
10
Replies