Cisco Support Community
New Member

From outside to inside access ( number of static map)

Hi

I have two offices, A and B. A is the head office, which has 200 users, and office B has 300 users.

From A to B connection scenario:

B office - Router - (outside) FW (inside) - A office.

------------------

My goal is that all users from office B can access all PCs in office A. As office A is behind the ASA, I need 200 static maps.

As usual, we do point-to-point static maps.

It's easy for some servers or user PCs.

As in my scenario a large number of PCs need access, it is difficult to configure 200 static maps. So is there any other way?

Regards

Biplob

1 ACCEPTED SOLUTION

Accepted Solutions

Re: From outside to inside access ( number of static map)

on the firewall, please send me the output of "show logging | inc x"

where x is the IP address you are pinging from.

22 REPLIES

Re: From outside to inside access ( number of static map)

Is there an ISP link between the two offices?

If yes, is there a VPN tunnel established between the two offices?

If yes, you may use NAT zero.

New Member

Re: From outside to inside access ( number of static map)

Hi

Thanks.

No ISP link. The two offices are connected via VSAT. There is no VPN tunnel between the two offices.

At present 5 servers are statically mapped. But the decision now is that all PCs of office A should be available to office B, but it comes through the firewall. So I need 195 more static maps?

Thanks

Biplob

Re: From outside to inside access ( number of static map)

Not really. Use NAT zero and that's it.

But you have to modify your ACLs on the firewall as well to allow the traffic between the 2 offices.

Cheers.

New Member

Re: From outside to inside access ( number of static map)

Hi

I am confused. Please clarify.

Present scenario, for example:

pix outside IP: 192.168.10.1

pix inside IP : 192.168.40.10

ACL 101 permit tcp any any

ACL 101 permit icmp any any

static (outside, inside) 192.168.10.11 192.168.40.11 0 0

access-group 101 in interface outside

**As from my office user not connect internet so nat configure in here.

As per your suggestion, if I configure

nat (inside) 0 192.168.40.0 255.255.255.0

then I do not need any static map?

Office B (172.16.20.X) can access office A (192.168.40.X) without any mapping?

And can ping 192.168.40.X directly?

----Can you give me a sample configuration?---

Regards

Biplob

Re: From outside to inside access ( number of static map)

Hi Biplob,

yes, but don't use:

nat (inside) 0 192.168.40.0 255.255.255.0

since you still need traffic going from office A to the internet to be NATed.

So use an ACL like below:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

The config above allows users in office A to connect to office B. For office B users to connect to office A users, use the config below:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

* Please use the rating system once your problem is solved.

Thanks,

Moath.

New Member

Re: From outside to inside access ( number of static map)

Hi

If I understand, then according to your summary:

office B(172.16.20.0)-FW-OfficeA(192.168.40.0)

Only office B users access office A, then:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

Office B users access office A and also users of office A connect to the Internet, then:

-------------------------------------------

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

Besides this, I do not need any other config?

Regards

Biplob

Re: From outside to inside access ( number of static map)

Hi,

From office A to office B:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

From office B to A:

access-list outside-to-inside-NAT-EXCLUDE line 1 extended permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list outside-to-inside-NAT-EXCLUDE

Please configure all above to allow traffic from both offices.

"beside this i do not need any other config"

Please make sure that the traffic ACLs applied on the outside interface and inside interface (if any) allow the traffic between the 2 offices.

New Member

Re: From outside to inside access ( number of static map)

Hi

Many thanks. Now I am 90% clear. Now a little bit of confusion.

1. Your last line says --Please make sure that the traffic ACLs applied on the outside interface and inside interface-- What do you mean by this line? Is it regarding the access-group applied to the interface?

I do not need any access-group?

2. You mention examples

office A to office B:

office B to office A:

and both.

But if I additionally need that

office B to office A and office A connects to the Internet. That means office A users also connect to the Internet; what do I do then?

Please give me an additional example, because I am worried that if I give no nat exclude 192.168.40.0 then no user of office A can connect to the Internet.

Sorry for taking your time.

Regards

Biplob

Re: From outside to inside access ( number of static map)

Hi,

1- traffic from outside to inside is denied by default, so you have to allow it in the acl applied on the outside interface.

permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0

2- The reason why we used an ACL in the NAT zero statement was to exclude only traffic between the 2 offices from getting NATed.

But there should be another NAT statement for traffic from office A in order to allow it internet access.

If you are confused, plz attach the firewall config to help you more.

New Member

Re: From outside to inside access ( number of static map)

OK, I will check this out.

Re: From outside to inside access ( number of static map)

lol... Check out what?

New Member

Re: From outside to inside access ( number of static map)

I will do a dummy implementation and give you the result in some time.

Re: From outside to inside access ( number of static map)

Dummy results, plz check below ;) cheers mate

New Member

Re: From outside to inside access ( number of static map)

The result is 0. I will send you the configuration of what I did. Please wait 5 min.

New Member

Re: From outside to inside access ( number of static map)

Please check the attachment.

New Member

Re: From outside to inside access ( number of static map)

Please check the attachment.

Re: From outside to inside access ( number of static map)

Hi,

Show running access-group, then modify the ACL applied on the outside interface to allow office B's range to connect to office A's range.

New Member

Re: From outside to inside access ( number of static map)

Hi

Is there any document for a scenario like this, or can you send me a full configuration? I am trying in my lab but failed.

My e-mail address is biplobk2000@yahoo.com.

May I introduce myself to you?

thanks

biplob

New Member

Re: From outside to inside access ( number of static map)

Hi

I additionally did

access-list 102 permit icmp any any

access-list 102 permit ip any any

access-group 102 in interface outside

Then I also configured

access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.40.0 255.255.255.0

nat (outside) 0 access-list 101 [this line gives a warning]

Regards

Biplob

Re: From outside to inside access ( number of static map)

on the firewall, please send me the output of "show logging | inc x"

where x is the IP address you are pinging from.

Re: From outside to inside access ( number of static map)

Hi,

Please remove the settings you applied and try these:

access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE

Cheers

New Member

Re: From outside to inside access ( number of static map)

Hi

It's good news that your last prescription is right and I reached my goal, with zero confusion. Before this test I knew that outside users can access inside only by static map.

Many thanks and warm regards to you for your co-operation in the test.

Be well and see you again next time.

Regards

Biplob
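
An added example, not part of any post in this thread: a small Python check that reads the kind of PIX/ASA lines posted above and reports (a) any-any permits in the ACL bound inbound on the outside interface and (b) NAT-exempt flows that have no scoped `permit ip` for the return direction on that interface. It assumes `inside` is the protected interface and handles only the ACE forms used in the thread (`any`, `host A`, `A MASK`, no port operators); both sample configs are constructed from commands in the posts.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
ACE = re.compile(r"^access-list (\S+) (?:line \d+ )?(?:extended )?permit (\S+) (.+)$")

# Constructed sample built from commands posted in the thread (ACL 102 as applied there).
BROAD = """\
access-list 102 permit icmp any any
access-list 102 permit ip any any
access-group 102 in interface outside
access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
"""
# Constructed sample: same config with ACL 102 reduced to the scoped permit suggested in the thread.
SCOPED = """\
access-list 102 permit ip 172.16.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-group 102 in interface outside
access-list inside-to-outside-NAT-EXCLUDE line 1 extended permit ip 192.168.40.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside-to-outside-NAT-EXCLUDE
"""

def _net(tok):
    """Consume one address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def audit(config, iface="outside"):
    """Return findings for the ACL bound inbound on `iface`."""
    acls, bound, exempt = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            src, rest = _net(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), src, _net(rest)[0]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            exempt.append(m.group(1))
    aces = acls.get(bound.get(iface), [])  # no access-group: nothing is permitted inbound
    findings = [f"any-any permit {p} on {iface}" for p, s, d in aces if s == d == ANY]
    for name in exempt:  # exempt flow A -> B needs a scoped permit for B -> A on iface
        for _, a, b in acls.get(name, []):
            if not any(p == "ip" and s != ANY and b.subnet_of(s) and a.subnet_of(d)
                       for p, s, d in aces):
                findings.append(f"no scoped permit ip {b} -> {a} on {iface}")
    return findings
```

`audit(BROAD)` returns three findings and `audit(SCOPED)` returns none; a config with the NAT exemption but no `access-group` on the outside interface is reported as missing the scoped permit.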
