Cisco Support Community
New Member

Internet access for LAN user through inside to outside

Here I want to give internet access to my LAN users, whose subnet is 172.16.20.0/24.

The inside firewall IP is 192.168.11.249/24,

the outside IP is 125.209.70.88/24,
and I have also attached a diagram with the IPs.

Navaz
25 REPLIES
Cisco Employee

Hi,

 

Below is the required configuration on the ASA:

route inside 172.16.20.0 255.255.255.0 192.168.11.254

NAT on 8.2
===========

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

NAT on 8.3+
===========

object network internal_net
 subnet 172.16.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
 

Thanks,

Prashant Joshi

 

New Member

I have Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

But it's not working. Below is my configuration, and now I only need to allow my LAN users internet access through inside to Outside. One thing to note: the 172.16.20.0/24 users' gateway is 172.16.20.254; similarly the 172.16.30.x/24 users' gateway is 172.16.30.254, the 172.16.40.x/24 users' gateway is 172.16.40.254, and the 172.16.50.x/24 users' gateway is 172.16.50.254. Thanks for the reply.

Version of ASA

 

ASA Version 8.2(5)

!

 

hostname ACTIVE

domain-name dhalahore.org

enable password vXH3rdHwVuRbxQ3j encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

 

INTERFACE DETAILS

!

interface Ethernet0/0

 description Inside to the Core Switches 1

 duplex full

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/1

description Inside to the Core Switches 2

 duplex full

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/2

 description Public Server - DMZ

 duplex full 

 nameif DMZ  

 security-level 50

 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

!            

interface Ethernet0/3

 description Outside to the Internet via router

 duplex full 

 nameif Outside

 security-level 0

 ip address 117.102.8.90 255.255.255.248 standby 117.102.8.91

!            

interface Management0/0

 description LAN/STATE Failover Interface

!            

interface Redundant1

 member-interface Ethernet0/0

 member-interface Ethernet0/1

INSIDE INTERFACE

 nameif inside

 security-level 100

 ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250

!            

CREATE OBJECT FOR LAN NETWORKS

object-group network DMZ-BLOCKED-LAN-NETWORKS

 network-object 172.16.10.0 255.255.255.0

 network-object 172.16.20.0 255.255.255.0

 network-object 172.16.30.0 255.255.255.0

 network-object 172.16.40.0 255.255.255.0

 network-object 172.16.50.0 255.255.255.0

 

 

CREATE ACL FOR OUTSIDE TO INSIDE

access-list 102 extended permit tcp any host 117.102.8.90 eq www

access-list 102 extended permit tcp any host 117.102.8.90 eq 8888

access-list 102 extended permit tcp any host 117.102.8.90 eq https

access-list 102 extended permit tcp any host 117.102.8.90 eq telnet

access-list 102 extended permit tcp any host 117.102.8.90 eq pop3

access-list 102 extended permit tcp any host 117.102.8.90 eq smtp

 

CREATE ACL FOR THE LAN NETWORK TO ACCESS DMZ SERVERS

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0

access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0

access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0

 

CREATE ACL FOR THE DB SERVERS TO DMZ MEMBER AREA SERVER

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo

access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo

access-list DMZ-IN remark Block connections from DMZ to INSIDE networks

access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS

access-list DMZ-IN remark Allow all other traffic

access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any

access-list ICMP extended permit icmp any any

access-list SPLIT standard permit 192.168.0.0 255.255.0.0

NAT CONFIGURATION

nat-control  

CREATE NAT FOR THE INSIDE USER TO ACCESS

nat (inside) 0 access-list no-nat

CREATE NAT FROM OUTSIDE TO DMZ SERVER(FOR SPECIFIC PORTS OPEN)

static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255

static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255

static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255

static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255

 

CREATE NAT DMZ TO INSIDE(TO ACCESS THE LAN SPECIFIC USERS)

static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

 

ALLOW THE ACL 102 TO OUTSIDE INTERFACE

access-group 102 in interface Outside

 

CREATE ROUTE TO THE ACCESS FROM THE OUTSIDE INTERFACE

route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1

 

 

 

CREATE ROUTE TO ACCESS FROM THE INSIDE INTERFACE (ALL VLAN,S INCLUDING APPLICATION,DB,LAN)

 

route inside 0.0.0.0 0.0.0.0 192.168.11.254 2

route inside 0.0.0.0 0.0.0.0 192.168.10.254 2

route inside 172.16.10.0 255.255.255.0 192.168.11.254 1

route inside 172.16.20.0 255.255.255.0 192.168.11.254 1

route inside 172.16.30.0 255.255.255.0 192.168.11.254 1

route inside 172.16.40.0 255.255.255.0 192.168.11.254 1

route inside 172.16.50.0 255.255.255.0 192.168.11.254 1

route inside 192.168.10.0 255.255.255.0 192.168.11.254 1

 

 

TO ACCESS INSIDE THROUGH ASDM

http server enable

http 192.168.11.0 255.255.255.0 inside

http 192.168.11.249 255.255.255.255 inside

TO TELNET INSIDE

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.11.254 255.255.255.255 inside

telnet 192.168.10.254 255.255.255.255 inside

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 10

 

 

Navaz
Cisco Employee

You need to configure a PAT policy.

General PAT, which will be used by all inside users:

nat (inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

However, if you need to be specific:

nat (inside) 1 172.16.20.0 255.255.255.0
nat (inside) 1 172.16.30.0 255.255.255.0
nat (inside) 1 172.16.40.0 255.255.255.0
global (Outside) 1 interface

If it still doesn't work, provide me the output of:

packet-tracer input inside tcp 172.16.20.10 5656 4.2.2.2 80 det

 

Thanks

Prashant Joshi

 

New Member

It didn't work. I attached the files that you required.

thanks

Navaz
Cisco Employee

The configuration seems to be fine on the ASA; packet-tracer is showing correct output. I believe the packets are not reaching the ASA.

Kindly provide me the below captures:

cap capin interface inside match tcp host <host ip> any
cap capout interface Outside match tcp any any
sh cap capout
sh cap capin

 

Thanks,

Prashant Joshi

New Member

Please find the attached file. But on the inside interface of the ASA there is a Cisco 3750 core switch, and behind it a 2960 Layer 2 switch where the LAN is.

Navaz
Cisco Employee

As expected, the internet traffic is not reaching the ASA; we can see only telnet traffic (to the ASA inside interface).

Have you configured a default route pointing to the ASA on your 3750 switch?

Thanks

Prashant Joshi

New Member

These are the routes added at the core switch 3750:

 

ip classless
ip route 0.0.0.0 0.0.0.0 221.120.216.153
ip route 5.5.5.0 255.255.255.0 192.168.11.249
ip route 10.1.1.0 255.255.255.0 192.168.10.249
ip route 10.1.1.0 255.255.255.0 192.168.11.249
ip route 172.16.20.0 255.255.255.0 192.168.10.249
ip http server

 

DC-Core1(config)#  do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.5.5.0 [1/0] via 192.168.11.249
C    192.168.10.0/24 is directly connected, Vlan10
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.50.0 is directly connected, Vlan80
C       172.16.40.0 is directly connected, Vlan70
C       172.16.30.0 is directly connected, Vlan60
C       172.16.20.0 is directly connected, Vlan50
C       172.16.10.0 is directly connected, Vlan10
C    192.168.11.0/24 is directly connected, Vlan11
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [1/0] via 192.168.11.249
                 [1/0] via 192.168.10.249

Navaz
Cisco Employee

The below route is punting all the traffic to 221.120.216.153, so we need to delete this route:

no ip route 0.0.0.0 0.0.0.0 221.120.216.153

We need to punt all the default traffic to the ASA, so add the below route:

ip route 0.0.0.0 0.0.0.0 192.168.11.249

In addition, if 172.16.20.0/24 is a directly connected network on the 3750, we don't need the below route:

ip route 172.16.20.0 255.255.255.0 192.168.10.249

 

Thanks,

Prashant Joshi
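A worked check for the routing step in the reply above, added here as an example and not part of the thread: a small Python parser for the 3750's "show ip route" output posted earlier, with a longest-prefix lookup. The posted table reads "Gateway of last resort is not set", which is consistent with the ip route 0.0.0.0 0.0.0.0 221.120.216.153 line never being installed (IOS only installs a static route whose next hop it can resolve, and nothing in that table covers 221.120.216.0). Either way, a lookup for an internet address returns no route, and only after the default route to 192.168.11.249 is added does the switch forward it to the ASA. The SHOW_IP_ROUTE text is a copy of the output above; the lookup addresses (4.2.2.2 from the packet-tracer command, 10.1.1.254 from the DMZ static) are taken from the thread.

```python
import ipaddress
import re

# The 3750 "show ip route" table as posted in the thread (copied, not invented).
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.5.5.0 [1/0] via 192.168.11.249
C    192.168.10.0/24 is directly connected, Vlan10
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.50.0 is directly connected, Vlan80
C       172.16.40.0 is directly connected, Vlan70
C       172.16.30.0 is directly connected, Vlan60
C       172.16.20.0 is directly connected, Vlan50
C       172.16.10.0 is directly connected, Vlan10
C    192.168.11.0/24 is directly connected, Vlan11
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [1/0] via 192.168.11.249
                 [1/0] via 192.168.10.249
"""

# "   172.16.0.0/24 is subnetted, 5 subnets": sets the mask for the indented entries that follow
SUBNETTED = re.compile(r"^\s+\S+/(\d+) is subnetted")
# "S       5.5.5.0 [1/0] via X" or "C    192.168.10.0/24 is directly connected, Vlan10"
ENTRY = re.compile(
    r"^([A-Z*]+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
    r"(?:\[\d+/\d+\] via (\S+)|is directly connected, (\S+))"
)
# Extra next hop for the previous prefix (equal-cost static routes)
CONT = re.compile(r"^\s+\[\d+/\d+\] via (\S+)")


def parse_routes(text):
    """Return [(ip_network, [next hops])] from IOS 'show ip route' output."""
    routes = []
    mask = None
    for line in text.splitlines():
        m = SUBNETTED.match(line)
        if m:
            mask = int(m.group(1))
            continue
        m = ENTRY.match(line)
        if m:
            _code, addr, plen, via, iface = m.groups()
            net = ipaddress.ip_network(f"{addr}/{plen or mask}")
            routes.append((net, [via or iface]))
            continue
        m = CONT.match(line)
        if m and routes:
            routes[-1][1].append(m.group(1))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Returns the next-hop list, or [] when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hops) for net, hops in routes if addr in net]
    if not hits:
        return []
    best = max(plen for plen, _ in hits)
    return [h for plen, hops in hits for h in hops if plen == best]


def with_default(routes, next_hop):
    """The fix from the reply above: ip route 0.0.0.0 0.0.0.0 <next_hop>."""
    return routes + [(ipaddress.ip_network("0.0.0.0/0"), [next_hop])]


ROUTES = parse_routes(SHOW_IP_ROUTE)

if __name__ == "__main__":
    fixed = with_default(ROUTES, "192.168.11.249")
    for dst in ("4.2.2.2", "10.1.1.254", "172.16.20.10"):
        print(dst, "as posted:", lookup(ROUTES, dst), "after fix:", lookup(fixed, dst))
```

An empty list for 4.2.2.2 against the posted table is the condition the captures showed: the switch had nowhere to send internet-bound packets, so they never arrived on the ASA's inside interface. The two next hops for 10.1.1.0/24 are both in the posted table and are kept as posted.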

 

 

New Member

Thanks, it's working. But now the next step is to only allow Outlook traffic from the inside LAN to outside.

Navaz
Cisco Employee

You need to allow whatever subnets and respective ports you need, for example:

access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 25
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq XY
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq YZ

access-group inside_out in interface inside

 

Thanks,

Prashant Joshi

New Member

Thanks Joshi, but it's not working.

I also have different ACLs. Can you verify that they are not creating the problem?

object-group network DMZ-BLOCKED-LAN-NETWORKS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.50.0 255.255.255.0
access-list 102 extended permit tcp any host 117.102.8.90 eq www 
access-list 102 extended permit ip 5.5.5.0 255.255.255.0 any 
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888 
access-list 102 extended permit tcp any host 117.102.8.90 eq https 
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet 
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3 
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp 
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo 
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo 
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS 
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any 
access-list ICMP extended permit icmp any any 
access-list SPLIT standard permit 192.168.0.0 255.255.0.0 

 

Navaz
Cisco Employee

access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888 
access-list 102 extended permit tcp any host 117.102.8.90 eq https 
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet 
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3 
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp 

Above access-lists are allowing any source to access destination 117.102.8.90 on specific ports, rest all other destinations are restricted.

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0 

All these access-lists are used in NAT Exempt from specific source to destination.

 

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo 
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo 
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS 
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any 

DMZ access-lists blocking connection to DMZ-BLOCKED and allowing 10.1.1.0 /24 to access anything.


You need to apply these access-lists to an interface as well:

access-group <access-list name> in interface <interface name>

Prashant Joshi

 

 

 

New Member

After applying these, can I then allow only Outlook traffic? My Outlook ports are configured as SSL ports 995 and 465.

Navaz
Cisco Employee

Add the below access lists with whatever source and destination you need to restrict:

access-list 102 extended permit tcp <source>  <destination>  eq 995

access-list 102 extended permit tcp <source>  <destination>  eq 465
 

New Member

access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 995

access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 465

I need to run Outlook for the LAN users on subnet 172.16.20.0/24, and after that do I apply

access-group 102 in interface inside ?

Navaz
Cisco Employee

access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 host 117.102.8.90 eq 995
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 host 117.102.8.90 eq 465

access-group 102 in interface inside

New Member

Thanks Joshi,

I applied this but Outlook is not working.

I attached the Outlook settings.

Navaz
Cisco Employee

I can only see the ports in your configuration. What incoming and outgoing mail server name/IP is configured in your Outlook? If it is a name and not an IP, how will name resolution happen? Do you have an inside DNS server?

 

Thanks,

Prashant Joshi
 

 

 

New Member

Thanks Joshi,

I have incoming server 174.142.165.146 and outgoing server 174.142.165.146.

These are outside, somewhere on the internet, not in our LAN network, and there is no DNS server.

Navaz
Cisco Employee

Hi,

Kindly provide me the below output:

packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 995 det
packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 465 det

 

Prashant Joshi
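Before the packet-tracer output comes back, here is the access-list step it performs, modelled in Python as an added example (not code from the thread or from Cisco): first-match evaluation of ACL 102 as bound inbound on inside, with the ASA's implicit deny at the end. ACL_102_AS_BOUND is the list from the posts above (the original six lines, the 5.5.5.0 line from the user's listing, and the two new 995/465 lines with "host" before 117.102.8.90, which the ASA syntax requires). MAIL_ACL is a constructed variant that is not from the thread: the same two lines with the mail server address 174.142.165.146 given above as the destination. The parser covers only the address forms used on this page (any, host A.B.C.D, A.B.C.D MASK) and the port keywords that appear here.

```python
import ipaddress

# Port keywords the ASA accepts in "eq", mapped to numbers (only those used in the thread)
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "telnet": 23}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'.
    SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (the forms used above)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = tok[1], tok[3], tok[4]
    pos = 5

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}")
        pos += 2
        return net

    src, dst = address(), address()
    dport = _port(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(aces, proto, src, dst, dport):
    """First matching entry wins; no match falls to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


# ACL 102 as it stands in the posts above ('host' added before 117.102.8.90 on the two new lines)
ACL_102_AS_BOUND = acl("""
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit ip 5.5.5.0 255.255.255.0 any
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 host 117.102.8.90 eq 995
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 host 117.102.8.90 eq 465
""")

# Constructed variant (not from the thread): same two lines, mail server as the destination
MAIL_ACL = acl("""
access-list mail_out extended permit tcp 172.16.20.0 255.255.255.0 host 174.142.165.146 eq 995
access-list mail_out extended permit tcp 172.16.20.0 255.255.255.0 host 174.142.165.146 eq 465
""")


def trace_inside(aces, src, dst, dport):
    """The access-list step of 'packet-tracer input inside tcp SRC PORT DST DPORT'."""
    return evaluate(aces, "tcp", src, dst, dport)


if __name__ == "__main__":
    for dport in (995, 465):
        print("ACL 102 :", trace_inside(ACL_102_AS_BOUND, "172.16.20.10", "174.142.165.146", dport))
        print("mail_out:", trace_inside(MAIL_ACL, "172.16.20.10", "174.142.165.146", dport))
```

Run against the two flows requested above, ACL 102 as bound denies both: every entry's destination is the ASA's own Outside address 117.102.8.90, not the mail server, so the packet falls through to the implicit deny. Binding an access-group inbound on inside also removes the default permit for inside-to-Outside traffic, so anything the LAN needs beyond the listed ports has to be permitted explicitly.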

New Member

Please find attached the required file.

 

Navaz
Cisco Employee

You need to remove the below NAT exempt (it means the ASA will not perform NAT for any inside user):

nat (inside) 0 0.0.0.0 0.0.0.0

If you need to perform NAT exemption, you need to be specific, like:

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
nat (inside) 0 access-list nonat

 

Thanks,

Prashant Joshi

 

New Member

These are the NAT commands that I configured:

nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255 
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255 
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255 
static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255 
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

 

Navaz
Cisco Employee

Add the below NAT policy for inside users:

nat (inside) 1 172.16.20.0 255.255.255.0

If it doesn't work, provide the packet-tracer output again.

Prashant Joshi
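To tie the NAT replies together (the first reply's nat/global pair, the "remove the nat 0" reply, and this last one), here is an added Python model of how an 8.2 ASA picks a translation for an inside-to-Outside flow under nat-control. It is an illustration written for this page, not ASA code or packet-tracer itself. It reads the pre-8.3 nat, global and nat-control lines as posted, checks the NAT-exempt access-list first, then the most specific matching nat statement, and drops the packet when nat-control is on and nothing matched. The three config texts are constructed from the posts: the NAT lines Navaz listed, that list with the catch-all nat (inside) 0 0.0.0.0 0.0.0.0 Prashant said to remove, and the posted list plus the fix above. The no-nat ACL is reduced to its 172.16.20.0/24 entry, and the Outside address 117.102.8.90 comes from the posted interface config.

```python
import ipaddress

OUTSIDE_IP = "117.102.8.90"   # 'ip address' on the Outside interface in the posted config

# NAT-exempt access-list "no-nat" from the thread, reduced to its 172.16.20.0/24 entry
ACLS = {
    "no-nat": [(ipaddress.ip_network("172.16.20.0/24"), ipaddress.ip_network("10.1.1.0/24"))],
}

# The nat commands Navaz listed (inside direction; the DMZ and static lines are ignored here)
CONFIG_AS_POSTED = """
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
"""

# The catch-all statement Prashant saw in the packet-tracer output and said to remove
CONFIG_CATCH_ALL = """
nat-control
global (Outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
"""

# The posted config plus the line from the reply above
CONFIG_FIXED = CONFIG_AS_POSTED + "nat (inside) 1 172.16.20.0 255.255.255.0\n"


def parse_nat_config(text):
    """Read pre-8.3 nat/global/nat-control lines for the inside -> Outside direction."""
    cfg = {"nat_control": False, "exempt": [], "nat": [], "global": set()}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nat-control":
            cfg["nat_control"] = True
        elif tok[0] == "nat" and tok[1] == "(inside)":
            nat_id = int(tok[2])
            if tok[3] == "access-list":            # nat (inside) 0 access-list NAME
                cfg["exempt"].append(tok[4])
            else:                                   # nat (inside) ID NET MASK
                cfg["nat"].append((nat_id, ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "global" and tok[1] == "(Outside)":
            cfg["global"].add(int(tok[2]))         # global (Outside) ID interface
    return cfg


def translate(cfg, src, dst, acls=ACLS):
    """Return (decision, source address as seen on Outside) for one inside -> Outside flow.
    Order modelled: NAT exemption, then the most specific matching nat statement,
    then the nat-control drop when nothing matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in cfg["exempt"]:
        if any(s in a and d in b for a, b in acls.get(name, [])):
            return "exempt", src
    hits = [(n.prefixlen, nat_id) for nat_id, n in cfg["nat"] if s in n]
    if hits:
        _, nat_id = max(hits)                       # overlapping statements: most specific mask wins
        if nat_id == 0:
            return "identity", src                  # nat (inside) 0 NET MASK: source left untranslated
        if nat_id in cfg["global"]:
            return "pat", OUTSIDE_IP                # global (Outside) ID interface: PAT to the interface
    if cfg["nat_control"]:
        return "drop", None                         # nat-control and no translation: packet dropped
    return "untranslated", src


if __name__ == "__main__":
    cases = (("as posted", CONFIG_AS_POSTED), ("catch-all nat 0", CONFIG_CATCH_ALL), ("fixed", CONFIG_FIXED))
    for label, text in cases:
        print(label, "->", translate(parse_nat_config(text), "172.16.20.10", "4.2.2.2"))
    fixed = parse_nat_config(CONFIG_FIXED)
    print("fixed, to DMZ ->", translate(fixed, "172.16.20.10", "10.1.1.254"))
    print("fixed, from 172.16.30.0/24 ->", translate(fixed, "172.16.30.10", "4.2.2.2"))
```

The last call shows the caveat in the fix above: it adds a nat statement for 172.16.20.0/24 only, so a host in 172.16.30.0/24 still has no translation and nat-control drops it. Each LAN subnet needs its own nat (inside) 1 line, or the 0.0.0.0 0.0.0.0 catch-all from the first reply, while the catch-all nat (inside) 0 form sends the private source address out untranslated, which is why it had to go.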

 
