11-05-2014 02:49 AM - edited 03-11-2019 10:01 PM
Here I want to give my LAN users, on subnet 172.16.20.0/24, access to the internet.
The inside firewall IP is 192.168.11.249/24
and the outside IP is 125.209.70.88/24.
I have also attached a diagram with the IPs.
11-05-2014 03:25 AM
Hi,
Below is the required configuration on ASA:-
route inside 172.16.20.0 255.255.255.0 192.168.11.254
NAT 8.2
===========
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
NAT 8.3+
object network internal_net
subnet 172.16.20.0 255.255.255.0
!
object network internal_net
nat (inside,outside) dynamic interface
Thanks,
Prashant Joshi
11-05-2014 04:38 AM
I have Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
But it's not working. Below is my configuration; the only thing I still need is to allow my LAN users internet access from Inside to Outside. One thing to note: the gateway of the 172.16.20.0/24 users is 172.16.20.254; similarly, the 172.16.30.X/24 users' gateway is 172.16.30.254, the 172.16.40.X/24 users' gateway is 172.16.40.254, and the 172.16.50.X/24 users' gateway is 172.16.50.254. Thanks for the reply.
Version of ASA
ASA Version 8.2(5)
!
hostname ACTIVE
domain-name dhalahore.org
enable password vXH3rdHwVuRbxQ3j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
INTERFACE DETAILS
!
interface Ethernet0/0
description Inside to the Core Switches 1
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/1
description Inside to the Core Switches 2
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/2
description Public Server - DMZ
duplex full
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
description Outside to the Internet via router
duplex full
nameif Outside
security-level 0
ip address 117.102.8.90 255.255.255.248 standby 117.102.8.91
!
interface Management0/0
description LAN/STATE Failover Interface
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
INSIDE INTERFACE
nameif inside
security-level 100
ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!
CREATE OBJECT FOR LAN NETWORKS
object-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 172.16.50.0 255.255.255.0
CREATE ACL FOR OUTSIDE TO INSIDE
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
CREATE ACL FOR THE LAN NETWORK TO ACCESS DMZ SERVERS
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0
CREATE ACL FOR THE DB SERVERS TO DMZ MEMBER AREA SERVER
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list ICMP extended permit icmp any any
access-list SPLIT standard permit 192.168.0.0 255.255.0.0
NAT CONFIGURATION
nat-control
CREATE NAT FOR THE INSIDE USER TO ACCESS
nat (inside) 0 access-list no-nat
CREATE NAT FROM OUTSIDE TO DMZ SERVER(FOR SPECIFIC PORTS OPEN)
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255
static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255
CREATE NAT DMZ TO INSIDE(TO ACCESS THE LAN SPECIFIC USERS)
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0
ALLOW THE ACL 102 TO OUTSIDE INTERFACE
access-group 102 in interface Outside
CREATE ROUTE TO THE ACCESS FROM THE OUTSIDE INTERFACE
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1
CREATE ROUTE TO ACCESS FROM THE INSIDE INTERFACE (ALL VLAN,S INCLUDING APPLICATION,DB,LAN)
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 0.0.0.0 0.0.0.0 192.168.10.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
route inside 172.16.50.0 255.255.255.0 192.168.11.254 1
route inside 192.168.10.0 255.255.255.0 192.168.11.254 1
TO ACCESS INSIDE THROUGH ASDM
http server enable
http 192.168.11.0 255.255.255.0 inside
http 192.168.11.249 255.255.255.255 inside
TO TELNET INSIDE
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet 192.168.10.254 255.255.255.255 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 10
11-05-2014 05:09 AM
You need to configure a PAT policy.
General PAT, which will be used by all inside users:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
However, if you need to be specific:
nat (inside) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 172.16.30.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 172.16.40.0 255.255.255.0
global (outside) 1 interface
If it still doesn't work, provide me the output of the command below:
packet-tracer input inside tcp 172.16.20.10 5656 4.2.2.2 80 detailed
Thanks
Prashant Joshi
11-05-2014 05:41 AM
11-05-2014 05:47 AM
The configuration on the ASA seems to be fine, and packet-tracer shows correct output. I
believe the packets are not reaching the ASA.
Kindly provide me the captures below:
cap capin interface inside match tcp host <host ip> any
cap capout interface outside match tcp any any
sh cap capout
sh cap capin
Thanks,
Prashant Joshi
11-05-2014 05:57 AM
11-05-2014 06:57 AM
As expected, internet traffic is not reaching the ASA; we can see only telnet traffic
(to the ASA inside interface).
Have you configured a default route pointing to the ASA on your 3750 switch?
Thanks
Prashant Joshi
11-05-2014 07:56 PM
These are the routes added at the core switch 3750:
ip classless
ip route 0.0.0.0 0.0.0.0 221.120.216.153
ip route 5.5.5.0 255.255.255.0 192.168.11.249
ip route 10.1.1.0 255.255.255.0 192.168.10.249
ip route 10.1.1.0 255.255.255.0 192.168.11.249
ip route 172.16.20.0 255.255.255.0 192.168.10.249
ip http server
DC-Core1(config)# do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
S 5.5.5.0 [1/0] via 192.168.11.249
C 192.168.10.0/24 is directly connected, Vlan10
172.16.0.0/24 is subnetted, 5 subnets
C 172.16.50.0 is directly connected, Vlan80
C 172.16.40.0 is directly connected, Vlan70
C 172.16.30.0 is directly connected, Vlan60
C 172.16.20.0 is directly connected, Vlan50
C 172.16.10.0 is directly connected, Vlan10
C 192.168.11.0/24 is directly connected, Vlan11
10.0.0.0/24 is subnetted, 1 subnets
S 10.1.1.0 [1/0] via 192.168.11.249
[1/0] via 192.168.10.249
11-05-2014 08:58 PM
The route below is punting all the traffic to 221.120.216.153, so we need to delete it:
ip route 0.0.0.0 0.0.0.0 221.120.216.153
no ip route 0.0.0.0 0.0.0.0 221.120.216.153
We need to punt all the default traffic to the ASA, so add the route below:
ip route 0.0.0.0 0.0.0.0 192.168.11.249
In addition, if 172.16.20.0/24 is a directly connected network on the 3750, we don't need the route below:
ip route 172.16.20.0 255.255.255.0 192.168.10.249
Thanks,
Prashant Joshi
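To make the routing diagnosis above concrete, here is an added example (not part of the thread, and not Cisco code) that models the 3750's forwarding decision in Python: longest-prefix match first, then lowest administrative distance, with remaining ties treated as equal-cost next hops. The static routes and the connected VLAN networks are constructed from the lines the poster showed; `apply_fix` is a hypothetical helper that performs the two changes recommended above (drop the default via 221.120.216.153 and the redundant 172.16.20.0 static, add a default via the ASA).

```python
import ipaddress

# Constructed from the "ip route" lines posted for the 3750 (static routes, AD 1).
STATIC_ROUTES_BEFORE = """
ip route 0.0.0.0 0.0.0.0 221.120.216.153
ip route 5.5.5.0 255.255.255.0 192.168.11.249
ip route 10.1.1.0 255.255.255.0 192.168.10.249
ip route 10.1.1.0 255.255.255.0 192.168.11.249
ip route 172.16.20.0 255.255.255.0 192.168.10.249
"""

# Directly connected VLAN networks from the posted "sh ip route" output (AD 0, no next hop).
CONNECTED = ["192.168.10.0/24", "192.168.11.0/24", "172.16.10.0/24", "172.16.20.0/24",
             "172.16.30.0/24", "172.16.40.0/24", "172.16.50.0/24"]


def parse_static_routes(text):
    """Parse 'ip route NET MASK NEXTHOP' lines into (network, next_hop, ad) tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["ip", "route"]:
            continue  # ignore anything that is not a simple static route
        net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        routes.append((net, parts[4], 1))
    return routes


def build_rib(static_text):
    """Connected networks (AD 0) plus the parsed statics (AD 1)."""
    rib = [(ipaddress.ip_network(n), None, 0) for n in CONNECTED]
    return rib + parse_static_routes(static_text)


def lookup(rib, dst):
    """Return (matched_network, [next_hops]); a None next hop means 'directly connected'.
    Longest prefix wins, then lowest AD; equal survivors are ECMP next hops."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, nh, ad) for net, nh, ad in rib if dst in net]
    if not candidates:
        return None, []
    best_len = max(net.prefixlen for net, _, _ in candidates)
    best_ad = min(ad for net, _, ad in candidates if net.prefixlen == best_len)
    hops = [nh for net, nh, ad in candidates if net.prefixlen == best_len and ad == best_ad]
    best_net = next(net for net, _, _ in candidates if net.prefixlen == best_len)
    return str(best_net), hops


def apply_fix(static_text):
    """Hypothetical helper: apply the two changes recommended in the thread to the static
    route text and return the new text (default now points at the ASA inside address)."""
    drop = {"ip route 0.0.0.0 0.0.0.0 221.120.216.153",
            "ip route 172.16.20.0 255.255.255.0 192.168.10.249"}
    lines = [l for l in static_text.strip().splitlines() if l not in drop]
    lines.append("ip route 0.0.0.0 0.0.0.0 192.168.11.249")
    return "\n".join(lines)


if __name__ == "__main__":
    before, after = build_rib(STATIC_ROUTES_BEFORE), build_rib(apply_fix(STATIC_ROUTES_BEFORE))
    for dst in ("4.2.2.2", "172.16.20.10", "10.1.1.254"):
        print(dst, "before:", lookup(before, dst), "after:", lookup(after, dst))
```

Running it shows why the captures only saw telnet: an Internet-bound packet from 172.16.20.10 to 4.2.2.2 matches nothing more specific than 0.0.0.0/0 and is sent to 221.120.216.153, never to the ASA; after the fix the same lookup returns 192.168.11.249. It also shows that the static for 172.16.20.0/24 was already inert, since the connected route (AD 0) wins the tie, and that 10.1.1.0/24 has two equal-cost next hops.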
11-05-2014 09:29 PM
Thanks, it's working. But now the next step is to allow only Outlook traffic from the inside LAN to outside.
11-05-2014 10:55 PM
You need to allow whatever subnets and respective ports you need. For example:
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 25
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq XY
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq YZ
access-group inside_out in interface inside
Thanks,
Prashant Joshi
11-06-2014 03:13 AM
Thanks Josh, but it's not working.
I also have different ACLs. Can you verify that they are not creating the problem?
object-group network DMZ-BLOCKED-LAN-NETWORKS
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
network-object 172.16.40.0 255.255.255.0
network-object 172.16.50.0 255.255.255.0
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit ip 5.5.5.0 255.255.255.0 any
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list ICMP extended permit icmp any any
access-list SPLIT standard permit 192.168.0.0 255.255.0.0
11-06-2014 03:40 AM
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
The access-lists above allow any source to access destination 117.102.8.90 on specific ports; all other destinations are restricted.
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0
All these access-lists are used in NAT Exempt from specific source to destination.
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
The DMZ access-lists block connections to DMZ-BLOCKED-LAN-NETWORKS and allow 10.1.1.0/24 to access anything else.
You need to apply these access-lists on an interface as well:
access-group <access-list name> in interface <interface name>
Thanks,
Prashant Joshi
11-06-2014 03:45 AM
After applying these, can I then allow only Outlook traffic? My Outlook ports are configured as the SSL ports 995 and 465.
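The ACL discussion above (the `inside_out` example for the inside interface, the explanation of ACL 102, and the question about ports 995 and 465) can be checked offline with the following added example. It is not code from the thread or from Cisco; it is a small Python model of ASA access-list semantics: rules are evaluated top down, the first match wins, and a flow that matches nothing hits the implicit deny at the end of the list. The parser handles `any`, `host`, network/mask and `eq` port forms only (no `object-group`, ranges or ICMP types), and the `inside_out` list shown is a constructed extension of the posted one with the two Outlook ports added; the sample flows are constructed.

```python
import ipaddress

# Service names as used on the page, mapped to TCP ports.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "telnet": 23}

# Constructed: the posted inside_out example extended with the poster's Outlook ports.
OUTBOUND_ACL = """
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 25
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 995
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 465
"""

# ACL 102 exactly as posted (applied inbound on Outside).
OUTSIDE_ACL = """
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp
"""


def parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, None) or int(name), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]' lines
    into {name: [(action, proto, src_net, sport, dst_net, dport), ...]}. Remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, t = t[1], t[2:]
        if t[0] == "extended":
            t = t[1:]
        action, proto, t = t[0], t[1], t[2:]
        src, t = parse_addr(t)
        sport, t = parse_port(t)
        dst, t = parse_addr(t)
        dport, t = parse_port(t)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls


def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, matching_rule_index); (deny, None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, i
    return "deny", None


if __name__ == "__main__":
    inside_out = parse_acl(OUTBOUND_ACL)["inside_out"]
    for dport in (25, 995, 465, 80):
        print("172.16.20.10 -> 4.2.2.2:", dport, evaluate(inside_out, "tcp", "172.16.20.10", 5656, "4.2.2.2", dport))
    acl102 = parse_acl(OUTSIDE_ACL)["102"]
    print("outside -> 117.102.8.90:443", evaluate(acl102, "tcp", "198.51.100.7", 40000, "117.102.8.90", 443))
```

The point it makes for the poster's question: once `inside_out` is bound with `access-group ... in interface inside`, the implicit deny means that only the listed ports (25, 995, 465) leave the 172.16.20.0/24 subnet; web traffic on port 80 from the same hosts, and Outlook traffic from 172.16.30.0/24, which has no entry at all, are dropped. Adding the `inside_out` ACL also removes the "all permitted from a higher security level" default, so DNS and any other service the users need must be listed too.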