Internet access for LAN user through inside to outside

Navaz Wattoo
Level 1

Here I want to give internet access to my LAN users on subnet 172.16.20.0/24.

The inside firewall IP is 192.168.11.249/24.

The outside IP is 125.209.70.88/24, and I have also attached a diagram with the IPs.

Navaz
25 Replies

Prashant Joshi
Cisco Employee

Hi,

Below is the required configuration on ASA:-

route inside 172.16.20.0 255.255.255.0 192.168.11.254

Nat 8.2
===========

nat (inside) 1 0 0
global (outside) 1 interface

Nat 8.3+
===========

object network internal_net
 subnet 172.16.20.0 255.255.255.0
!
object network internal_net
 nat (inside,outside) dynamic interface

Thanks,

Prashant Joshi

I have Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

But it's not working. Below is my configuration; I now only need to allow my LAN users internet access through Inside to Outside. One thing is that the 172.16.20.0/24 users' gateway is 172.16.20.254; similarly the 172.16.30.X/24 users' gateway is 172.16.30.254, the 172.16.40.X/24 users' gateway is 172.16.40.254, and the 172.16.50.X/24 users' gateway is 172.16.50.254. Thanks for the reply.

Version of ASA

ASA Version 8.2(5)
!
hostname ACTIVE
domain-name dhalahore.org
enable password vXH3rdHwVuRbxQ3j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

INTERFACE DETAILS
!
interface Ethernet0/0
 description Inside to the Core Switches 1
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 description Inside to the Core Switches 2
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 description Public Server - DMZ
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Ethernet0/3
 description Outside to the Internet via router
 duplex full
 nameif Outside
 security-level 0
 ip address 117.102.8.90 255.255.255.248 standby 117.102.8.91
!
interface Management0/0
 description LAN/STATE Failover Interface
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
INSIDE INTERFACE
 nameif inside
 security-level 100
 ip address 192.168.11.249 255.255.255.0 standby 192.168.11.250
!

CREATE OBJECT FOR LAN NETWORKS
object-group network DMZ-BLOCKED-LAN-NETWORKS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.50.0 255.255.255.0

CREATE ACL FOR OUTSIDE TO INSIDE
access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888
access-list 102 extended permit tcp any host 117.102.8.90 eq https
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp

CREATE ACL FOR THE LAN NETWORK TO ACCESS DMZ SERVERS
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 125.209.70.88 255.255.255.248
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0

CREATE ACL FOR THE DB SERVERS TO DMZ MEMBER AREA SERVER
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list ICMP extended permit icmp any any
access-list SPLIT standard permit 192.168.0.0 255.255.0.0

NAT CONFIGURATION
nat-control

CREATE NAT FOR THE INSIDE USER TO ACCESS
nat (inside) 0 access-list no-nat

CREATE NAT FROM OUTSIDE TO DMZ SERVER (FOR SPECIFIC PORTS OPEN)
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255
static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255

CREATE NAT DMZ TO INSIDE (TO ACCESS THE LAN SPECIFIC USERS)
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0

ALLOW THE ACL 102 TO OUTSIDE INTERFACE
access-group 102 in interface Outside

CREATE ROUTE TO THE ACCESS FROM THE OUTSIDE INTERFACE
route Outside 0.0.0.0 0.0.0.0 125.209.70.89 1

CREATE ROUTE TO ACCESS FROM THE INSIDE INTERFACE (ALL VLANS INCLUDING APPLICATION, DB, LAN)
route inside 0.0.0.0 0.0.0.0 192.168.11.254 2
route inside 0.0.0.0 0.0.0.0 192.168.10.254 2
route inside 172.16.10.0 255.255.255.0 192.168.11.254 1
route inside 172.16.20.0 255.255.255.0 192.168.11.254 1
route inside 172.16.30.0 255.255.255.0 192.168.11.254 1
route inside 172.16.40.0 255.255.255.0 192.168.11.254 1
route inside 172.16.50.0 255.255.255.0 192.168.11.254 1
route inside 192.168.10.0 255.255.255.0 192.168.11.254 1

TO ACCESS INSIDE THROUGH ASDM
http server enable
http 192.168.11.0 255.255.255.0 inside
http 192.168.11.249 255.255.255.255 inside

TO TELNET INSIDE
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.11.254 255.255.255.255 inside
telnet 192.168.10.254 255.255.255.255 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 10

Navaz

 

You need to configure a PAT policy.

General PAT, which will be used by all inside users:

nat (inside) 1 0 0
global (outside) 1 interface

However, if you need to be specific:

nat (inside) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface

nat (inside) 1 172.16.30.0 255.255.255.0
global (outside) 1 interface

nat (inside) 1 172.16.40.0 255.255.255.0
global (outside) 1 interface

If it still doesn't work, provide me the output below:

packet-tracer input inside tcp 172.16.20.10 5656 4.2.2.2 80 det

Thanks

Prashant Joshi
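To make the reasoning in this reply concrete, here is an added Python model of how an ASA 8.2 classifies a flow that enters the inside interface. It is not Cisco code and not anything posted in this thread; it only mirrors the order the 8.2 NAT engine uses (NAT exemption from `nat 0 access-list` first, then dynamic `nat`/`global` PAT, then the `nat-control` drop when nothing matches). Addresses come from the posted configuration; the function and constant names are my own.

```python
"""Toy model of the ASA 8.2 outbound NAT decision discussed in this thread.

Added example, not Cisco code. Order of evaluation mirrors an 8.2 ASA:
  1. 'nat (inside) 0 access-list no-nat' (NAT exemption) wins if the ACL matches;
  2. otherwise a 'nat (inside) <id> <net> <mask>' entry whose <id> has a
     matching 'global (outside) <id> interface' gives dynamic PAT;
  3. otherwise, with 'nat-control' enabled, the packet is dropped because no
     translation exists (the symptom the original configuration shows).
"""
import ipaddress

OUTSIDE_IP = "117.102.8.90"   # ASA Outside interface address from the posted config


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# Subset of the posted 'no-nat' ACL (LAN subnets -> DMZ) used by 'nat (inside) 0'
NO_NAT_ACL = [
    (_net("172.16.10.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
    (_net("172.16.20.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
    (_net("172.16.30.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
    (_net("172.16.40.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
    (_net("172.16.50.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
    (_net("192.168.11.0", "255.255.255.0"), _net("10.1.1.0", "255.255.255.0")),
]

# The original configuration: nat-control on, only the nat 0 exemption, no global
ORIGINAL_NAT, ORIGINAL_GLOBALS = [], set()

# 'nat (inside) 1 0 0' + 'global (outside) 1 interface' from this reply
FIXED_NAT, FIXED_GLOBALS = [(1, _net("0.0.0.0", "0.0.0.0"))], {1}

# The per-subnet form from this reply (only three of the five LAN subnets)
SPECIFIC_NAT = [
    (1, _net("172.16.20.0", "255.255.255.0")),
    (1, _net("172.16.30.0", "255.255.255.0")),
    (1, _net("172.16.40.0", "255.255.255.0")),
]


def classify(src, dst, nat_entries, global_ids, nat_control=True):
    """Return how a packet src->dst arriving on 'inside' is translated.

    nat_entries: list of (nat_id, network) from 'nat (inside) <id> <net> <mask>'
    global_ids:  ids that have a 'global (outside) <id> interface' statement
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption is consulted before any dynamic translation
    for src_net, dst_net in NO_NAT_ACL:
        if s in src_net and d in dst_net:
            return "exempt (no translation, nat 0)"
    # 2. first dynamic nat entry covering the source with a usable global pool
    for nat_id, net in nat_entries:
        if s in net and nat_id in global_ids:
            return f"PAT to {OUTSIDE_IP} (nat id {nat_id})"
    # 3. nothing matched: nat-control decides between drop and untranslated forward
    if nat_control:
        return "DROPPED: nat-control is on and no translation matches"
    return "forwarded untranslated (nat-control off)"


if __name__ == "__main__":
    for label, nat, glob in (("original", ORIGINAL_NAT, ORIGINAL_GLOBALS),
                             ("fixed", FIXED_NAT, FIXED_GLOBALS),
                             ("specific", SPECIFIC_NAT, FIXED_GLOBALS)):
        print(label, "172.16.20.10 -> 4.2.2.2:", classify("172.16.20.10", "4.2.2.2", nat, glob))
        print(label, "192.168.10.5 -> 4.2.2.2:", classify("192.168.10.5", "4.2.2.2", nat, glob))
```

The model shows the two things worth checking on the box itself: with the original configuration a LAN host reaching the internet has no translation and is dropped because `nat-control` is set, while LAN-to-DMZ traffic is exempted and works; and with the per-subnet form, any subnet you forget to list (here 192.168.10.0/24 and 172.16.50.0/24) is still dropped, which is what `packet-tracer` would report as a NAT failure.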

 

It didn't work. I attached the files that you required.

Thanks

Navaz

The configuration seems to be fine on the ASA; packet-tracer is showing correct outputs. I believe packets are not reaching the ASA.

Kindly provide me the captures below.

capture capin interface inside match tcp host <host ip> any
capture capout interface outside match tcp any any
show capture capout
show capture capin

Thanks,

Prashant Joshi

Please find the attached file. But on the Inside interface of the ASA a core switch 3750 exists, and after that a layer 2 switch 2960 exists where the LAN is.

Navaz

As expected, internet traffic is not reaching the ASA; we can see only telnet traffic (to the ASA inside interface).

Have you configured a default route pointing to the ASA on your 3750 switch?

Thanks

Prashant Joshi

These are the routes added at the core switch 3750:

ip classless
ip route 0.0.0.0 0.0.0.0 221.120.216.153
ip route 5.5.5.0 255.255.255.0 192.168.11.249
ip route 10.1.1.0 255.255.255.0 192.168.10.249
ip route 10.1.1.0 255.255.255.0 192.168.11.249
ip route 172.16.20.0 255.255.255.0 192.168.10.249
ip http server

 

DC-Core1(config)#  do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     5.0.0.0/24 is subnetted, 1 subnets
S       5.5.5.0 [1/0] via 192.168.11.249
C    192.168.10.0/24 is directly connected, Vlan10
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.50.0 is directly connected, Vlan80
C       172.16.40.0 is directly connected, Vlan70
C       172.16.30.0 is directly connected, Vlan60
C       172.16.20.0 is directly connected, Vlan50
C       172.16.10.0 is directly connected, Vlan10
C    192.168.11.0/24 is directly connected, Vlan11
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [1/0] via 192.168.11.249
                 [1/0] via 192.168.10.249

Navaz

The route below is punting all the traffic to 221.120.216.153, so we need to delete this route: ip route 0.0.0.0 0.0.0.0 221.120.216.153

no ip route 0.0.0.0 0.0.0.0 221.120.216.153

We need to punt all the default traffic to the ASA, so add the route below.

ip route 0.0.0.0 0.0.0.0 192.168.11.249

In addition, if 172.16.20.0/24 is a directly connected network on the 3750, we don't need the route below:

ip route 172.16.20.0 255.255.255.0 192.168.10.249

Thanks,

Prashant Joshi
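As an added illustration of this diagnosis (my own example, not Cisco code and not part of the thread), the longest-prefix-match lookup below is run over the routing table the poster showed for DC-Core1, before and after the default route is repointed at the ASA inside address. The table entries are taken from the posted `show ip route`; the helper names are mine, and the second equal-cost path to 10.1.1.0/24 via 192.168.10.249 is left out for brevity.

```python
"""Longest-prefix-match lookup over the DC-Core1 (3750) routing table posted
in this thread, showing why internet-bound LAN traffic never reached the ASA.

Added example, not Cisco code. Entries come from the poster's 'show ip route';
the 'AFTER' table applies the two route changes suggested in the reply above.
"""
import ipaddress

ASA_INSIDE = "192.168.11.249"


def build_table(entries):
    """entries: iterable of (prefix, next_hop); next_hop is an IP string or
    the name of the directly connected VLAN interface."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in entries]


# Routing table as posted, before the fix
BEFORE = build_table([
    ("0.0.0.0/0", "221.120.216.153"),   # static default, NOT via the ASA
    ("5.5.5.0/24", ASA_INSIDE),
    ("10.1.1.0/24", ASA_INSIDE),        # ECMP path via 192.168.10.249 omitted
    ("172.16.10.0/24", "Vlan10"),
    ("172.16.20.0/24", "Vlan50"),       # connected, so the static via 192.168.10.249 never wins
    ("172.16.30.0/24", "Vlan60"),
    ("172.16.40.0/24", "Vlan70"),
    ("172.16.50.0/24", "Vlan80"),
    ("192.168.10.0/24", "Vlan10"),
    ("192.168.11.0/24", "Vlan11"),
])

# Same table after 'no ip route 0.0.0.0 0.0.0.0 221.120.216.153' and
# 'ip route 0.0.0.0 0.0.0.0 192.168.11.249'
AFTER = [(net, ASA_INSIDE if net.prefixlen == 0 else nh) for net, nh in BEFORE]


def lookup(table, dst):
    """Return the next hop for dst by longest-prefix match, or None if no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reaches_asa(table, dst):
    """True when the switch would forward dst towards the ASA inside interface,
    i.e. when the firewall (and its ACLs, NAT and logging) actually sees the flow."""
    return lookup(table, dst) == ASA_INSIDE


if __name__ == "__main__":
    for dst in ("4.2.2.2", "10.1.1.254", "172.16.20.10"):
        print(f"{dst:>14}  before: {lookup(BEFORE, dst):<16} after: {lookup(AFTER, dst)}")
```

The same check is worth repeating after the change with `show ip route 4.2.2.2` on the 3750 and the `capture capin` from the earlier reply on the ASA: internet-bound packets must resolve to 192.168.11.249, otherwise the firewall never gets the chance to apply its NAT or access-list policy to them.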

 

 

Thanks, it's working. But now the next step is to only allow Outlook traffic from the inside LAN to outside.

Navaz

You need to allow whatever subnets and respective ports you need... for example:-

access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 25
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq XY
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq YZ

access-group inside_out in interface inside

Thanks,

Prashant Joshi

Thanks Josh, but it's not working.

I also have different ACLs. Can you verify that they don't create the problem?

object-group network DMZ-BLOCKED-LAN-NETWORKS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.50.0 255.255.255.0
access-list 102 extended permit tcp any host 117.102.8.90 eq www 
access-list 102 extended permit ip 5.5.5.0 255.255.255.0 any 
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888 
access-list 102 extended permit tcp any host 117.102.8.90 eq https 
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet 
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3 
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp 
access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo 
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo 
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS 
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any 
access-list ICMP extended permit icmp any any 
access-list SPLIT standard permit 192.168.0.0 255.255.0.0 

 

Navaz

access-list 102 extended permit tcp any host 117.102.8.90 eq www
access-list 102 extended permit tcp any host 117.102.8.90 eq 8888 
access-list 102 extended permit tcp any host 117.102.8.90 eq https 
access-list 102 extended permit tcp any host 117.102.8.90 eq telnet 
access-list 102 extended permit tcp any host 117.102.8.90 eq pop3 
access-list 102 extended permit tcp any host 117.102.8.90 eq smtp 

The access-lists above are allowing any source to access destination 117.102.8.90 on specific ports; all other destinations are restricted.

access-list no-nat extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.30.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.40.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 117.102.8.90 255.255.255.248 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.11.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0 
access-list no-nat extended permit ip 172.16.50.0 255.255.255.0 10.1.1.0 255.255.255.0 

All these access-lists are used in NAT exemption from specific sources to specific destinations.

 

access-list DMZ-IN remark Allow ICMP from DMZ server to INSIDE server
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.18 echo 
access-list DMZ-IN extended permit icmp host 10.1.1.254 host 192.168.11.10 echo 
access-list DMZ-IN remark Block connections from DMZ to INSIDE networks
access-list DMZ-IN extended deny ip any object-group DMZ-BLOCKED-LAN-NETWORKS 
access-list DMZ-IN remark Allow all other traffic
access-list DMZ-IN extended permit ip 10.1.1.0 255.255.255.0 any 

The DMZ access-lists are blocking connections to DMZ-BLOCKED and allowing 10.1.1.0/24 to access anything.

You need to apply these access-lists on the interfaces as well.

access-group <access-list name> in interface <interface name>

Prashant Joshi

After applying these, then I can allow only Outlook traffic; my Outlook ports are configured at SSL ports 995 and 465.

Navaz
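To show what the `inside_out` access-list from the reply above does once it is applied with `access-group inside_out in interface inside`, here is an added Python evaluator (my own example, not Cisco code and not from anyone in the thread). It parses ACEs in the ASA syntax used on this page, filled in with the ports the poster named (25, 995 and 465), and evaluates flows first-match with the implicit deny that ends every interface ACL. Port-name mappings and helper names are my own; only the ACL syntax and addresses come from the thread.

```python
"""First-match evaluator for the ASA 'inside_out' access-list discussed above.

Added example, not Cisco code. Mirrors ASA access-list semantics: entries are
evaluated in order, the first match decides, and an ACL applied to an interface
ends with an implicit 'deny ip any any'.
"""
import ipaddress
from collections import namedtuple

ACE = namedtuple("ACE", "action proto src dst dport")

# Port keywords that appear in this thread's configuration (assumed mapping)
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "pop3": 110, "smtp": 25}


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return ACE(action, proto, src, dst, dport)


# The reply's example ACL with the poster's Outlook ports filled in (constructed)
INSIDE_OUT_CONFIG = """
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 25
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 995
access-list inside_out extended permit tcp 172.16.20.0 255.255.255.0 any eq 465
"""
INSIDE_OUT = [parse_ace(l) for l in INSIDE_OUT_CONFIG.splitlines() if l.strip()]


def evaluate(acl, proto, src, dst, dport=None):
    """Return True if the flow is permitted by the ACL, False if denied
    (explicitly or by the implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False  # implicit deny ip any any


if __name__ == "__main__":
    for proto, dport in (("tcp", 995), ("tcp", 465), ("tcp", 80), ("udp", 53)):
        verdict = "permit" if evaluate(INSIDE_OUT, proto, "172.16.20.10", "4.2.2.2", dport) else "deny"
        print(f"172.16.20.10 -> 4.2.2.2 {proto}/{dport}: {verdict}")
```

Two consequences the evaluator makes visible: the implicit deny also drops everything the list does not name, so name resolution (UDP/53) from the LAN has to be either permitted explicitly or served by an internal resolver that the clients can reach, and the other LAN subnets (172.16.30.0/24 and so on) need their own entries. On the ASA, `show access-list inside_out` hit counts and a `packet-tracer input inside tcp 172.16.20.10 5656 4.2.2.2 995` confirm which entry a flow actually matches.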