Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4806
Views
0
Helpful
7
Replies

NAT (INSIDE To OUTSIDE)

Go to solution
Navaz Wattoo
Level 1
Level 1

‎07-04-2013 11:18 PM - edited ‎03-11-2019 07:07 PM

I need Configuration of this topology

At Outside Router

int f0/0

ip add 10.1.1.2 255.255.255.0

At Inside Router

int f0/0

ip add 192.168.1.2 255.255.255.0

At ASA

int e0

ip add 10.1.1.1 255.255.255.0

int e1

ip add 192.168.1.1 255.255.255.0

I want NAT from inside to outside and also need ACL configuration and attached diagram.

and version of ASA is 8.2

Navaz       

Message was edited by: Navaz Wattoo

Navaz
1 person had this problem
Labels:
Preview file
18 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pankaj29in
Level 1
Level 1
In response to Navaz Wattoo

‎07-05-2013 06:12 AM

static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

access-group OUT in interface outside

Remove above 2 commands and yes it will work .

Cheers

Pankaj

Remember to rate helpful answers.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
pankaj29in
Level 1
Level 1

‎07-04-2013 11:52 PM

Static NAT

Nat (inside,outside) 10.1.1.1 192.168.1.1.

Dynamic NAT

nat ( inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface --------------- (PAT)

or

global (outside) 1 10.1.1.1-252 (its depend on your subnet as your /24 in betwen router and firewall)

global (outside) 1 10.1.1.254

ACL requirement depends on your requirement , what exactly you want to achieve, although in this case traffice will traverse from higher to lower so you do not need ACL here.

If you to access from outside to inside ACL would be

access-list Outside_in extended permit tcp any

access-group Outside_in in interface outside.

Regards

Pankaj

0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to pankaj29in

‎07-05-2013 03:49 AM

i need packets from inside to outside

Navaz

Navaz
0 Helpful

Go to solution
pankaj29in
Level 1
Level 1
In response to Navaz Wattoo

‎07-05-2013 04:09 AM

although in this case traffice will traverse from higher to lower so you do not need an ACL here.

Cisco ASA by deault allow your inside traffic to Outside if your configuration is proper.

Do remember to rate helpful post.

Cheers!!

Pankaj

0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to pankaj29in

‎07-05-2013 04:39 AM

with this confiugration can i send packets from inside to outside?

Navaz

Navaz
0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to Navaz Wattoo

‎07-05-2013 05:07 AM

THIS MY ASA CONFIGURATION

ciscoasa(config)# sh running-config

: Saved

:

ASA Version 8.0(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list OUT extended permit tcp any any

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

access-group OUT in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

ciscoasa(config)#

THIS MY OUTSIDE ROUTER CONFIGURATION

R1(config)#do sh run

Building configuration...

Current configuration : 877 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

ip cef

!

no ip domain lookup

ip domain name lab.local

!

multilink bundle-name authenticated

!

interface FastEthernet0/0

ip address 10.1.1.2 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip route 192.168.1.0 255.255.255.0 10.1.1.1

no ip http server

no ip http secure-server

!

logging alarm informational

!

control-plane

!

gatekeeper

shutdown

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line vty 0 4

login

!

!

end

R1(config)#


THIS MY INSIDE ROUTER CONFIGURATION

R2(config)#do sh run

Building configuration...

Current configuration : 880 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no aaa new-model

ip cef

!

no ip domain lookup

ip domain name lab.local

!

multilink bundle-name authenticated

!

interface FastEthernet0/0

ip address 192.168.1.2 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip route 10.1.1.0 255.255.255.0 192.168.1.1

no ip http server

no ip http secure-server

!

logging alarm informational

!

control-plane

!

gatekeeper

shutdown

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

stopbits 1

line vty 0 4

login

!

!

end

R2(config)#


Navaz

Navaz
0 Helpful

Go to solution
pankaj29in
Level 1
Level 1
In response to Navaz Wattoo

‎07-05-2013 06:12 AM

static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

access-group OUT in interface outside

Remove above 2 commands and yes it will work .

Cheers

Pankaj

Remember to rate helpful answers.

0 Helpful

Go to solution
Navaz Wattoo
Level 1
Level 1
In response to pankaj29in

‎07-10-2013 11:14 PM

Thanks a lot

Navaz

Navaz
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card