07-01-2014 04:43 AM - edited 03-11-2019 09:24 PM
Hi Friends
Please guide me if my configuration is ok. I am not able to ping the public ip through the ASA resulting in failure to login to the sip server.
I need to nat the inside network to outside.
Nat required between
88.55.164.10 to 101.164.50.50
88.55.164.11 to 101.164.50.25
Please note the version of ASA below:
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.1(6)
I have configured as below
access-list 200 extended permit tcp any host 88.55.164.10
access-list 200 extended permit tcp any host 88.55.164.11
access-group 200 in interface outside
object network obj_sip-101.164.50.50
 host 101.164.50.50
object network obj_sip_1-101.164.50.25
 host 101.164.50.25
object network obj_sip-101.164.50.50
 nat (inside,outside) static 88.55.164.10
object network obj_sip_1-101.164.50.25
 nat (inside,outside) static 88.55.164.11
Regards,
Ahmed
07-01-2014 06:05 AM
At first glance you do not have any ACLs applied that allow access from the outside in. You would need to add the following commands:
no access-list outside_access_in extended permit ip host 88.55.164.10 any
no access-list outside_access_in extended permit ip any host 88.55.164.10
access-list outside_access_in extended permit ip any host 101.164.50.25
access-list outside_access_in extended permit ip any host 101.164.50.50
access-group outside_access_in in interface outside
Keep in mind that you will now be allowing all traffic in to those hosts. If possible it would be best to identify the exact ports that you need to have opened and only open for those ports.
Add these commands and then test.
--
Please remember to select a correct answer and rate helpful posts
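An added example, not part of the thread: a small Python check for the two points this answer turns on. On ASA 8.3 and later, an interface ACL is matched against the real (inside) address of a statically NATed host, not its mapped public address, so the script flags outside ACL entries written against the mapped address and also flags `permit ip any host` entries that open every port. The sample input is the configuration posted in the question; the function names are hypothetical.

```python
import re

# Sample input: the configuration posted in the question (ASA 8.4).
SAMPLE_CONFIG = """\
access-list 200 extended permit tcp any host 88.55.164.10
access-list 200 extended permit tcp any host 88.55.164.11
access-group 200 in interface outside
object network obj_sip-101.164.50.50
 host 101.164.50.50
object network obj_sip_1-101.164.50.25
 host 101.164.50.25
object network obj_sip-101.164.50.50
 nat (inside,outside) static 88.55.164.10
object network obj_sip_1-101.164.50.25
 nat (inside,outside) static 88.55.164.11
"""

def static_nat_map(config):
    """Return {mapped_ip: real_ip} for object-network static NAT rules."""
    real, mapped, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"host (\S+)$", line)):
            real[current] = m.group(1)
        elif current and (m := re.match(r"nat \(\S+?,\S+?\) static (\S+)", line)):
            mapped[current] = m.group(1)
    return {mapped[o]: real[o] for o in mapped if o in real}

def audit_acl(config, interface="outside"):
    """Return (acl_line, finding) pairs for ACLs applied inbound on interface."""
    nat = static_nat_map(config)
    bound = set(re.findall(
        rf"^access-group (\S+) in interface {re.escape(interface)}$", config, re.M))
    findings = []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"access-list (\S+) extended permit (\S+) any host (\S+)", line)
        if not m or m.group(1) not in bound:
            continue
        proto, dst = m.group(2), m.group(3)
        if dst in nat:  # written against the public address
            findings.append((line, f"mapped IP used; ACL must name real IP {nat[dst]}"))
        elif dst in nat.values() and proto == "ip":  # real IP, but wide open
            findings.append((line, "permits all protocols and ports to this host"))
    return findings

if __name__ == "__main__":
    for acl_line, finding in audit_acl(SAMPLE_CONFIG):
        print(f"{acl_line}\n  -> {finding}")
```

Run against the question's configuration it reports both `access-list 200` lines as naming the mapped address; an ACL rewritten with `permit ip any host <real IP>` is reported as wide open until it is narrowed to specific ports.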
07-01-2014 06:28 AM
07-01-2014 05:03 AM
Folks, please help me in sorting this out as I need to settle this down today.
07-01-2014 05:38 AM
When you are saying that you can not ping the public IP through the ASA, which IP are you trying to ping?
Are you able to ping the internet from any of those two servers (50.50 and 50.25)?
Could you issue the following packet tracer on the ASA:
packet-tracer input inside tcp 101.164.50.25 12345 4.2.2.2 5060 detail
packet-tracer input inside tcp 101.164.50.50 12345 4.2.2.2 5060 detail
Could you please post the full ASA configuration (sanitised)? I feel it is easier to troubleshoot when seeing the whole picture.
--
Please remember to select a correct answer and rate helpful posts
07-01-2014 05:56 AM
07-01-2014 06:23 AM
Bingo, thank you so much. Resolved.
07-01-2014 06:28 AM