10-20-2014 08:47 PM - edited 03-11-2019 09:57 PM
Thanks a lot, I attached a diagram here.
Requirement:
Need to pass traffic from outside to inside and from inside to outside.
I also attached a diagram with the IPs.
And also tell me one thing: is NATting only for private to public or public to private?
10-21-2014 02:05 AM
Hi,
I think I replied to your post earlier as well.
As per your query, you can NAT any kind of IP (public or private) into any kind (public or private).
For bidirectional traffic, you always need static NAT.
When you want unidirectional traffic, you can use dynamic NAT/PAT.
For the inside-to-outside traffic, you can use this NAT:
object network LAN
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
For outside-to-inside traffic, you would only want access for certain servers, like internally hosted web servers.
For this, you can use static PAT/NAT:
object network host
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
access-group outside_inside in interface outside
This will enable you to take RDP access to your PC from the internet.
Is this what you want?
Thanks and Regards,
Vibhor Amrodia
10-21-2014 03:42 AM
Thanks Vibhor
Attached updated diagram
1. In this diagram the DMZ server with IP 10.1.1.103/24 is the internet proxy server for the LAN users, and I need only HTTPS or HTTP traffic allowed from the DMZ server.
2. For Outlook on the LAN users, I need to allow only Microsoft Outlook traffic from inside to outside.
And the ASA version is 8.2(5).
These two are the requirement.
Thanks
10-21-2014 03:44 AM
Hi,
As per your requirements:
1) You can restrict the traffic using the interface ACLs and only allow ports 80 and 443 through the ASA device. This you can apply on the DMZ interface.
2) For this, I think you might need to port-forward ports 443 and 25 from the public IP to the Microsoft server, or you can also apply a one-to-one NAT on the ASA device and allow the ACL on the outside interface.
Let me know if you have any other queries.
Thanks and Regards,
Vibhor Amrodia
10-21-2014 03:55 AM
Please provide the configuration for these two points.
Thanks
10-21-2014 04:08 AM
Hi,
1) access-list DMZ-To-outside permit tcp any any eq 80
access-list DMZ-To-outside permit tcp any any eq 443
access-list DMZ-To-outside deny ip any any
! apply it inbound on the DMZ interface (dmz = the nameif of that interface)
access-group DMZ-To-outside in interface dmz
2) object network Outlook
 host <Private IP>
 nat (inside,outside) static interface service tcp 25 25
object network Outlook-Https
 host <Private IP>
 nat (inside,outside) static interface service tcp 443 443
! on 8.3+ the outside ACL references the real (private) address
access-list outside-inside permit tcp any host <Private IP> eq 25
access-list outside-inside permit tcp any host <Private IP> eq 443
access-group outside-inside in interface outside
Thanks and Regards,
Vibhor Amrodia
10-21-2014 04:25 AM
It gives error
ACTIVE(config)# host 172.16.20.42
ERROR: Invalid hostname: '172.16.20.42'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
ACTIVE(config)#
10-21-2014 04:34 AM
Hi,
You don't have to exit out of the object sub-configuration.
ACTIVE(config-obj)# host 172.16.20.42
ACTIVE(config-obj)# nat (inside,outside) static interface service tcp 443 443
Thanks and Regards,
Vibhor Amrodia
10-21-2014 04:38 AM
Now got this error
ACTIVE(config)# object network Outlook
ACTIVE(config-network)# host 172.16.20.42
ERROR: Invalid hostname: '172.16.20.42'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
ACTIVE(config)#
10-21-2014 04:44 AM
Hi,
Which version are you using on the ASA device ?
This should look like this:
ciscoasa(config)# object network outlook
ciscoasa(config-network-object)# host 172.16.20.42
ciscoasa(config-network-object)#
Thanks and Regards,
Vibhor Amrodia
10-21-2014 04:53 AM
Same result, but the version is below:
ASA5510
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
10-21-2014 06:23 PM
Hi,
Yes, so as I pointed out earlier, this is not available on ASA 8.2.
Thanks and Regards,
Vibhor Amrodia
10-21-2014 08:32 PM
Then how can I configure his ASA? Please provide the solution.
10-21-2014 09:26 PM
Hi,
I would request you to add the details correctly in the post so we can assist you with your queries.
In the post header, you mentioned the software version as ASA 8.4.2.
On ASA 8.2.5, this would be the configuration:
1) access-list DMZ-To-outside permit tcp any any eq 80
access-list DMZ-To-outside permit tcp any any eq 443
access-list DMZ-To-outside deny ip any any
access-group DMZ-To-outside in interface dmz
2)
! 8.2 static PAT syntax: static (real,mapped) tcp <mapped IP|interface> <mapped port> <real IP> <real port>
static (inside,outside) tcp interface 25 <Private IP> 25 netmask 255.255.255.255
static (inside,outside) tcp interface 443 <Private IP> 443 netmask 255.255.255.255
! on 8.2 the outside ACL references the mapped address, i.e. the interface
access-list outside-inside permit tcp any interface outside eq 25
access-list outside-inside permit tcp any interface outside eq 443
access-group outside-inside in interface outside
Also, as you would be forwarding port 443 from the ASA outside interface IP, please change the port that the ASA listens on for ASDM:
http server enable 4443
Thanks and Regards,
Vibhor Amrodia
10-21-2014 10:37 PM
In point 2, I configured the NAT from outside to inside:
static (inside,outside) tcp interface 172.16.20.0 25 25
static (inside,outside) tcp interface 172.16.20.0 443 443
access-list outside-inside permit tcp any interface outside eq 25
access-list outside-inside permit tcp any interface outside eq 443
But it's not working. I configured Outlook with SSL ports 995 and 465 but it's not working, and it's not even pinging. My PC IP address is 172.16.20.42/24.
Thanks
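The back-and-forth above turns on two things a practitioner wants to check mechanically before blaming the ASA: whether an inbound port actually has both a permit in the bound outside ACL and a matching 8.2 `static`, and what the equivalent 8.3+ object-NAT form is. The script below is an added example written for this page, not code from the thread or from Cisco. It models only the 8.2 forms used in the thread. The sample configuration is constructed from the final post, with the `static` arguments in the documented 8.2 order (mapped port before real IP, since the posted order is not accepted by the parser) plus an `access-group` line the thread never shows; the object names `fwd0`/`fwd1` and the function names are mine.

```python
"""Model an ASA 8.2 port-forward policy (static PAT plus inbound interface ACL)
and check which inbound flows reach which inside host. Added example, not from
the thread or from Cisco. Only these 8.2 forms are parsed, the rest is ignored:
  static (REAL,MAPPED) tcp|udp interface MPORT REAL_IP RPORT
  access-list NAME permit|deny PROTO any interface IFC [eq PORT]
  access-group NAME in interface IFC
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_port: int
    real_ip: str
    real_port: int

@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    dst_ifc: str
    dst_port: Optional[int]   # None: no 'eq PORT', so any port matches

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\w+) any interface (\w+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def parse_config(text):
    """Return (statics, acl_entries, {interface: bound_acl_name})."""
    statics, acls, bound = [], [], {}
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace
        if m := STATIC_RE.match(line):
            ri, mi, proto, mport, rip, rport = m.groups()
            statics.append(StaticPat(ri, mi, proto, int(mport), rip, int(rport)))
        elif m := ACL_RE.match(line):
            name, action, proto, ifc, port = m.groups()
            acls.append(AclEntry(name, action, proto, ifc, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            name, ifc = m.groups()
            bound[ifc] = name
    return statics, acls, bound

def evaluate_inbound(cfg, proto, port, ifc="outside"):
    """Verdict for a flow from the internet to <ifc address>:<port>.
    Returns ("forwarded", "real_ip:real_port") or ("dropped", reason)."""
    statics, acls, bound = cfg
    # 1. Lower- to higher-security traffic needs an explicit permit; on 8.2 the
    #    outside ACL is matched against the untranslated (mapped) destination,
    #    which for a port forward is the interface address itself.
    acl_name = bound.get(ifc)
    if acl_name is None:
        return ("dropped", f"no access-group bound inbound on {ifc}")
    for e in acls:
        if e.name != acl_name or e.dst_ifc != ifc or e.proto not in (proto, "ip"):
            continue
        if e.dst_port is not None and e.dst_port != port:
            continue
        if e.action == "deny":
            return ("dropped", f"explicit deny in {acl_name}")
        break                                  # first matching permit wins
    else:
        return ("dropped", f"no permit for {proto}/{port} in {acl_name}")
    # 2. The permitted packet still needs a translation for that exact port.
    for s in statics:
        if s.mapped_ifc == ifc and s.proto == proto and s.mapped_port == port:
            return ("forwarded", f"{s.real_ip}:{s.real_port}")
    return ("dropped", f"no static PAT for {proto}/{port} on the {ifc} address")

def audit(config_text, expected_host, ports, proto="tcp"):
    """Map each port to (verdict, detail, lands_on_expected_host)."""
    cfg = parse_config(config_text)
    result = {}
    for p in ports:
        verdict, detail = evaluate_inbound(cfg, proto, p)
        on_host = verdict == "forwarded" and detail.rsplit(":", 1)[0] == expected_host
        result[p] = (verdict, detail, on_host)
    return result

def to_object_nat(s, name):
    """Render the 8.3+ object-NAT equivalent of an 8.2 static PAT line."""
    return "\n".join([
        f"object network {name}",
        f" host {s.real_ip}",
        f" nat ({s.real_ifc},{s.mapped_ifc}) static interface service {s.proto} {s.real_port} {s.mapped_port}",
    ])

# Constructed sample: the final post's configuration with the static arguments
# in the documented 8.2 order (mapped port before real IP) and an access-group
# line, which the thread never shows but which the ACL needs to take effect.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 25 172.16.20.0 25
static (inside,outside) tcp interface 443 172.16.20.0 443
access-list outside-inside permit tcp any interface outside eq 25
access-list outside-inside permit tcp any interface outside eq 443
access-group outside-inside in interface outside
"""

if __name__ == "__main__":
    # 25/443 are forwarded, but to 172.16.20.0 rather than the PC at 172.16.20.42;
    # 465/995 (the Outlook SSL ports tried later) have neither a permit nor a static.
    for port, (verdict, detail, ok) in audit(SAMPLE_CONFIG, "172.16.20.42", [25, 443, 465, 995]).items():
        print(f"tcp/{port}: {verdict} ({detail}); reaches 172.16.20.42: {ok}")
    for i, s in enumerate(parse_config(SAMPLE_CONFIG)[0]):
        print(to_object_nat(s, f"fwd{i}"))    # fwd0/fwd1 are made-up object names
```

Run it against the config you actually pasted from `show run` (the parser ignores unrelated lines); a port that comes back `dropped` tells you which of the two halves, the ACL permit or the `static`, is missing, and `to_object_nat` gives the line-for-line 8.3+ form if the box is ever upgraded.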