New Member

Outside to Inside with NAT

Hi, I have faced a problem regarding traffic from outside to inside after applying the ACL below:

access-list 101 permit ip any any

APPLY on outside interface

access-group 101 in interface outside

but my traffic didn't pass through from outside to inside.

Navaz
1 ACCEPTED SOLUTION

New Member

Re: Outside to Inside with NAT

Hi

I think that you can use.

21 REPLIES
VIP Purple

Re: Outside to Inside with NAT

Can you describe exactly what you want to allow on your ASA? Which ASA version are you running, and can the ASA reach the internet and the internal server that you want to expose to the internet? The actual config would also help.

And "permit ip any any" is most likely not what you want to use on a firewall.




--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: Outside to Inside with NAT

Version 8.0(2), and the ASA can ping both sides (outside to the internet and inside to the internal network).

Here is the running configuration:

ASA(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.1.1.30
nat (inside) 1 192.168.1.0 255.255.255.0
access-group 101 in interface outside
access-group 101 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:a910fcee5200493f2ed21db7bd2f82d6
: end
ASA(config)#

Navaz
VIP Purple

Re: Outside to Inside with NAT

So it's not a real network, but you are learning how to operate the ASA?

You should start with NAT and think about whether you really need NAT. In your diagram, inside and outside should have full routing reachability, so NAT is not needed.

In the Config Guide you will find all the info on how NAT works on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Start with the commands "nat", "global" and "nat-control". For your case, all of these can be removed from the config and reachability should be there.

If you want to simulate a situation where the outside interface connects to the internet, you need to configure a static translation and you should keep the "nat" and "global". The additional config you need is a "static" command.

After that, go over to the configuration of access control:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/nwaccess.html

You don't want to allow any traffic into your network.

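
Added example (not part of the original thread or any poster's configuration): the "simulated internet" case described in the reply above, written in the pre-8.3 NAT syntax that ASA 8.0(2) uses, with the thread's addressing (outside 10.1.1.0/24, inside 192.168.1.0/24). The inside server 192.168.1.2, its mapped address 10.1.1.2, the test client 10.1.1.100, the ACL name OUTSIDE_IN and the choice of TCP/80 as the published service are assumptions for illustration. The class-map/policy-map lines are the 8.0 default inspection policy, which does not appear in the posted running-config, with ICMP inspection added so that ICMP becomes stateful: replies are matched to requests the ASA saw instead of needing their own permit entries on the outside ACL.

```text
! Remove the blanket "permit ip any any" policy from both interfaces first.
no access-group 101 in interface outside
no access-group 101 in interface inside
no access-list 101 extended permit ip any any
!
! Dynamic PAT for outbound traffic from the inside network (as in the posted config).
nat-control
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.30
!
! Static one-to-one translation: real 192.168.1.2 appears on the outside as
! 10.1.1.2 (assumed addresses). The interface pair is (real_ifc,mapped_ifc).
static (inside,outside) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
!
! Inbound policy on the outside interface. Before 8.3 the ACL sees the MAPPED
! address (10.1.1.2), not the real one. Allow only HTTP and echo to the server,
! and log the final deny so that probes against anything else are visible.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.2 eq www
access-list OUTSIDE_IN extended permit icmp any host 10.1.1.2 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Default inspection policy (absent from the posted config) plus ICMP
! inspection, so echo replies for pings started from the inside are allowed
! back in without a permit on OUTSIDE_IN.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification: packet-tracer walks the flow through route lookup, ACL and NAT
! and reports which phase drops it. Assumed test client: 10.1.1.100.
packet-tracer input outside tcp 10.1.1.100 40000 10.1.1.2 80
packet-tracer input outside tcp 10.1.1.100 40000 10.1.1.2 22
show xlate
show access-list OUTSIDE_IN
```

The first packet-tracer call should be allowed end to end and the second reported as dropped in the ACCESS-LIST phase; `show access-list` shows the hit counts per entry, and `show xlate` lists the static translation. The point of the restrictive ACL is the one made in the reply: the outside host reaches exactly the service that was published, and nothing else on 192.168.1.0/24.
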
New Member

Outside to Inside with NAT

Hi,

Check routing, I don't see any.

- Pankaj

VIP Purple

Outside to Inside with NAT

The systems in this scenario are directly connected, so there is no need for extra routing config. Of course you are right if this were an internet-connected setup; there, at least a default route would be needed.

Silver

Outside to Inside with NAT

Have a look here:

http://www.darkmoon.org.uk/173

Regards, Simon
http://www.linksysinfo.org
New Member

Re: Outside to Inside with NAT

Hello Navaz,
Along with routing and the ACL, you will also need to have a static xlate configured to allow the inbound traffic. I don't see that in your configuration.


New Member

Re: Outside to Inside with NAT

Can you please send me the xlate configuration?

Navaz
New Member

Re: Outside to Inside with NAT

It should look like this:
Static (inside,outside) 192.168.1.0 192.168.1.0 net mask 255.255.255.0

I'm not sure what your topology is, but you will have to be able to route to the 192.168.1.0 network from your outside host(s).


New Member

Re: Outside to Inside with NAT

Sorry, no space in the netmask keyword. The iPad auto correct strikes again... :-)


New Member

Re: Outside to Inside with NAT

David, I am sending you the topology and the configuration that I configured.

ASA(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.1.1.30
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) 10.1.1.30 10.1.1.2 netmask 255.255.255.255
access-group 101 in interface outside
access-group 101 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:a910fcee5200493f2ed21db7bd2f82d6
: end
ASA(config)#

Navaz
New Member

Re: Outside to Inside with NAT

Does anyone have a solution for this?

Navaz
Silver

Re: Outside to Inside with NAT

What traffic (ports) are you trying to let in from the outside, and to where?

Regards, Simon
http://www.linksysinfo.org
New Member

Re: Outside to Inside with NAT

I need any kind of traffic to pass through in both directions, i.e. from inside to outside and from outside to inside.

Thanks and Regards

Navaz

Re: Outside to Inside with NAT

Hello Navaz,

I think we are confused here.

We all assume this is just for testing purposes.

If what you want is to allow all traffic traversing the ASA, from outside in and from inside out:

no nat-control
no global (outside) 1 10.1.1.30
no nat (inside) 1 192.168.1.0 255.255.255.0
no static (outside,inside) 10.1.1.30 10.1.1.2 netmask 255.255.255.255

Leave the ACL configuration you have so far, and then you will have a firewall configured to act as no firewall; weird enough, hehe!

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Outside to Inside with NAT

Hi,

Check the routes on your routers; even if it is directly connected, you need a route on each router for the other subnet behind the firewall.

OR

You can configure a static xlate on the firewall to reach the internal subnet using a directly NATted IP from the external range.

Thanks, Anas
New Member

Re: Outside to Inside with NAT

I am sending you my NAT configuration:

nat-control
global (outside) 1 10.1.1.10
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
access-group 101 in interface outside
access-group 101 out interface inside

And the routes at the inside router:

S    10.1.1.2 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0

And the routes at the outside router:

C    10.1.1.0 is directly connected, GigabitEthernet0/0
     192.168.1.0/32 is subnetted, 1 subnets
S    192.168.1.2 [1/0] via 10.1.1.1

The problem is that I can't ping from outside to inside.


Navaz
New Member

Outside to Inside with NAT

Hi,

Option 1:

no nat-control, using an ACL for the permit and static routes for routing.

Option 2:

nat-control, using nat 0 (exempt).
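
Added example (not from the thread; none of the posters wrote this): the two options listed above, written out for the thread's addressing and against the NAT lines Navaz posted. Option 1 removes translation entirely and relies on routes on both routers; Option 2 keeps nat-control and exempts the inside subnet with a "nat 0 access-list" rule. In both cases the inside hosts keep their real addresses on the outside, so the outside host targets 192.168.1.2 directly (with a static, it would have to target the mapped address instead). The server 192.168.1.2, the test client 10.1.1.100, the ACL names OUTSIDE_IN and NO_NAT and the IOS route lines for the two routers are assumptions.

```text
! ---- Option 1: no NAT at all (routed firewall) ----
! On the ASA: drop nat-control and every translation rule from the posted config.
no nat-control
no global (outside) 1 10.1.1.10
no nat (inside) 1 192.168.1.0 255.255.255.0
no static (inside,outside) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
!
! Replace "permit ip any any" with a policy written against REAL addresses,
! since nothing is translated. echo-reply is permitted so that pings started
! from the inside get their answers back (alternatively enable "inspect icmp").
no access-group 101 in interface outside
no access-group 101 out interface inside
access-list OUTSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.2 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outside router (IOS, assumed): the whole inside subnet sits behind the ASA's
! outside address, not just one /32 host route.
ip route 192.168.1.0 255.255.255.0 10.1.1.1
! Inside router (IOS, assumed): the outside subnet sits behind the ASA's inside address.
ip route 10.1.1.0 255.255.255.0 192.168.1.1
!
! ---- Option 2: keep nat-control, exempt this traffic with "nat 0 access-list" ----
! NAT exemption is bidirectional: either side may initiate, and it satisfies
! nat-control without translating anything. The OUTSIDE_IN ACL and the router
! routes above apply unchanged, because the outside still sees the real addresses.
nat-control
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Verification on the ASA (assumed test client 10.1.1.100): packet-tracer shows
! which phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) allows or drops the flow.
packet-tracer input outside icmp 10.1.1.100 8 0 192.168.1.2
show running-config nat
show access-list OUTSIDE_IN
```

If the trace passes on the ASA but the ping still fails, the remaining suspects are the routers: the outside router needs the 192.168.1.0/24 route toward 10.1.1.1, and the inside router needs the 10.1.1.0/24 route toward 192.168.1.1, otherwise the reply is routed somewhere other than back through the ASA.
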

New Member

Re: Outside to Inside with NAT

Can I use static NAT for low to high, and nat/global for high to low?

Navaz
New Member

Re: Outside to Inside with NAT

Hi

I think that you can use.

New Member

Re: Outside to Inside with NAT

Can you send me the configuration?

Navaz