Cisco Support Community

Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi,

I have a NAT setup problem in Ver 9.1(1).

object network outside-net
host 10.50.10.10
object network inside-net
host 192.168.1.10
nat (inside,outside) dynamic interface
object network www
host 192.168.1.10
nat (inside,outside) static outside-net service tcp 80 80
access-list acl-in permit ip any any
access-list acl-out permit ip any any
access-group acl-in in interface outside
access-group acl-out out interface inside

I can access the internet from the inside LAN.

But the web server can't be accessed from the internet.

The problem exists in ver 9.1(1), but not in Ver 8.4.

Please kindly help.

Thanks

Paul

19 REPLIES

Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi All,

Actually, I only want a simple configuration.

inside network = 192.168.1.0/24

outside network = 10.50.10.0/27

All inside hosts can access the internet,

and we only have one web server inside = 192.168.1.10.

This can be done in ver 8.x but not in 9.1(1).

Please help.

Re: Problem setting up cisco ASA 5515 Ver 9.1(1)

Hello Mw,

So here is the thing.

Let's say the internal server will be 4.2.2.2 on the outside, OK?

nat (inside,outside) after-auto source dynamic any interface
object network Internal-Server
host 192.168.1.10
object network Outside-Server
host 4.2.2.2
nat (inside,outside) source static Internal-Server Outside-Server
access-list out-in permit tcp any host 192.168.1.10 eq 80
access-group out-in in interface outside

That's it, a configuration from scratch for free. Now remember to always rate the helpful posts, hehe.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi Julio,

Thanks for your reply. I'll try tomorrow and reply.

Thanks again

mw


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi,

It does not work.

Below is my config.

hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.10.215 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj-172.16.20.21
host 172.16.20.21
object network obj-10.50.10.217
host 10.50.10.217
access-list acl-in extended permit udp any object obj-172.25.20.21
access-list acl-in extended permit tcp any host 172.25.20.21 eq www
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217
!
nat (inside,outside) after-auto source dynamic any interface
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.50.10.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:d829d2da705abcd074c24febefa1b369
: end

Please help.

mw


Re: Problem setting up cisco ASA 5515 Ver 9.1(1)

Wrong forum, post in "Security - Firewalling". You can move your posting using the Actions panel on the right.

Re: Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi Paolo,

Thanks.

But where is the action panel?

mw


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi mw,

"nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217" is wrong: no "obj-210.3.166.217" is defined anywhere in your posted configuration.

Follow what jcarvaja mentioned to configure the static NAT rule; it should work.


Problem setting up cisco ASA 5515 Ver 9.1(1)

Thanks for your reply, Xie.

The obj-210.3.166.217 should be replaced by object network obj-10.50.10.217.

So that rule also has a correct object.

But it still does not work...........

The same config works in ver 8.x.

Thanks

mw.


Problem setting up cisco ASA 5515 Ver 9.1(1)

@mw lam

Hello, you either need to have both-way NAT or manually change it to (outside,inside).


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi,

Thanks for your reply.

However, I can go out to the internet from inside by applying the following config:

ciscoasa(config)# sh run object
object network obj-172.16.20.21
host 172.16.20.21
object network obj-10.50.10.216
host 10.50.10.216

ciscoasa(config)# sh run nat
nat (outside,inside) source static obj-10.50.10.216 obj-172.16.20.21
!
nat (inside,outside) after-auto source dynamic any interface

ciscoasa(config)# sh run access-list
access-list outside_access_in extended permit icmp any object obj-10.50.10.216
access-list outside_access_in extended permit tcp any host 172.16.20.21 eq www
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

ciscoasa(config)# sh run access-group
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

But I still can't access the web server of the object obj-172.26.20.21.

I read the earlier post in the forum; I also issued the command "sysopt noproxyarp outside", but also in vain.

Please help.

mw.

One more thing. I ran packet-tracer: there is no problem from inside to outside, but it fails from outside to inside at the NAT rules step........


Problem setting up cisco ASA 5515 Ver 9.1(1)

Config looks fine. Let me ask you: are you trying to access the website from your inside network using a web browser?


Problem setting up cisco ASA 5515 Ver 9.1(1)

Thanks for your reply.

Yes, I can access it through a browser, and I can ping the domain too, e.g. ping www.yahoo.com......


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi Lam,

Found this in your configuration

"no arp permit-nonconnected"

Try removing this by

"arp permit-nonconnected"

Let me know if it worked...

Cheers,

Naveen


Problem setting up cisco ASA 5515 Ver 9.1(1)

Alright, will try and let you know ASAP.

Problem setting up cisco ASA 5515 Ver 9.1(1)

Hello,

You are not using the NAT command I provided......

If you use an IP address that is not on the same subnet as the ASA, you need the command that Naveen provided.

If you use the NAT statement that I provided, there is no need for that command.

Again, try the exact same configuration that I provided (NAT from inside to outside) and post the entire configuration.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi,

The config has been attached. Please comment.

ASA Version 9.1(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.50.10.215 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.25.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network internal-server
host 172.25.20.20
object network outside-server
host 10.50.10.216
access-list out-in extended permit tcp any host 172.25.20.20 eq www
access-list out-in extended permit icmp any host 172.25.20.20
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source static internal-server outside-server
!
nat (inside,outside) after-auto source dynamic any interface
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.50.10.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy

telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:2986fa151b9a81facc9113e56e262fc0

Thanks

mw

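The checks the replies above make by eye (Xie spotting the NAT rule that names an object which was never defined, Naveen and Julio on `arp permit-nonconnected` for a mapped address off the ASA's own subnet, and the NAT-step failure mw saw in packet-tracer) can be scripted against `show run` text. The Python below is an added example for this thread, not code from the posts or from Cisco; it understands only the commands the thread argues about (`object network`/`host`, `interface` with `nameif`/`ip address`, manual and object `nat`, `access-list`, `arp permit-nonconnected`) and skips everything else. The sample configs are constructed, trimmed copies of the ones posted above, and the function names are mine. It assumes the ASA 8.3+ rules the replies rely on: inbound ACLs match the real (untranslated) address, `arp permit-nonconnected` is off by default, and NAT is evaluated in three sections (manual, object, manual `after-auto`). It also handles the object-NAT form used in the very first post, not only Julio's manual NAT.

```python
"""ASA 9.x static-NAT sanity checker: added example, not code from the thread or from Cisco.
Reads plain "show run" text and knows only object network/host, interface nameif/ip address,
nat, access-list and arp permit-nonconnected; every other line is skipped."""
import ipaddress
import re

def parse_asa(text):
    """Collect objects, interfaces, static NAT rules (with their NAT section) and ACLs."""
    cfg = {"objects": {}, "if": {}, "nat": [], "acl": {}, "arp_nonconnected": False}  # 9.x default
    cur = None                                   # object or interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        tok = line.split()
        if line.startswith("object network "):
            cur = cfg["objects"].setdefault(tok[2], {"name": tok[2]})
        elif tok[0] == "interface":
            cur = cfg["if"].setdefault(tok[1], {})
        elif tok[0] == "host":                   # sub-command of object network
            cur["host"] = tok[1]
        elif tok[0] == "nameif":                 # sub-commands of interface
            cur["name"] = tok[1]
        elif line.startswith("ip address "):
            cur["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "nat":
            ifs = tuple(tok[1].strip("()").split(","))
            m = re.search(r"(after-auto )?source static (\S+) (\S+)", line)
            if m:                                # manual NAT: section 1, or 3 with after-auto
                cfg["nat"].append((3 if m.group(1) else 1, ifs, m.group(2), m.group(3)))
            elif tok[2] == "static":             # object NAT (under object network): section 2
                cfg["nat"].append((2, ifs, cur["name"], tok[3]))
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit") + 2          # skip the protocol keyword
            i += 1 if tok[i] == "any" else 2     # step over the source spec
            kind = tok[i] if tok[i] in ("any", "host", "object") else "net"
            cfg["acl"].setdefault(tok[1], []).append((kind, tok[i + 1] if kind in ("host", "object") else tok[i]))
        elif line.endswith("arp permit-nonconnected"):
            cfg["arp_nonconnected"] = not line.startswith("no ")
    return cfg

def _addr(cfg, name):
    """Object name -> its host address, literal IPv4 -> itself, anything else -> None."""
    literal = name if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", name) else None
    return cfg["objects"][name].get("host") if name in cfg["objects"] else literal

def lint(cfg):
    """Findings (strings) for the mistakes the thread runs into."""
    out, mapped = [], set()
    outside = next((v for v in cfg["if"].values() if v.get("name") == "outside"), {})
    for _, (_, dst_if), real, m in cfg["nat"]:
        for name in (real, m):
            if name != "interface" and name not in cfg["objects"] and _addr(cfg, name) is None:
                out.append(f"nat: object '{name}' is never defined")
        m_ip = _addr(cfg, m)
        if m_ip:
            mapped.add(m_ip)
        if (m_ip and dst_if == "outside" and "ip" in outside and not cfg["arp_nonconnected"]
                and ipaddress.ip_address(m_ip) not in outside["ip"].network):
            out.append(f"nat: {m_ip} is off {outside['ip'].network}; needs 'arp permit-nonconnected'")
    for acl, entries in cfg["acl"].items():
        for kind, val in entries:
            if kind == "object" and val not in cfg["objects"]:
                out.append(f"acl {acl}: object '{val}' is never defined")
            elif kind in ("host", "object") and _addr(cfg, val) in mapped:
                out.append(f"acl {acl}: {_addr(cfg, val)} is the mapped address; since 8.3 ACLs use the real one")
    return out

def inbound_real(cfg, ingress_if, dst_ip):
    """packet-tracer's NAT phase: real address behind dst_ip for a packet entering on ingress_if, else None."""
    for _, (_, dst_if), real, m in sorted(cfg["nat"], key=lambda r: r[0]):
        if dst_if == ingress_if and _addr(cfg, m) == dst_ip:
            return _addr(cfg, real)
    return None

# Constructed samples: FIXED is the working config from the end of the thread, trimmed; the variants
# reproduce the earlier mistakes (objects never defined, rule written as (outside,inside), mapped
# address off the outside /27 with ARP left at its default).
FIXED = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.50.10.215 255.255.255.224
object network internal-server
 host 172.25.20.20
object network outside-server
 host 10.50.10.216
access-list out-in extended permit tcp any host 172.25.20.20 eq www
arp permit-nonconnected
nat (inside,outside) source static internal-server outside-server
"""
DANGLING = (FIXED.replace("static internal-server outside-server", "static obj-172.25.20.21 obj-210.3.166.217")
                 .replace("tcp any host 172.25.20.20 eq www", "udp any object obj-172.25.20.21"))
FLIPPED = FIXED.replace("nat (inside,outside) source static internal-server outside-server",
                        "nat (outside,inside) source static outside-server internal-server")
OFFNET = (FIXED.replace("host 10.50.10.216", "host 10.50.11.5").replace("arp permit", "no arp permit")
               .replace("any host 172.25.20.20", "any host 10.50.11.5"))

if __name__ == "__main__":
    for name, text in {"fixed": FIXED, "dangling": DANGLING, "flipped": FLIPPED, "offnet": OFFNET}.items():
        cfg = parse_asa(text)
        print(f"{name}: {lint(cfg) or 'clean'}; 10.50.10.216 -> {inbound_real(cfg, 'outside', '10.50.10.216')}")
```

Run as a script it prints one verdict per sample. On the dangling sample it reproduces Xie's finding and, because the mapped object cannot be resolved, `inbound_real` returns None, the same outcome mw got at packet-tracer's NAT step. The flipped sample shows why writing the rule as (outside,inside) leaves no rule that translates an inbound packet for 10.50.10.216; the lint there reports the server's own address as "mapped", which is exactly what the inverted rule declares. The offnet sample is the case Naveen's `arp permit-nonconnected` addresses: a mapped address that is not in 10.50.10.192/27, which the ASA will not answer ARP for by default.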

Problem setting up cisco ASA 5515 Ver 9.1(1)

OK, just keep in mind: if you are trying to access your website's public IP from inside using your internet access, it is not going to work, because the public IP for your website is not assigned to the device and it is from the same pool as your outside interface. Did you try accessing your site from a completely different network?


Problem setting up cisco ASA 5515 Ver 9.1(1)

Hi Arsen,

Now I have set it up as simply as possible.

adsl <-- cisco asa <-- 2 PCs.

I can ping and browse the web between the 2 PCs.

The outside subnet is 10.50.10.192/27.

Thanks

mw.


Problem setting up cisco ASA 5515 Ver 9.1(1)

Dear all,

The firewall has finally been done, though it's just one-to-one mapping for now.

The problem may be caused by the uplink........

I need to clarify with the provider tomorrow.

Sorry!!

mw.
