09-26-2010 09:20 PM - edited 03-11-2019 11:45 AM
Hi Team,
I have just configured an ASA 5520 and put it in production, and everything seems to work except I cannot access the hosts on the inside network from OUTSIDE.
When I run the Packet Tracer command from ASDM it tells me NAT is an issue. I have tried a few combinations but am struggling to get it working and trying to work out what I might have missed.
OUTSIDE IP: x.x.x.196
Outside IP Useable Range provided by the SP: x.x.x.197, x.x.x.198, and so on
Configuration
================
name 10.10.10.10 ABA-Pilot description ABA-Pilot Server
name 10.10.10.11 ABA-NAS description ABACisco NAS Device
name 192.168.0.0 dmz description DMZ LAN
name 10.10.10.0 inside description Inside LAN
name x.x.x.192 internet description Outside Network
name 10.100.100.0 managment description Managenet LAN
!
interface GigabitEthernet0/0
description Connection to the Internet
nameif outside
security-level 100
ip address x.x.x.196 255.255.255.240
!
interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 0
ip address 10.10.10.254 255.255.255.0
!
access-list inside_access_in remark Access to Internet
access-list inside_access_in extended permit ip inside 255.255.255.0 any
access-list dmz_access_in remark Access to Internet
access-list dmz_access_in extended permit ip dmz 255.255.255.0 any
access-list outside_access_in extended permit icmp any host ABA-Pilot
access-list outside_access_in extended permit tcp any host ABA-NAS object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host ABA-Pilot object-group ABA-pilot
access-list outside_access_in remark Management Access from Outside
access-list outside_access_in extended permit tcp any interface outside object-group Management-Access
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 outside
nat (dmz) 2 dmz 255.255.255.0 outside
static (outside,inside) tcp ABA-Pilot 3389 x.x.x.198 3389 netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot https x.x.x.198 https netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot www x.x.x.198 www netmask 255.255.255.255
static (outside,inside) ABA-NAS x.x.x.197 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
=========================================
Any help greatly appreciated
09-26-2010 09:38 PM
The following commands have been configured the other way round:
static (outside,inside) tcp ABA-Pilot 3389 x.x.x.198 3389 netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot https x.x.x.198 https netmask 255.255.255.255
static (outside,inside) tcp ABA-Pilot www x.x.x.198 www netmask 255.255.255.255
static (outside,inside) ABA-NAS x.x.x.197 netmask 255.255.255.255
Please kindly remove the above and change it to the following:
static (inside,outside) tcp x.x.x.198 3389 ABA-Pilot 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 https ABA-Pilot https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.198 www ABA-Pilot www netmask 255.255.255.255
static (inside,outside) x.x.x.197 ABA-NAS netmask 255.255.255.255
After the above changes, please clear the xlate: clear xlate
Also, in your "outside_access_in", the destination address should be the public IP address (NATed address), not the private IP address.
For example the following line:
access-list outside_access_in extended permit icmp any host ABA-Pilot
It should be towards the public IP address (x.x.x.198), not the private IP (ABA-Pilot - 10.10.10.10)
Hope that helps.
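The two mistakes pointed out in the answer above can be checked for mechanically; the following Python lint is an added example, not part of the original thread. It assumes internal servers use RFC 1918 addresses, substitutes 203.0.113.x for the masked x.x.x.x, and the names `lint`, `SAMPLE` and the rule labels are hypothetical.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.x stands in for the thread's masked x.x.x.x
# addresses; the first static and first ACL line are left uncorrected.
SAMPLE = """\
name 10.10.10.10 ABA-Pilot
name 10.10.10.11 ABA-NAS
static (outside,inside) tcp ABA-Pilot 3389 203.0.113.198 3389 netmask 255.255.255.255
static (inside,outside) 203.0.113.197 ABA-NAS netmask 255.255.255.255
access-list outside_access_in extended permit icmp any host ABA-Pilot
access-list outside_access_in extended permit icmp any host 203.0.113.198
access-group outside_access_in in interface outside
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATIC = re.compile(r"static \((\w+),(\w+)\) "
                    r"(?:(?:tcp|udp) (\S+) \S+ (\S+) \S+|(\S+) (\S+))")
ACL = re.compile(r"access-list (\S+) extended permit \S+ any host (\S+)")

def lint(config, public_ifc="outside"):
    """Return (rule, line) findings for pre-8.3 static and ACL statements."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    names, bound = {}, {}
    for t in (l.split() for l in lines):  # pass 1: names and ACL bindings
        if t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]
        elif t[0] == "access-group" and len(t) >= 3:
            bound[t[1]] = t[-1]

    def private(token):
        try:
            ip = ipaddress.ip_address(names.get(token, token))
        except ValueError:  # e.g. the keyword "interface"
            return None
        return any(ip in n for n in RFC1918)

    findings = []
    for l in lines:  # pass 2: check each statement
        m = STATIC.match(l)
        if m:
            # Order is: static (real_ifc,mapped_ifc) mapped_ip real_ip
            mapped, real = [g for g in m.groups()[2:] if g]
            if private(mapped) and private(real) is False:
                findings.append(("static-reversed", l))
        m = ACL.match(l)
        if m and bound.get(m.group(1)) == public_ifc and private(m.group(2)):
            findings.append(("acl-dest-private", l))
    return findings
```

Only `permit ... any host <addr>` ACL entries are examined; object-group destinations are not expanded.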
09-26-2010 09:47 PM
Thanks for your excellent help on this; my issue has been resolved.
Cheers Again