Traffic to different wan ip's

m1kkel1984
Level 1

Hello guys.

I have an ASA5510 Sec Plus.

I'm new to Cisco.

WAN IPs: 77.68.136.96 - 77.68.136.102

Is it possible to send traffic from an internal host like 192.168.10.31 out through another WAN IP than the one bound to the interface "outside"?

I tried it with this command:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

and so on

But it doesn't seem to work... actually the hosts cannot access the internet at all. The outside interface is level 0 and the DMZ interface level 90, so there's no need to make an access list from DMZ to outside, right?

20 Replies

OK, I understand the global rule now.

Regarding port 25 to the same IP address - how do we fix it then?

We have like 12 WAN IPs where email (port 25) is coming in. All mail should be sent to the internal IP 192.168.10.34 regardless of the originating WAN IP.

What to do ?

Hello once again.

I think I know how to send all SMTP traffic to one internal IP.

static (dmz,outside) tcp interface 25 192.168.10.34 25 netmask 255.255.255.255

So i fixed my conf a little, fixed the rules that were failing, and the global rules. Please check again.

I also ran the commands just suggested, and here's the output.

ciscoasa(config)# sh run nat
nat (inside) 0 access-list NCT-DMZ
nat (inside) 1 192.168.0.0 255.255.255.0
nat (DMZ) 2 192.168.10.31 255.255.255.255
nat (DMZ) 4 192.168.10.34 255.255.255.255
nat (DMZ) 3 192.168.10.40 255.255.255.255
nat (DMZ) 3 192.168.10.41 255.255.255.255
nat (DMZ) 5 192.168.10.42 255.255.255.255
nat (DMZ) 6 192.168.10.43 255.255.255.255
nat (DMZ) 7 192.168.10.45 255.255.255.255
nat (DMZ) 8 192.168.10.46 255.255.255.255
nat (DMZ) 8 192.168.10.47 255.255.255.255
nat (DMZ) 8 192.168.10.50 255.255.255.255
nat (DMZ) 8 192.168.10.51 255.255.255.255
nat (DMZ) 8 192.168.10.52 255.255.255.255
nat (DMZ) 8 192.168.10.53 255.255.255.255
nat (DMZ) 8 192.168.10.54 255.255.255.255
nat (DMZ) 1 192.168.10.0 255.255.255.0

ciscoasa(config)# sh run static
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.0.2 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 www 192.168.10.31 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 https 192.168.10.31 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 3389 192.168.10.31 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 www 192.168.10.40 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 https 192.168.10.40 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 3389 192.168.10.41 3389 netmask 255.255.255.255
static (DMZ,outside) tcp interface smtp 192.168.10.34 smtp netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.100 3389 192.168.10.42 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 www 192.168.10.43 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 https 192.168.10.43 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 3389 192.168.10.43 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 www 192.168.10.45 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 https 192.168.10.45 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 3389 192.168.10.45 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 www 192.168.10.47 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 https 192.168.10.47 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 3389 192.168.10.50 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 8093 192.168.10.51 8093 netmask 255.255.255.255

Hmm, should the first 4 statics come at the end?

ciscoasa(config)# sh run global
global (outside) 2 77.68.136.97 netmask 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
global (outside) 4 77.68.136.99 netmask 255.255.255.255
global (outside) 5 77.68.136.100 netmask 255.255.255.255
global (outside) 6 77.68.136.101 netmask 255.255.255.255
global (outside) 7 77.68.136.32 netmask 255.255.255.255
global (outside) 8 77.68.136.33 netmask 255.255.255.255
global (outside) 1 interface

How does this look?

I've attached my new and refined config.

The NAT statements definitely look perfect, where the more specific ones are at the top, with the most general one right at the bottom.

With the static translation, the first 4 lines do not need to be moved anywhere. It's been correctly configured.

That is just amazing!

Thank you very much.

Now let's say that my spam gateway (192.168.10.34) needs to be able to communicate with 192.168.0.2 (on the inside interface). I've just created this rule:

!###################### ACCESS TO NCT FROM PROOFPOINT ################
access-list DMZ-NCT extended permit ip 192.168.10.34 255.255.255.255 192.168.0.2 255.255.255.255
access-group DMZ-NCT in interface inside

Is this also correctly configured?

No. Since the traffic originates from the DMZ, you would need to add the ACL to your current DMZ access list, which is called DMZ-PING, as follows:

access-list DMZ-PING extended permit ip host 192.168.10.34 host 192.168.0.2

Plus you also need to have the following static statement:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
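The three mistakes this thread turns on (a nat ID that has no matching global on the outside, two statics claiming the same mapped address and port, and an access-group applied on an interface other than the one the traffic arrives on) can all be caught by a quick lint over the config before it is pasted into the ASA. The script below is an added example in Python; it is not from the thread or from Cisco. It assumes the pre-8.3 nat/global/static syntax shown above and takes the network behind each interface from that interface's own nat lines. The sample config is constructed from the thread's addresses plus a deliberate orphan nat ID (9) and a duplicate static, so that each check has something to report.

```python
"""Pre-8.3 Cisco ASA NAT/ACL sanity checks (added example, not from the thread).

Parses nat / global / static / access-list / access-group lines and reports:
  * a nat ID with no global pool on the mapped interface (the ASA finds no
    translation group, so those hosts get no internet access at all);
  * two statics claiming the same mapped IP / protocol / port;
  * an access-group applied inbound on an interface that holds none of the
    ACL's source hosts (inbound ACLs are checked where traffic arrives).
Which real network sits behind an interface is derived from its nat lines.
"""
import ipaddress
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit \S+ (?:host (\S+)|(\S+) \S+) (?:host \S+|\S+ \S+)"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

# Constructed sample: thread addresses plus an orphan nat ID 9 and a duplicate static.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.0.0 255.255.255.0
nat (DMZ) 2 192.168.10.31 255.255.255.255
nat (DMZ) 3 192.168.10.40 255.255.255.255
nat (DMZ) 9 192.168.10.60 255.255.255.255
nat (DMZ) 1 192.168.10.0 255.255.255.0
global (outside) 2 77.68.136.97 netmask 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
global (outside) 1 interface
static (DMZ,outside) tcp 77.68.136.97 www 192.168.10.31 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 www 192.168.10.40 www netmask 255.255.255.255
static (DMZ,outside) tcp interface smtp 192.168.10.34 smtp netmask 255.255.255.255
access-list DMZ-NCT extended permit ip host 192.168.10.34 host 192.168.0.2
access-group DMZ-NCT in interface inside
"""


def parse(config):
    """Collect the five statement types; policy NAT (nat 0 access-list) and other lines are skipped."""
    cfg = {"nats": [], "globals": defaultdict(set), "statics": [],
           "acls": defaultdict(list), "groups": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := NAT_RE.match(line)) and m[3] != "access-list":
            cfg["nats"].append((m[1].lower(), int(m[2]), m[3], m[4]))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"][int(m[2])].add(m[1].lower())
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"real_if": m[1].lower(), "mapped_if": m[2].lower(),
                                   "proto": m[3], "mapped_ip": m[4], "mapped_port": m[5],
                                   "real_ip": m[6], "real_port": m[7]})
        elif m := ACL_RE.match(line):
            cfg["acls"][m[1]].append(m[2] or m[3])  # source host, or source network address
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[1]] = m[2].lower()
    return cfg


def orphan_nat_ids(cfg, mapped_if="outside"):
    """nat IDs (other than identity ID 0) that have no global pool on mapped_if."""
    return sorted({nid for _, nid, _, _ in cfg["nats"]
                   if nid != 0 and mapped_if not in cfg["globals"][nid]})


def duplicate_statics(cfg):
    """(mapped IP, proto, mapped port) combinations claimed by more than one static."""
    claims = defaultdict(list)
    for s in cfg["statics"]:
        claims[(s["mapped_ip"], s["proto"], s["mapped_port"])].append(s["real_ip"])
    return {key: reals for key, reals in claims.items() if len(reals) > 1}


def interface_networks(cfg):
    """Real networks behind each interface, as declared by that interface's nat lines."""
    nets = defaultdict(list)
    for iface, _, ip, mask in cfg["nats"]:
        nets[iface].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def misapplied_acls(cfg):
    """ACLs applied inbound on an interface that holds none of their source addresses.

    Returns tuples (acl name, interface applied on, source, interface the source lives on).
    """
    nets = interface_networks(cfg)
    findings = []
    for name, applied_on in cfg["groups"].items():
        for src in cfg["acls"].get(name, []):
            try:
                src_ip = ipaddress.ip_address(src)
            except ValueError:  # "any" or an object-group name carries no address
                continue
            homes = [iface for iface, ns in nets.items() if any(src_ip in n for n in ns)]
            if homes and applied_on not in homes:
                findings.append((name, applied_on, src, homes[0]))
    return findings


def report(config=SAMPLE_CONFIG):
    cfg = parse(config)
    return {"orphan_nat_ids": orphan_nat_ids(cfg),
            "duplicate_statics": duplicate_statics(cfg),
            "misapplied_acls": misapplied_acls(cfg)}


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result or 'ok'}")
```

Run it against the output of `sh run nat`, `sh run global`, `sh run static`, `sh run access-list` and `sh run access-group` pasted into one file; on the sample it reports nat ID 9 as orphaned, 77.68.136.97 tcp/www as claimed twice, and DMZ-NCT as applied on inside although its source host lives behind the DMZ interface.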

"Plus you also need to have the following static statement:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0"

I assume you mean:

static (inside,dmz) 192.168.0.2 192.168.10.34 netmask 255.255.255.255

??
