03-05-2014 12:13 AM - edited 03-11-2019 08:53 PM
Hi
I am new to Cisco Security, and I am unable to access the inside network from outside of an ASA 5505.
My outside interface is connected to an L3 switch (no switchport) with IP address 172.16.50.1, and the ASA outside interface IP is 172.16.50.2. The inside interface IP is 10.29.50.250 and the internal network is 10.29.50.0/24. For testing I allowed all traffic from all interfaces. See the NW design (IPs may be wrong on this Visio).
I was able to ping all my networks from the ASA inside network, but when I try to reach the internal ASA network 10.228.50.0 it does not succeed. See the screenshot from a 10.227.0.0/21 client.
I am also attaching the ASA configuration for your kind review and an apt solution.
Thanks in advance.
03-05-2014 03:14 AM
Hi,
Can you try this:
static(inside,outside) 10.29.250.0 10.29.250.0
Regards
Alain
Don't forget to rate helpful posts.
03-05-2014 03:51 AM
Hi
Thanks for your input. Did you mean
static (inside,outside) 10.29.50.250 10.29.50.250
or
static(inside,outside) 10.29.50.0 10.29.50.0
I tried both but no luck.
Best Regards
03-06-2014 08:29 PM
Hi
Can anyone help me out to cope with this task?
Best Regards
03-12-2014 10:43 PM
Any champ to help me out?
03-13-2014 12:19 AM
Hi,
I'm not clear whether your inside network is 10.29.50.0/24 or 10.228.50.0/24; could you confirm?
I would suggest doing the below:
interface Vlan2
ip address 172.16.50.2 255.255.255.0
nat (inside,outside) 172.16.50.0 10.29.50.0 255.255.255.0
access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 echo
access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 time-exceeded
access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 unreachable
03-13-2014 06:13 AM
Hi,
You are using dynamic NAT for the inside network, which is always unidirectional. Traffic only gets translated when it is generated from an inside network. To outside hosts it always appears to come from the ASA outside interface IP address. You cannot generate traffic to a real inside IP address using dynamic NAT.
Either use static NAT (one-to-one mapping), use a remote-access VPN to get to the internal networks of the ASA, or remove NAT altogether if the IP addresses are routable.
"Please rate helpful posts"
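As an added example (not configuration from this thread or from any of its posters), the following pre-8.3 ASA snippet puts together the two suggestions above: identity static NAT so that inside hosts are reachable under their real addresses, and an inbound ACL on the outside interface scoped to the two networks named in the thread instead of permitting everything. The interface names inside/outside and the ACL name outside_in come from the thread; the NAT ID 1, the application port tcp/502, the sample host addresses and the route to the L3 switch are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (static / nat / global).
! Assumed: NAT ID 1, application port tcp/502, route via the L3 switch at 172.16.50.1.
!
! 1. Keep dynamic PAT for traffic the industrial network initiates towards the core.
nat (inside) 1 10.29.50.0 255.255.255.0
global (outside) 1 interface
!
! 2. Identity static NAT: the whole /24 is reachable from outside under its real
!    addresses. "netmask" is required when translating a subnet rather than a host.
static (inside,outside) 10.29.50.0 10.29.50.0 netmask 255.255.255.0
!
! 3. Inbound ACL on outside: only the core network (10.227.0.0/21) may reach the
!    industrial network, and only for ICMP echo plus the data-collection port.
!    The explicit deny with "log" gives visibility of anything else that tries.
access-list outside_in extended permit icmp 10.227.0.0 255.255.248.0 10.29.50.0 255.255.255.0 echo
access-list outside_in extended permit tcp 10.227.0.0 255.255.248.0 10.29.50.0 255.255.255.0 eq 502
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 4. The ASA needs a route to the core network through the L3 switch, otherwise
!    replies from inside hosts have nowhere to go once they reach the firewall.
route outside 10.227.0.0 255.255.248.0 172.16.50.1 1
```

Two checks before blaming the firewall: the L3 switch must have a return route for 10.29.50.0/24 pointing at 172.16.50.2, and the industrial hosts must use 10.29.50.250 as their default gateway. On the ASA itself, `packet-tracer input outside tcp 10.227.0.10 1025 10.29.50.10 502` (addresses constructed for the test) walks the packet through the route lookup, ACL and NAT phases and shows which one drops it; `show xlate` confirms the static translation is in place.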
03-16-2014 11:59 PM
Hi
Thanks John & Poonam for your valuable input. Sorry for the delayed response as I was off.
John, our industrial NW 10.29.50.0/24 is completely separate from our core NW 10.227.0.0/21. For a specific project we are required to connect a few of our industrial clients to our EDC servers to fetch and negotiate performance data. That requires two-way communication. Communication from the inside NW 10.29.50.0 is absolutely fine (see trace.png), but when I try to reach 10.29.50.0 from the core NW 10.227.0.0 it is not allowed (see erro.png): the outside interface gets a response but the inside interface doesn't.
I tried to apply your mentioned command nat (inside,outside) 172.16.50.0 10.29.50.0 255.255.255.0 but it gives an error (see nat_error), whereas static (inside,outside) can be applied (see Static.png), but I am still unable to get a response from the inside NW. If you deem it useful I can share my core NW design and details, which may help all of you to get me out of this situation.