unable to access ASA inside network from outside

clickasif
Level 1

Hi

I am new to Cisco Security. I am unable to access the inside network from outside of an ASA 5505.


My outside interface is connected to an L3 switch port (no switchport) with IP address 172.16.50.1, and the ASA outside interface IP is 172.16.50.2. The inside interface IP is 10.29.50.250 and the internal network is 10.29.50.0/24. For testing I allowed all traffic from all interfaces. See the network design (IPs may be wrong on this Visio).

Industrial Working.png

I am able to ping all my networks from the ASA inside network, but when I try to reach the internal ASA network 10.228.50.0 it does not succeed. See the screenshot taken from a 10.227.0.0/21 client.

Sc_Shots.png

I am also attaching the ASA configuration for your kind review and an apt solution.

Thanks in advance.

7 Replies

cadet alain
VIP Alumni

Hi,

Can you try this:

static(inside,outside) 10.29.250.0 10.29.250.0

Regards

Alain

Don't forget to rate helpful posts.

Hi

Thanks for your input. Did you mean

static (inside,outside) 10.29.50.250 10.29.50.250

or

static(inside,outside) 10.29.50.0 10.29.50.0

I tried both, but no luck.

Best Regards

Hi

Can anyone help me out to cope with this task?

Best Regards

Any champ to help me out?

Hi,

I'm not clear whether your inside network is 10.29.50.0/24 or 10.228.50.0/24; could you confirm?

I would suggest doing the below:


interface Vlan2
ip address 172.16.50.2 255.255.255.0

nat (inside,outside) 172.16.50.0 10.29.50.0 255.255.255.0

access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 echo
access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 time-exceeded
access-list outside_in extended permit icmp any 10.29.50.0 255.255.255.0 unreachable

Hi,

You are using dynamic NAT for the inside network, which is always unidirectional. Traffic only gets translated when it is generated from the inside network. To outside hosts it always appears to come from the ASA outside interface IP address. You cannot generate traffic to a real inside IP address using dynamic NAT.

Either use static NAT (one-to-one mapping), use a remote access VPN to get to the internal networks of the ASA, or remove NAT altogether if the IP addresses are routable.

"Please rate helpful posts"
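To make the point above concrete, here is an added example (not configuration from this thread or from the attached config) in the pre-8.3 ASA syntax the thread already uses. It assumes the addressing stated in the thread (inside 10.29.50.0/24, outside 172.16.50.2, next hop 172.16.50.1, core network 10.227.0.0/21); the `NONAT` list name is my own. Two details matter for outside-initiated access: a network `static` needs the `netmask` keyword (otherwise the ASA creates a single-host static for 10.29.50.0), and the inbound ACL must actually be bound to the outside interface with `access-group`.

```cisco
! Added example, pre-8.3 ASA syntax. Addresses are taken from the thread;
! the NONAT list name is assumed.

! Return route for the core network. The L3 switch at 172.16.50.1 must also
! route 10.29.50.0/24 back to 172.16.50.2, or replies never reach the ASA.
route outside 10.227.0.0 255.255.248.0 172.16.50.1

! Dynamic NAT for inside-initiated traffic (what the thread is using).
! This is unidirectional: outside hosts cannot open sessions through it.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Option A: identity static NAT for the whole /24, so inside hosts are
! reachable from outside by their real addresses. Without the netmask
! keyword the ASA treats 10.29.50.0 as one host, not a network.
static (inside,outside) 10.29.50.0 10.29.50.0 netmask 255.255.255.0

! Option B (use instead of A): NAT exemption, i.e. no translation at all
! between the two networks, for the "remove NAT if routable" approach.
! access-list NONAT extended permit ip 10.29.50.0 255.255.255.0 10.227.0.0 255.255.248.0
! nat (inside) 0 access-list NONAT

! Either option still leaves outside-initiated flows blocked until an
! inbound ACL permits them. Scope the source to the core network rather
! than "any"; "ip" also covers the ICMP echo used for testing.
access-list outside_in extended permit ip 10.227.0.0 255.255.248.0 10.29.50.0 255.255.255.0
access-group outside_in in interface outside
```

After applying, `packet-tracer input outside icmp 10.227.0.10 8 0 10.29.50.10` (constructed addresses) walks the flow through route lookup, ACL and NAT and reports which phase drops it.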

Hi

Thanks John & Poonam for your valuable input. Sorry for the delayed response, as I was off.

John, our industrial network 10.29.50.0/24 is completely separate from our core network 10.227.0.0/21. For a specific project we need to connect a few industrial clients to our EDC servers to fetch and negotiate performance data. That requires two-way communication. Communication from the inside network 10.29.50.0 is absolutely fine (see trace.png), but when I try to reach 10.29.50.0 from the core network 10.227.0.0 it is not allowed (see erro.png): the outside interface gets a response but the inside interface does not.

I tried to apply your suggested command nat (inside,outside) 172.16.50.0 10.29.50.0 255.255.255.0 but it gives an error (see nat_error). The static (inside,outside) command can be applied (see Static.png), but I still cannot get a response from the inside network. If you wish, I can share my core network design and details, which may help all of you to get me out of this situation.
