cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
764
Views
0
Helpful
8
Replies

NAT 8.4(2) NAT Outside to inside and inside to outiside

Navaz Wattoo
Level 1
Level 1

I want to use internet through this.

I attached a diagram and also define the public and private ip,s

also show version of the ASA 5520

ciscoasa# sh version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 6 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab45.d200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab1e.9401, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.abd1.cc02, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab93.7903, irq 0
 4: Ext: GigabitEthernet4    : address is 0000.ab28.ec04, irq 0
 5: Ext: GigabitEthernet5    : address is 0000.abc9.e905, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration has not been modified since last system restart.

Navaz
1 Accepted Solution

Accepted Solutions

OK, add this to the ASA:

 

!

class-map icmp-class

  match default-inspection-traffic

!

policy-map icmp_policy

  class icmp-class

  inspect icmp

!

service-policy icmp_policy interface outside

!

 

cheers,

Seb.

View solution in original post

8 Replies 8

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Assuming you have configured your inside and outside interfaces with nameif then the following global NAT command should work for your PC subnet:

 

!

object range inside_pc_subnet_range

  range 172.16.20.1 172.16.20.254

!

nat (inside,outside) source dynamic inside_pc_subnet_range interface

!

 

This is an excellent write up of NAT on the ASA, worth a read!:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

cheers,

Seb.

I configured as pwe your instruction but its not working.

I attached the configuration files of the devices and also topology.

Thanks Seb

ASA# sh run

ASA# sh running-config

: Saved

:

ASA Version 8.4(2)

!

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

 nameif inside

 security-level 100

 ip address 172.16.20.254 255.255.255.0

!

interface GigabitEthernet1

 nameif ouside

 security-level 0

 ip address 125.209.70.90 255.255.255.248

!

interface GigabitEthernet2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet3

 shutdown    

 no nameif   

 no security-level

 no ip address

!            

interface GigabitEthernet4

 shutdown    

 no nameif   

 no security-level

 no ip address

!            

interface GigabitEthernet5

 shutdown    

 no nameif    

 no security-level

 no ip address

!            

ftp mode passive

object network outside-inside

 range 172.16.20.1 172.16.20.254

access-list test extended permit ip any any

pager lines 24

mtu inside 1500

mtu ouside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,ouside) source dynamic outside-inside interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!            

!            

prompt hostname context

call-home reporting anonymous prompt 2

call-home    

 profile CiscoTAC-1

  no active  

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:3530380abf486888d4f99051441c9e63

: end        

ASA# 

 

OUTSIDE ROUTER

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Outside

!

!

!

!

ip subnet-zero

no ip icmp rate-limit unreachable

!

!

ip tcp synwait-time 5

no ip domain-lookup

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

 ip address 125.209.70.89 255.255.255.248

 duplex auto

 speed auto

!

ip classless

no ip http server

ip pim bidir-enable

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

line vty 0 4

 login

!

!

end

 

INTSIDE ROUTER

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Inside

!

!

!

!

ip subnet-zero

no ip icmp rate-limit unreachable

!

!

ip tcp synwait-time 5

no ip domain-lookup

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

 ip address 172.16.20.42 255.255.255.0

 duplex auto

 speed auto

!

interface Group-Async0

 physical-layer async

 no ip address

 no group-range

!

ip classless

ip route 125.209.70.88 255.255.255.248 FastEthernet0/0

no ip http server

ip pim bidir-enable

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

line vty 0 4

 login

!

!

end

Navaz

Hi there,

Hopefully and easy fix, you have a typo in the ASA - gi1:

 

!

interface GigabitEthernet1

 nameif ouside

!

 

...should be 'outside' .

 

cheers,

Seb.

Thanks for the reply

I change the interface outside but its not working

and is there any route add to ping outside router or outside interface of the ASA

the below route add in the inside router is 

ip route  125.209.70.88 255.255.255.248 fastethernet 0/0

and the routing table output is as below   

Inside(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.20.0 is directly connected, FastEthernet0/0
     125.0.0.0/29 is subnetted, 1 subnets
S       125.209.70.88 is directly connected, FastEthernet0/0

Inside(config)#

and the below route add in the outside router to pinf the inside router or inside interface of the ASA

ip route 172.16.20.0 255.255.255.0 fastethernet 0/0

and the routing table output is as below of 

Outside(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
S       172.16.20.0 is directly connected, FastEthernet0/0
     125.0.0.0/29 is subnetted, 1 subnets
C       125.209.70.88 is directly connected, FastEthernet0/0

Outside(config)#

 

Routing table of ASA

ASA(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    172.16.20.0 255.255.255.0 is directly connected, inside
C    125.209.70.88 255.255.255.248 is directly connected, outside

ASA(config)# 

Navaz

Hello again,

Remove your existing static routes and use the following routes:

 

Outside:

!
ip route 172.16.20.0 255.255.255.0 125.209.70.90
!

 

ASA:

 

 

!
route outside 0.0.0.0 0.0.0.0 125.209.70.89 1
!

 

Inside:

 

 

!
ip route 0.0.0.0 0.0.0.0 172.16.20.254
!

 

Ideally you would use OSPF / EIGRP instead of static routes in the scenario, but this should get it working.

 

cheers,

Seb.

 

its ping from inside to outside but its not pinging outside to inside.

Navaz

OK, add this to the ASA:

 

!

class-map icmp-class

  match default-inspection-traffic

!

policy-map icmp_policy

  class icmp-class

  inspect icmp

!

service-policy icmp_policy interface outside

!

 

cheers,

Seb.

Even after this i didnt telnet from inside to outside but its working from outside to inside

Navaz
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: