I'm trying to configure a 506e for a relatively simple scenario, and just can't seem to get it. I have an existing IP block, 184.108.40.206, 255.255.255.240. I would like to give the 506e the last 4 IPs, permit egress, map one or two of the IPs to static internal IP addresses, and let only a few TCP ports in.
access-list acl_outsidein permit tcp any host 192.168.1.11 eq 80
access-group acl_outsidein in interface outside
My reading of all the manuals is that this will map the (outside) ip 67.x.167.44 to the (inside) ip 192.168.1.11, and that it will permit (only) http access from the outside to 192.168.1.11.
It doesn't do this, i.e. from my little test subnet (220.127.116.11, 255.255.255.0) to which the 506e is connected, when I try to access 18.104.22.168 from a web browser, I get no response. (From within my 192.168.1.1, 255.255.255.0 subnet, when I go to 192.168.1.11 I get the site.)
Sorry for the typo in the post, but your suggestion was what I really did. The following is the current configuration, which differs somewhat from my original post. Basically, I just have the one IP configured for the PIX, and I let all IP traffic in.
I thought I started a new thread addressing this question but it seems to have been lost.
I think that's my real problem, that I'm not configuring the outside interface correctly. I had used 255.255.255.255 to restrict the firewall to listening to only that 1 IP, which is not what I really want. My real-life situation is that I have an existing 16 IP subnet to which I want to add the 506, with a new server sitting behind the firewall, and leave the existing server exposed, listening to some of the IPs in my existing block. I want to eventually migrate the exposed server to be behind the firewall. An additional factor is that all of this will be done in a CoLo situation, so I'm trying to create a test subnet here to configure everything before I ship it out.
Say my existing IP block is 192.168.0.241, 255.255.255.240. When I configure my 506, how do I assign the outside IP address if I just want to use, e.g., 192.168.0.250 - 192.168.0.255 as the IPs the firewall will listen on, while 192.168.0.241 - 192.168.0.249 are used by an existing server which will not be behind the firewall?
If I assign the entire 16 IP subnet to the outside, but only have static assignments for the 5 IPs I want to use on the firewall, which device listens on the first 10 IPs, my existing server or the 506? Do I need a complete, and new, subnet for the firewall?
I thought I had a correct (test) configuration with some modifications (I was using an entire class C subnet (192.168.0.1, 255.255.255.0) as my test scenario, and was assigning the firewall the subnet of 192.168.0.241, 255.255.255.240). This worked well, but some local computers, but not all, couldn't get out.