I have been busy for a few days trying to set up NAT with the ASA 5505. Please see the attachment for the configuration of the modem and the ASA.
Hopefully someone can help me out.
Thanks in advance.
You're going to have to tell us what you are trying to set up in terms of NAT and what is not working.
I looked at your config and I'm assuming a couple of things (because this is the way that I have it set up at my house).
You have a router in front of the ASA, and you want your ASA to filter traffic that comes in from the router, so you have something like this:
Host --> ASA --> Router --> DSL --> Internet
If I'm right, then I would suggest not NATting at all. Your inside interface on the router is 192.168.2.254 and your public interface on the ASA is 192.168.2.250.
Make sure that you can ping your router from the ASA:
ping outside 192.168.2.254
If you do that, then in your NAT configuration on the ASA:
no global (outside) 1 interface
no nat (inside) 1 0 0
You should be able to ping from an inside host out. Your route is set up correctly from the ASA.
If this ISN'T what you are needing, then yeah, you should let us know like Jon requested. :-)
Thanks for your reply.
I can get to the internet from any host behind the inside interface of the ASA. The problem is:
behind the inside interface there is a terminal server. The terminal users have to log on to it from anywhere. I cannot figure out how/where I should place the translation rule.
Hopefully you can help me out.
Thanks in advance.
static (inside,outside) tcp interface 3389 (private ip) 3389 netmask 255.255.255.255
On your public ACL:
permit tcp any interface outside eq 3389
What this does is tell the ASA to use the outside interface IP address as the public IP. In the public ACL, you're allowing anyone to come into the public IP address on port 3389 (terminal services). If you have a block of IP addresses, you can give the terminal server any one of the addresses out of that block and forget about the "interface" keyword. In the following example, 220.127.116.11 is the public IP address.
static (inside,outside) 220.127.116.11 (private ip) netmask 255.255.255.255
In the public ACL:
permit tcp any host 220.127.116.11 eq 3389
Once you complete this, clear your translate table for it to take effect:
I'm not sure if this will work, but try the following:
On the router:
ip access-list ext EXTERNAL
permit tcp any any eq 3389
route-map TS permit 5
match ip address EXTERNAL
set ip next-hop 192.168.2.250
I'm not GREAT with policy maps, so I'd be interested in seeing if this works. How are you trying to get to the terminal server?
I forgot to mention that you need to apply this policy map to the outside interface on your router:
ip policy route-map TS
Do you have a topology diagram or something that you can draw up quickly? Where are you in relation to the terminal server? Are you in front of the router or behind the ASA?
host -> router -> asa -> terminal server
router -> host -> asa -> terminal server
router -> asa -> host -> ts
Still not working.
The terminal server is behind the asa. It looks like:
dsl -> router (dialer interface, 192.168.2.254) -> asa (outside [192.168.2.250], inside [192.168.1.1]) -> host (ts)
Where are you at in the picture? On the DSL side going into the network, or ASA side going out?
Understood. You won't be able to test this from behind the ASA. In other words, if you're connected to a switch or directly to the ASA, you can't go out to the internet and back into your public interface to test it; it won't work. You'll need to do this from another computer that's completely outside of your network.
That said, can you do a sh ip nat trans on the router, and a sh xlate on the ASA and post the results back. Again, if you're trying to test it from within your network and coming back in, it won't work.
Thanks for all your help and time.
I got the problem resolved. I did two things wrong. The first one was the access rule in asa, the second was the translation rule in the router.
Now the ASA is working. The next step is to try to get the VPN working.
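As an added example that is not from the original thread, here is the pair of configurations that the double-NAT topology described above needs so that a terminal user on the internet can reach the terminal server: the router forwards TCP/3389 arriving on its public Dialer0 address to the ASA's outside address, and the ASA forwards it a second time to the terminal server and permits the flow in its outside ACL. The 192.168.2.x and 192.168.1.1 addresses, the Dialer0 interface and the pre-8.3 static/global/nat syntax come from the thread; the terminal server address 192.168.1.10, the router's Ethernet0 LAN interface, the NAT access-list number 1, the ACL name outside_access_in and the 203.0.113.0/24 source range are assumptions used as placeholders. It keeps the ASA's own outbound PAT, so the router only ever sees 192.168.2.250 on its LAN side.

```cisco
! ---- Cisco 837 (IOS): owns the public address on Dialer0 ----
! Mark the NAT inside/outside interfaces (Ethernet0 as the LAN side is an assumption).
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Outbound overload NAT for the LAN (access-list 1 is an assumed number).
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Inbound port forward: public Dialer0 address, TCP/3389 -> ASA outside interface.
! This is the "translation rule in the router" the resolution post refers to; a
! route-map only changes the next hop and never rewrites the destination address.
ip nat inside source static tcp 192.168.2.250 3389 interface Dialer0 3389
!
ip route 0.0.0.0 0.0.0.0 Dialer0

! ---- ASA 5505 (pre-8.3 syntax, matching the static/global commands in the thread) ----
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.250 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outbound PAT to the outside interface address (what the thread's nat/global lines do).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Second hop of the port forward: outside address:3389 -> terminal server (192.168.1.10 assumed).
! A static for a specific port takes precedence over the nat/global PAT above.
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
!
! The translation alone admits nothing: the inbound ACL on outside must permit the flow.
! "any" exposes RDP to the whole internet; where the users' source networks are known,
! use the narrower second line (203.0.113.0/24 is a placeholder) instead of the first.
access-list outside_access_in extended permit tcp any interface outside eq 3389
! access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 3389
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.2.254
!
! Flush existing translations so the new static is used immediately.
clear xlate
```

Two checks a practitioner would make after applying this. First, verify each hop separately from a host that is really outside: on the router `show ip nat translations` should list the 3389 entry for 192.168.2.250, and on the ASA `show xlate` should list the static for 192.168.1.10; testing from behind the ASA does not exercise either translation, as the thread already points out. Second, if the ASA's outbound nat/global lines were removed as suggested earlier in the thread, the router must instead be told where 192.168.1.0/24 lives (`ip route 192.168.1.0 255.255.255.0 192.168.2.250`) and access-list 1 must also permit that network, otherwise the terminal server's replies are dropped or sent out untranslated. Exposing RDP directly to `any` is a standing brute-force target, which is a good reason for the VPN step mentioned above to follow soon.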
That is right, Jon.
NAT is working. Anyone can get access to the internet from behind the inside interface of the ASA.
The problem is the translation rule. Behind the inside interface there is a terminal server. I have no idea how/where I should configure the translation rule.
interface cisco 837
ip route 0.0.0.0 0.0.0.0 dialer0
Nat: interface dialer0
ip route 0.0.0.0 0.0.0.0 192.168.2.250