Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

can not get nat to work with asa5505

Hello everyone,

I have been busy for a few day to try to set up the NAT with asa5505.Please see the attachtment for the configuration of the modem and the asa.

Hopefully someone can help me out.

Thanks in advance.

Peter

15 REPLIES
Hall of Fame Super Blue

Re: can not get nat to work with asa5505

Peter

Your going to have to tell us what you are trying to setup in terms of NAT and what is not working.

Jon

Re: can not get nat to work with asa5505

I looked at your config and I'm assuming a couple of things (because this is the way that I have it set up at my house).

You have a router in front of the ASA, and you want your ASA to filter traffic that comes in from the router, so you have something like this:

Host --> ASA --> Router --> DSL --> Internet

IF I'm right, then I would suggest not natting at all. Your inside interface on the router is:

192.168.2.254 and your public interface on the ASA is 192.168.2.250.

Make sure that you can ping your router from the ASA:

ping outside 192.168.2.254

If you do that, then in your NAT configuration on the ASA:

no global (outside) 1 interface

no nat (inside) 1 0 0

You should be able to ping from an inside host out. Your route is set up correctly from the ASA.

If this ISN'T what you are needing, then yeah, you should let us know like Jon requested. :-)

Thanks,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

Hello John,

Thanks for your reply.

I can internet from any hosts behind the inside interface of asa. The problem is:

behind the inside interface there is a terminal server. The terminal users have to log on to it from anywhere. I can not fix it out how/where i should place the translation rule.

Hopefully you can help me out.

Thanks in advance.

Peter

Re: can not get nat to work with asa5505

Try this:

static (inside,outside) interface netmask 255.255.255.255

On your public ACL:

permit tcp any interface outside eq 3389

What this does is tell the ASA to use the outside interface IP address as the public IP. In the public ACL, you're allowing anyone to come into the public IP address on port 3389 (terminal services). If you have a block of ip addresses, you can give any one of your addresses out of that block an assignment and forget about the "interface" keyword. In the following example, 9.9.9.9 is the public ip address.

static (inside,outside) 9.9.9.9 (private ip) netmask 255.255.255.255

In public ACL:

permit tcp any host 9.9.9.9 eq 3389

Once you complete this, clear your translate table for it to take effect:

clear xlate

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

Hello John,

It's not working. I post the configuration again. Can you take a look what i did wrong?

Thanks again.

Peter

Re: can not get nat to work with asa5505

I'm not sure if this will work, but try the following:

On the router:

ip access-list ext EXTERNAL

permit tcp any any eq 3389

route-map TS permit 5

match ip address EXTERNAL

set ip next-hop 192.168.2.250

I'm not GREAT with policy maps, so I'd be interested in seeing if this works. How are you trying to get to the terminal server?

--John

HTH, John *** Please rate all useful posts ***

Re: can not get nat to work with asa5505

I forgot to mention that you need to apply this policy map to the outside interface on your router:

int dialer0

ip policy route-map TS

exit

--John

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

no, it's still not working.

I use RDP to connect the terminal server.

Peter

Re: can not get nat to work with asa5505

Do you have a topology diagram or something that you can draw up quickly? Where are you in relation to the terminal server? Are you in front of the router or behind the ASA?

host -> router -> asa -> terminal server

router -> host -> asa -> terminal server

router -> asa -> host -> ts

--John

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

Still not working.

The terminal server is behind the asa. It looks like:

dsl->router(dialer interface, 192.168.2.254)->asa(outside[192.168.2.250],inside[192.168.1.1]->host (ts)

Peter

Re: can not get nat to work with asa5505

Where are you at in the picture? On the DSL side going into the network, or ASA side going out?

--John

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

The problem is on the DSL side going into the network.

By the way, inside out everything is ok.

peter

Re: can not get nat to work with asa5505

Understood. You won't be able to test this from behind the ASA. In other words, if your connected to a switch or directly to the ASA, you can't go out to the internet and back into your public interface to test it; it won't work. You'll need to do this from another computer that's completely outside of your network.

That said, can you do a sh ip nat trans on the router, and a sh xlate on the ASA and post the results back. Again, if you're trying to test it from within your network and coming back in, it won't work.

HTH, John *** Please rate all useful posts ***
New Member

Re: can not get nat to work with asa5505

Hello John,

Thanks for all your help and time.

I got the problem resolved. I did two things wrong. The first one was the access rule in asa, the second was the translation rule in the router.

Now the asa is working. The next step is try to get the vpn working.

Thanks again.

Peter

New Member

Re: can not get nat to work with asa5505

That is right, Jon.

NAT is working. Anyone can get access to the internet behind the inside interface of asa.

The problem is the translation rule. Behind the inside interface ther is a terminal server. I have no idee how/where i should configure the translation rule.

interface cisco 837

outside: 1.2.3.4

inside: 192.168.2.254

ip route 0.0.0.0 0.0.0.0 dialer0

Nat: interface dialer0

Interface asa5505

outside: 192.168.2.250

inside: 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.2.250

no nat

Thanks

158
Views
0
Helpful
15
Replies