outside NAT question
I created an outside NAT for my PC to allow internal users to access my PC by my domain name. But because the domain name is not configured yet, I can only test the outside NAT by referring to my external IP address. For example, my PC has internal IP 10.10.10.11 and external IP 82.1.1.11. I have a static NAT 10.10.10.11 to 82.1.1.11, and also an outside NAT 82.1.1.11 to 10.10.10.11. My PC has access-list rules in place to allow external access to my ports 80 and 8080. However, when I type http://82.1.1.11/sitename/ to access one of my sites, I can't. If I change the URL to refer to my internal IP address, the site is displayed correctly.
Is there something I need to put in place to make it work?
Thank you
Please see below:
"To access an alias dnat_ip address with the static and access-list commands, specify the dnat_ip address in the access-list command statement as the address to which traffic is permitted. The following example illustrates this point.
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside"
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_62/cmdref/AB.htm
Similar Questions
-
Using "Alias" vs "Outside NAT"?
Greetings,
Recently I started with a company that has a PIX 515. I upgraded the IOS from 1.0000 to 6.3(5) and installed PDM 3.04.
When I try to run the PIX via PDM, it prompts with 'PDM does not support the 'alias' command in your configuration... You should migrate to the newer 'Outside NAT' feature (or Bi-Directional NAT).'
Here are my statements using "alias". Can someone please provide an overview/examples of how to migrate these statements?
alias (inside) x.x.x.x y.y.y.y 255.255.255.255
alias (inside) x.x.x.x y.y.y.y 255.255.255.255
alias (inside) x.x.x.x y.y.y.y 255.255.255.255
alias (dmz) x.x.x.x y.y.y.y 255.255.255.255
static (inside,outside) tcp x.x.x.x www y.y.y.y www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x citrix-ica y.y.y.y citrix-ica netmask 255.255.255.255 0 0
static (dmz,outside) tcp x.x.x.x https y.y.y.y https netmask 255.255.255.255 0 0
static (dmz,outside) tcp x.x.x.x ftp y.y.y.y ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp y.y.y.y smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp y.y.y.y smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x www y.y.y.y www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x citrix-ica y.y.y.y citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x y.y.y.y 81 netmask 255.255.255.255 0 0
static (inside,dmz) x.x.x.x y.y.y.y netmask 255.255.255.0 0 0
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
Hello.. The alias command is used for the translation of IP addresses that overlap... for example, if you have a remote site using 192.168.0.1 and your internal network also uses the same range, you can make 192.168.0.1 appear to your LAN as a different IP... in this case 10.10.10.10
alias (inside) 10.10.10.10 192.168.0.1 255.255.255.255
You can also use aliases to redirect traffic to a different address. This translates the destination IP address.
In your config file it looks like
alias (inside) x.x.x.x y.y.y.y 255.255.255.255
alias (dmz) x.x.x.x y.y.y.y 255.255.255.255
have already been configured using
static (inside,dmz) x.x.x.x y.y.y.y netmask 255.255.255.0 0 0
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
So I suggest removing them... then typing clear xlate (this interrupts your current connections for a few seconds)... testing to make sure that everything is OK, and finally saving the changes with wr mem.
I hope this helps... Please rate if it does! ..
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about site-to-site IPsec VPN and NAT. Basically, what I want to achieve is the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static site-to-site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 with destination address, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5).
The translation holds for the rest of the communication (host N3 pings destination host N2 at 10.23.1.6, not 192.168.1.6; again the last byte is the same).
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider, where we provided our customers with IPsec site-to-site VPN with NAT (I don't know how it was set up).
Basically we contacted the customer's hosts via site-to-site VPN, but their real addresses were hidden and we used the translated address range 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK, so I went with the old NAT configuration format.
It seems to me that you could do the following:
- Configure ASA1 with policy static NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
- Because the above is a policy static NAT, the translation will be made only when the destination network is 10.1.0.0/16
- If you have, for example, a basic PAT configuration for inside -> outside traffic, consider how the above NAT configuration and the existing PAT configuration interact with each other
- On the ASA2 side, you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as usual
- Define the INSIDE-SHEEP access-list for the L2L VPN
- access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-SHEEP
- You will need to consider that the access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration tomorrow, but I would like to know whether it works.
Please rate if this was helpful
-Jouni
-
Multiple outside NAT at the same internal IP address
In my view, the answer is no, but wanted to check.
Can I have multiple NATs on the same interface to a single internal IP?
For example.
static (inside,outside) a.a.a.2 10.20.30.248 netmask 255.255.255.255
static (inside,outside) a.a.a.3 10.20.30.248 netmask 255.255.255.255
Where the subnet and the IP block are also in use for two other outside NATs.
Hello
If you are trying to do the following:
translate the IP 10.20.30.248 to a.a.a.2
and
translate the IP 10.20.30.248 to a.a.a.3,
that is, translate the internal IP address to two external IP addresses: if yes, then this is not possible.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved, and rate the useful messages.
-
Hi Experts,
Please help me with this. I am enclosing my network diagram with this post.
My firewall is a Cisco ASA 5510 running software version 8.4. I set up static NAT for all three servers (in the diagram, servers 1, 2 and 3). The issue is that the static NAT works only for the first server. No traffic goes to the other two servers (2 and 3). All servers are in the DMZ. When I remove the static NAT for servers 2 and 3, all traffic goes to the servers with the WAN IP address of the firewall, which means that the dynamic NAT works. I am also attaching the configuration file.
(NOTE: NAT works for the 72.16.34.1 server)
Kind regards
Martin
Hi San,
Would you be able to try this workaround:
https://supportforums.Cisco.com/blog/149276/asapix-proxy-ARP-vs-gratuito...
I think the problem is with the IP addresses provided by the ISP.
Thank you and best regards,
Maryse Amrodia
-
Hi all!
I can find no error in mine. Why is there no ping from PC1 to R2?
When I ping from R2 to PC1, the ping reaches PC1, and on the way back it gets lost inside R1.
The packet from PC1 (s:192.168.0.2 d:77.77.77.78) is received by R1 on Fa0/1 (out), passes according to the ACL to Loopback0 (in)
and disappears (debug), even though the packet should be translated (s:192.168.0.2 -> s:77.77.77.77) and forwarded to 77.77.77.78 through Fa0/1 (out). Where am I wrong?
The diagram is in the attachment. Best regards, Alexey.
Good morning, Alex.
I did the same topology in lab environment.
Please add the following statements to the route map to make your setup work:
access-list 101 permit ip host 192.168.0.2 host 77.77.77.78
access-list 102 permit ip host 77.77.77.78 host 192.168.0.2
route-map Nat-loop permit 10
 match ip address 101
 set ip next-hop 4.4.4.2
route-map Nat-loop permit 20
 match ip address 102
 set ip next-hop 4.4.4.2
Please see my previous response. I tried to write some explanations.
-
Outside NAT / Port Translation assistance needed
Image, says it all really...
I can't configure two external public IP addresses (1.1.1.2 and 1.1.1.3) that point to the same host but on different ports (443 for the first and 8443 for the latter).
Assuming you have your web servers in the DMZ:
(a) static (DMZ,outside) tcp 1.1.1.2 https 2.2.2.2 https netmask 255.255.255.255
(b) access-list HTTPS-OUT extended permit tcp any host 1.1.1.2 eq https
(c) access-group HTTPS-OUT in interface outside
For the second entry, you may need to do this:
(a) static (DMZ,outside) tcp 1.1.1.3 https 2.2.2.2 8443 netmask 255.255.255.255
(b) access-list HTTPS-OUT extended permit tcp any host 1.1.1.3 eq https
(c) access-group HTTPS-OUT in interface outside
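A small lint for pre-8.3 PIX/ASA static lines, added here as an example (not code from any of the posts above). It distinguishes the case from the "Multiple outside NAT" thread (one real address given two globals on the same interface pair, which the ASA rejects) from the port-translation case just above (two globals mapped onto one server by static PAT, which is fine as long as no global IP/port pair is claimed twice). The sample lines are constructed from those two threads.

```python
"""Lint pre-8.3 PIX/ASA 'static' lines for translations that cannot coexist."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# 'static (real_if,mapped_if) [tcp|udp] mapped [mapped_port] real [real_port] netmask ...'
STATIC_RE = re.compile(r"^static\s*\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)\s*(.*)$", re.IGNORECASE)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for plain static NAT, "tcp"/"udp" for static PAT
    mapped_ip: str
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]


def parse_static(line: str) -> Optional[Static]:
    """Parse one static NAT/PAT line; policy statics (access-list form) are skipped."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_if, mapped_if, rest = m.group(1), m.group(2), m.group(3).split()
    if "access-list" in rest:
        return None                     # policy static NAT: whether it applies depends on the ACL
    if "netmask" in rest:
        rest = rest[:rest.index("netmask")]
    if rest and rest[0].lower() in ("tcp", "udp"):
        if len(rest) < 5:
            return None
        proto = rest[0].lower()
        mapped_ip, mapped_port, real_ip, real_port = rest[1:5]
    else:
        if len(rest) < 2:
            return None
        proto, mapped_port, real_port = None, None, None
        mapped_ip, real_ip = rest[:2]
    return Static(real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port)


def find_conflicts(lines: List[str]) -> List[str]:
    """Return one message for every set of statics that cannot coexist on the box."""
    statics = [s for s in map(parse_static, lines) if s is not None]
    real_to_mapped = defaultdict(set)   # (real_if, mapped_if, real_ip)   -> global addresses
    mapped_to_real = defaultdict(set)   # (real_if, mapped_if, mapped_ip) -> real addresses
    pat_owner = defaultdict(set)        # (mapped_if, proto, mapped_ip, mapped_port) -> real ip:port
    for s in statics:
        pair = (s.real_if, s.mapped_if)
        if s.proto is None:
            real_to_mapped[pair + (s.real_ip,)].add(s.mapped_ip)
            mapped_to_real[pair + (s.mapped_ip,)].add(s.real_ip)
        else:
            pat_owner[(s.mapped_if, s.proto, s.mapped_ip, s.mapped_port)].add(
                f"{s.real_ip}:{s.real_port}")
    problems = []
    for (rif, mif, real), globals_ in real_to_mapped.items():
        if len(globals_) > 1:
            problems.append(f"{real} on {rif} is statically translated to several "
                            f"globals on {mif}: {sorted(globals_)}")
    for (rif, mif, mapped), reals in mapped_to_real.items():
        if len(reals) > 1:
            problems.append(f"global {mapped} on {mif} is claimed by several real "
                            f"hosts on {rif}: {sorted(reals)}")
    for (mif, proto, mip, mport), reals in pat_owner.items():
        if len(reals) > 1:
            problems.append(f"{proto} {mip}:{mport} on {mif} is claimed by several "
                            f"static PAT entries: {sorted(reals)}")
    return problems


# Constructed samples, taken from the two threads above.
SAME_HOST_TWO_GLOBALS = [
    "static (inside, outside) a.a.a.2 10.20.30.248 netmask 255.255.255.255",
    "static (inside, outside) a.a.a.3 10.20.30.248 netmask 255.255.255.255",
]
PORT_TRANSLATION = [
    "static (DMZ,outside) tcp 1.1.1.2 https 2.2.2.2 https netmask 255.255.255.255",
    "static (DMZ,outside) tcp 1.1.1.3 https 2.2.2.2 8443 netmask 255.255.255.255",
]
# Constructed: the same global IP and port handed to a second server, which cannot work.
DUPLICATE_PAT = PORT_TRANSLATION + [
    "static (DMZ,outside) tcp 1.1.1.2 https 2.2.2.3 https netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, sample in (("same host, two globals", SAME_HOST_TWO_GLOBALS),
                         ("port translation", PORT_TRANSLATION),
                         ("duplicate PAT", DUPLICATE_PAT)):
        print(name, "->", find_conflicts(sample) or "no conflicts")
```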
-
I have more than 150 VPNs on my ASA 5520. A specific customer, with whom I'll set up a VPN, has an overlap on two of the IPs it must reach from its internal network. It is NATing its internal network traffic to 10.251.11.177, so to my ASA it presents itself as 10.251.11.177 of the 10.251.11.176/29 network. Now the two IPs it must reach on the internal network are 10.1.254.200 and 10.1.254.201.
Thus, following the documentation on the Cisco website, I'm doing Policy Based Routing on the ASA 5520 (my side) so that its traffic goes to 1.1.1.1 and 1.1.1.2 instead of 10.1.254.200 and 10.1.254.201. Once it reaches my ASA 5520 it gets translated back to these IPs.
I am using the following configuration, but when I try to add the static entries, it won't let me add them. I even tried "static (outside,inside) 1.1.1.1 access-list POLICYNAT" with the ACL reversed, but to no avail.
object-group network VPN-map
 network-object host 1.1.1.1
 network-object host 1.1.1.2
!
access-list POLICYNAT extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT
static (inside,outside) 1.1.1.2 access-list POLICYNAT
Try splitting the IPs into two ACLs:
access-list POLICYNAT1 extended permit ip host 10.1.254.200 10.251.11.176 255.255.255.248
access-list POLICYNAT2 extended permit ip host 10.1.254.201 10.251.11.176 255.255.255.248
!
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 1.1.1.2 access-list POLICYNAT2
HTH
GE
-
I have an ASA 5505 that is running correctly using the AnyConnect client. The issue is that I can connect to the outside interface fine, but cannot ping or attach to any host on the inside. When I connect, it accepts the username and password, and I can run ASDM or SSH to the firewall very well, but no further. In the connection, after I log in, I get an inside IP address in the 10.7.30.x range as expected.
Configuration follows:
: Saved
:
ASA Version 8.2(5)
!
hostname asa5505
domain-name BLA
enable password * encrypted
passwd * encrypted
no names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 150
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.7.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address EXTERNAL_IP 255.255.255.128
!
interface Vlan150
 nameif WLAN_GUESTS
 security-level 50
 ip address 10.7.150.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
boot config disk0:/running-config
ftp mode passive
clock timezone STD -7
dns server-group DefaultDNS
 domain-name BLA
same-security-traffic permit intra-interface
object-group service Webaccess tcp
 port-object eq www
 port-object eq https
object-group network McAfee
 network-object 208.65.144.0 255.255.248.0
 network-object 208.81.64.0 255.255.248.0
access-list outside_1_cryptomap extended permit ip 10.7.30.0 255.255.255.0 192.168.24.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 192.168.24.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 159.87.30.252 eq smtp
access-list outside_access_in extended permit tcp any host 159.87.30.136 object-group Webaccess
access-list outside_access_in extended permit tcp any host 159.87.30.243 object-group Webaccess
access-list outside_access_in extended permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
access-list outside_access_in extended permit tcp any host 159.87.30.252 object-group Webaccess
access-list outside_access_in extended permit tcp any host 159.87.30.245 object-group Webaccess
access-list outside_access_in extended permit tcp object-group McAfee any eq smtp
access-list outside_access_in extended permit ip 172.16.10.0 255.255.255.0 10.7.30.0 255.255.255.0
access-list outside_access_in extended permit ip host 159.87.64.30 any
access-list vpn_users_splitTunnelAcl standard permit 10.7.30.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip any any
access-list outside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 any
access-list inside_access_in extended permit udp 10.7.30.0 255.255.255.0 any eq snmp
access-list outside_cryptomap extended permit ip 10.7.30.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging host inside 10.7.30.37
logging trap debugging
mtu inside 1500
mtu outside 1500
mtu WLAN_GUESTS 1500
ip local pool VPN_POOL 10.7.30.190-10.7.30.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
static (inside,outside) 159.87.30.251 10.7.30.50 netmask 255.255.255.255
static (inside,outside) 159.87.30.245 10.7.30.53 netmask 255.255.255.255
static (inside,outside) 159.87.30.252 10.7.30.30 netmask 255.255.255.255
static (inside,outside) 159.87.30.243 10.7.30.19 netmask 255.255.255.255
static (inside,outside) 159.87.30.136 10.7.30.43 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADWM-FPS-02 protocol nt
aaa-server ADWM-FPS-02 (inside) host 10.7.30.32
 timeout 5
 nt-auth-domain-controller ADWM-FPS-02
aaa-server ADWM-FPS-02 (inside) host 10.7.30.49
 nt-auth-domain-controller ADWM-DC02
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 206.169.55.66 255.255.255.255 outside
http 206.169.50.171 255.255.255.255 outside
http 10.7.30.0 255.255.255.0 inside
http 206.169.51.32 255.255.255.240 outside
http 159.87.35.84 255.255.255.255 outside
snmp-server host inside 10.7.30.37 community * version 2c
snmp-server location *
snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 206.169.55.66
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 159.87.64.30
crypto map outside_map 2 set transform-set ESP-AES-192-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint *
 enrollment terminal
 fqdn *
 subject-name *
 keypair MYKEY
 crl configure
crypto ca trustpoint A1
 enrollment terminal
 fqdn ***************
 subject-name *
 keypair MYKEY
 crl configure
crypto ca trustpoint INTERMEDIARY
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca certificate chain *
 certificate ca 0301
  BUNCH OF STUFF
 quit
crypto ca certificate chain A1
  OTHER LOTS of certificate
 quit
crypto ca certificate chain INTERMEDIATE
  YET ANOTHER certificate
 quit
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca LAST BUNCH
 quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.7.30.0 255.255.255.0 inside
telnet timeout 30
ssh 206.169.55.66 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2 8.8.8.8
!
dhcpd address 10.7.150.10-10.7.150.30 WLAN_GUESTS
dhcpd enable WLAN_GUESTS
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 des-sha1
ssl trust-point A1 outside
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
 dns-server value 10.7.30.20
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_users_splitTunnelAcl
 default-domain value dwm2000.WM.State.AZ.us
 split-dns value dwm2000.wm.state.az.us
username HCadmin password * encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_POOL
 authentication-server-group ADWM-FPS-02
 default-group-policy VPNUsers
tunnel-group 206.169.55.66 type ipsec-l2l
tunnel-group 206.169.55.66 ipsec-attributes
 pre-shared-key *
tunnel-group 159.87.64.30 type ipsec-l2l
tunnel-group 159.87.64.30 ipsec-attributes
 pre-shared-key *
!
class-map IPS_TRAFFIC
 match access-list IPS_TRAFFIC
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
 class IPS_TRAFFIC
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e70de424cf976e0a62b5668dc2284587
: end
asdm image disk0:/asdm-645-206.bin
asdm location 159.87.70.66 255.255.255.255 inside
asdm location 208.65.144.0 255.255.248.0 inside
asdm location 208.81.64.0 255.255.248.0 inside
asdm location 172.16.10.0 255.255.255.0 inside
asdm location 159.87.64.30 255.255.255.255 inside
no asdm history enable
Anyone have any ideas?
Hello
Please add this line to your configuration and let me know if it works:
access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 10.7.30.0 255.255.255.0
I am asking you to add it because you have not specified any exemption for the return traffic. Once you add it, the return packets will be allowed to go through the VPN tunnel. When this command is not there, you will be able to access everything on the ASA but nothing behind it.
Let me know if it helps.
Thank you
Vishnu
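The two NAT-order arguments made on this page, Jouni's point in the site-to-site thread that a policy static NAT only fires when the destination matches its ACL, and Vishnu's point just above that without a nat 0 entry for 10.7.30.0/24 to 10.7.30.0/24 the traffic back to AnyConnect clients (pool 10.7.30.190-200, inside the inside subnet) is caught by the catch-all dynamic PAT, can both be checked with a small model of the pre-8.3 PIX/ASA lookup order. This is an added example, not code from the posts; the rule sets are constructed from the lines quoted in the threads, and ASA1 assumes the usual nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface pair that the thread does not show.

```python
"""Model of the NAT lookup order on PIX/ASA software before 8.3:
nat 0 access-list (exemption), then static (policy before regular), then dynamic nat/global."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text: str) -> IPv4Net:
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Rule:
    kind: str                  # "exempt" (nat 0 access-list), "policy_static", "static", "dynamic"
    real: IPv4Net              # real (inside) source addresses the rule matches
    mapped: Optional[IPv4Net]  # mapped network for static rules; None = interface PAT / no change
    dst: IPv4Net = ANY         # destination condition (policy rules and nat 0 ACLs only)


# Lookup order: exemption, policy static, regular static, policy dynamic, regular dynamic.
ORDER = ("exempt", "policy_static", "static", "policy_dynamic", "dynamic")


def translate(rule: Rule, src: ipaddress.IPv4Address) -> str:
    """Mapped source produced by a matching rule; statics keep the host bits (last byte)."""
    if rule.kind == "exempt":
        return str(src)
    if rule.mapped is None:
        return "interface-PAT"
    offset = int(src) - int(rule.real.network_address)
    return str(rule.mapped.network_address + offset)


def lookup(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (rule kind, translated source) for an inside->outside packet, or ("none", src)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind in ORDER:
        for r in rules:
            if r.kind == kind and src in r.real and dst in r.dst:
                return kind, translate(r, src)
    return "none", str(src)


# Scenario A (constructed): ASA1 from the site-to-site thread, Jouni's policy static plus an
# assumed 'nat (inside) 1 0.0.0.0 0.0.0.0' / 'global (outside) 1 interface' pair.
ASA1 = [
    Rule("policy_static", net("192.168.1.0/24"), net("10.23.1.0/24"), dst=net("10.1.0.0/16")),
    Rule("dynamic", ANY, None),
]

# Scenario B: the relevant NAT lines of the posted 8.2(5) ASA 5505 config, before Vishnu's fix
# (one of the five statics is enough to show the effect).
ASA5505_BEFORE = [
    Rule("exempt", net("10.7.30.0/24"), None, dst=net("192.168.24.0/22")),
    Rule("exempt", net("10.7.30.0/24"), None, dst=net("172.16.10.0/24")),
    Rule("static", net("10.7.30.50/32"), net("159.87.30.251/32")),
    Rule("dynamic", ANY, None),
]
# After adding 'access-list inside_nat0_outbound extended permit ip 10.7.30.0/24 10.7.30.0/24'.
ASA5505_AFTER = [Rule("exempt", net("10.7.30.0/24"), None, dst=net("10.7.30.0/24"))] + ASA5505_BEFORE

if __name__ == "__main__":
    print(lookup(ASA1, "192.168.1.5", "10.1.0.1"))            # policy static, last byte kept
    print(lookup(ASA1, "192.168.1.5", "203.0.113.7"))         # ordinary internet traffic: PAT
    print(lookup(ASA5505_BEFORE, "10.7.30.50", "10.7.30.195"))  # reply to a VPN client gets NATed
    print(lookup(ASA5505_AFTER, "10.7.30.50", "10.7.30.195"))   # exempt once the nat 0 line exists
```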
-
Hello
It's been a while since I've done work with a PIX, and as such I am a little rusty with them. I wonder if someone who is a little more familiar with them might be able to answer my question.
We have a /24 block of public IP addresses that are currently used for various Linux servers + an AS5300. I prefer to keep it as a solid block without subnetting it.
We have a number of Windows 2000 servers running different PSTN switching + SQL applications that will be installed on the same network. I don't want to put these on the public internet, as any security is handled on the local machines. Fortunately, we have a PIX 515 going spare.
Is it possible to map individual IP addresses or a block of IP addresses from the outside interface to the inside interface of the PIX, as opposed to routing a block of addresses from our net block on the inside interface, or performing a static mapping from public to private? The result I'm after is for servers behind the PIX to have a public IP address that flows through the PIX. So in effect the PIX would act as a bridging firewall. Is this type of installation possible?
Kind regards
Alan
Alan,
Yes. I would *hopefully* group the machines that keep their outside global addresses together so that I could create an access list to cover them.
i.e.
access-list sheep permit ip 10.10.10.0 255.255.255.224
nat (outside) 0 access-list sheep
This allows the first 32 (-2) IP addresses through the firewall with no address translation.
You can also restrict the types of traffic as well. My suggestion is to keep the traffic flow and the filtering of the traffic in separate lists. So if I have a web server in the subnet mentioned above, I would write the following:
access-list incoming permit tcp 10.10.10.3 255.255.255.255 eq www
Hope this helps,
Doug.
-
Ssh/telnet/web ASA5505 question
I can't access this ASA from anywhere except the console.
I'm no ASA expert, but I compared it to other ASAs I have configured, and I can't find the error of my ways.
It is probably easy; I just need a different set of eyes looking at it now. I hope I haven't censored too much, but I imagine that if I am able to SSH locally, that will fix all the access issues I have.
:
ASA Version 7.2 (4)
!
host name X
domain X.local
activate the encrypted password of XXXXXXXXXXXXXXXXXXX
passwd encrypted XXXXXXXXXXXXXXXX
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.27.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!Banner motd to USE OFFICIAL ONLY. Unauthorized use prohibited
Banner motd people who use this computer system is subject to having all
Banner motd of their activities on this system monitored and recorded without
new notice of Banner motd. Audit of users may include surveillance of the strike.boot system Disk0: / asa821 - k8.bin
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name X.X.X.12
Name-Server 4.2.2.2
domain pain.local
permit same-security-traffic intra-interface
object-group service XX tcp - udp
60000 64999 object-port Beach
object-group network MySpace
object-network 67.134.143.0 255.255.255.0
object-network 204.16.32.0 255.255.255.0
network-object 216.178.32.0 255.255.224.0
object-group network Facebook
object-network 69.63.176.0 255.255.255.0
object-network 204.15.20.0 255.255.255.0
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
the DM_INLINE_NETWORK_1 object-group network
object-network 10.x.x.0 255.255.255.0
object-network 172.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 172.x.x.0 255.255.255.0
the LocalLAN object-group network
X subnet Local 192.168.27.x description
object-network 192.168.27.0 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 10.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 10.x.x.0 255.255.255.0
object-network 172.x.x.0 255.255.255.0
object-network 172.x.x.0 255.255.255.0
the DM_INLINE_NETWORK_3 object-group network
network-host 64.x.x.x object
network-host 71.x.x.x object
network-host 74.x.x.x object
network-host 99.x.x.x object
network-host 173.x.x.x object
object-network 192.168.27.0 255.255.255.0
object-network 192.168.1.0 255.255.255.0
192.168.27.0 IP Access-list extended sheep 255.255.255.0 allow object-group DM_INLINE_NETWORK_1
outgoing extended access-list deny ip any object-group inactive MySpace
outgoing extended access-list deny ip any object-group inactive Facebook
outgoing to the icmp a whole allowed extended access list
coming out to the one permitted all ip extended access list
extended access-list extended permitted ip object-LocalLAN group DM_INLINE_NETWORK_1 object
outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_3 all
outside_cryptomap list extended access permitted ip object-group LocalLAN-group of objects DM_INLINE_NETWORK_2
pager lines 24
Enable logging
timestamp of the record
registration of emergency critical list level
exploitation forest-size of the buffer 1048576
emergency logging console
monitor debug logging
recording of debug trap
notifications of logging asdm
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
exploitation forest-address recipient [email protected] / * / critical level
logging feature 23
forest-hostdown operating permits
registration of emergency of class auth trap
record labels of class config trap
record labels of class ospf trap
logging of alerts for the vpn trap class
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 192.168.X.X 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
x.x.x.x 255.255.255.255 out http
http 0.0.0.0 0.0.0.0 outdoors
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.27.0 255.255.255.0 inside
redirect http outside 80
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
sysopt connection tcpmss 1360
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 10.x.x.x 4.2.2.2
dhcpd domain pain.local
dhcpd auto_config outside
dhcpd option 156 ascii ftpservers=10.x.x.x
dhcpd option 42 ip 208.66.175.36
!
dhcpd address 192.168.27.2-192.168.27.33 inside
dhcpd enable inside
!
ntp authentication-key 1 md5 *
ntp authenticate
ntp server 10.x.x.x source inside
username XXXXXXXXX password XXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 64.X.X.X type ipsec-l2l
tunnel-group 64.X.X.X ipsec-attributes
 pre-shared-key X
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
The part that controls where you are allowed to SSH into the ASA is these lines:
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
But have you generated the public/private keys?
ASA(config)# crypto key generate rsa general-keys modulus 2048
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Does anyone know if FWSM 1.1(3) supports bidirectional NAT or outside NAT the way the PIX does?
Thanks for any help
Best regards
Fabio Bellini
Fabio,
Nope, neither bidirectional nor outside NAT is supported in the FWSM 1.1(3) code. We are adding this to the 2.1 code, which should be out in the first part of the year. 1.1 on the FWSM mirrors PIX 6.0 code (with the exception of OSPF). The FWSM 2.1 code should mirror the PIX 6.3 code. So whatever was added after 6.0 in the PIX won't be supported until FWSM 2.1. I hope this helps.
Scott
-
I have a site-to-site VPN from my ASA to the provider, with NAT on the outside interface of the device, and it works well. Behind my ASA I have another site-to-site VPN (branch A) to the site (my ASA), and it works as well.
My problem is that the traffic from my branch A to the provider clearly has no NAT.
My ASA
object-group network attached
 network-object 192.168.1.0 255.255.255.0
object-group network provider
 network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch
 network-object 192.168.0.0 255.255.0.0
access-list inside extended permit ip object-group reteInside object-group attached
access-list inside extended permit ip object-group allmyBranch object-group provider
access-list nat0_acl extended permit ip object-group reteInside object-group attached
access-list VPN-Hots extended permit ip object-group reteInside object-group attached
access-list VPN-provider extended permit ip interface outside object-group provider
access-list VPN-provider extended permit ip object-group allmyBranch object-group provider
access-list ToSupplier extended permit ip object-group allmyBranch object-group provider
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 access-list ToSupplier
Do you have any idea how to solve it? Is this possible?
Thank you
I'm glad to hear that.
If the problem is resolved and you found it useful, please rate the thread and mark it as answered :-)
Thank you.
Federico.
-
Remote access ASA, VPN and NAT
Hello
I'm trying to get remote access VPN working using the Cisco VPN client and an ASA with no split tunneling. The VPN works somewhat: I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the ASA log except these:
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53
There is only one public IP address, which is assigned to the outside interface by DHCP. The inside network is 192.168.1.0/24, which is PAT'ed to the outside interface, and the VPN network is 192.168.47.x.
I think my problem is that the .47 net is not NAT'ed out properly and I don't know exactly how to set it up. I can't understand how this is supposed to work, since the VPN net technically originates from the outside already.
Here is all the relevant config:
access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
static (inside,outside) tcp interface https someids https netmask 255.255.255.255
I can post more of the configuration if necessary.
Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' gives these:
Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53
So, how do I NAT the VPN traffic properly so it can access the Internet?
A few things need to be changed:
(1) The NAT exemption ACL must be modified to be more specific, so that only the traffic between the internal subnets and the VPN pool subnet is exempted from NAT. NAT exemption takes precedence over all other NAT statements, so your Internet traffic from the VPN does not work.
This ACL:
access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
Should be changed to:
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
(2) You don't need the "global (inside) 2" statement. Here's what should be configured:
no nat (outside) 2 192.168.47.0 255.255.255.0 outside
no global (inside) 2 interface
nat (outside) 1 192.168.47.0 255.255.255.0
(3) And finally, you must enable the following to allow the traffic back out on the outside interface:
same-security-traffic permit intra-interface
And don't forget to clear xlate after the changes above and reconnect to your VPN.
Hope that helps.
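To make the order of operations in this answer concrete, here is an added example (not from the thread or from Cisco) that models the three flows a no-split-tunnel VPN client needs against the before and after NAT rules. It is a deliberate simplification of ASA 8.2 behaviour: hairpinning is gated by same-security-traffic, the nat 0 ACL is checked first in both directions, and dynamic NAT matches on the ingress interface and needs a global on the egress interface; the public and inside interface addresses are placeholders.

```python
"""Simplified model of the ASA 8.2 NAT order of operations the answer relies on.
Constructed example, not the poster's or Cisco's code. Assumptions: hairpinned
traffic is gated by same-security-traffic, nat 0 access-list is checked first
and is bidirectional, then dynamic NAT matches on the ingress interface and
needs a global for the egress interface. Interface addresses are placeholders."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")     # poster's inside LAN
VPN_POOL = ip_network("192.168.47.0/24")  # poster's VPN pool
ANY = ip_network("0.0.0.0/0")
PUBLIC_IP = "203.0.113.1"                 # placeholder for the DHCP-assigned outside address
NO_XLATE = "dropped: no translation group (%ASA-3-305005)"

def iface(ip):
    """Interface a host is reached through; VPN clients are on 'outside'."""
    return "inside" if ip in INSIDE else "outside"

def translate(src, dst, cfg):
    """Source address as it leaves the ASA, or a string naming the failure."""
    s, d = ip_address(src), ip_address(dst)
    if iface(s) == iface(d) and not cfg["intra_interface"]:
        return "dropped: same-security-traffic permit intra-interface missing"
    for a, b in cfg["exempt"]:           # 1. NAT exemption, evaluated first, both directions
        if (s in a and d in b) or (s in b and d in a):
            return src                   # leaves untranslated: fine to the LAN, fatal to the Internet
    for ifc, net, nat_id in cfg["nat"]:  # 2. dynamic NAT/PAT on the ingress interface
        if ifc == iface(s) and s in net:
            return cfg["global"].get((iface(d), nat_id), NO_XLATE)
    return NO_XLATE

BEFORE = {"intra_interface": False, "exempt": [(ANY, VPN_POOL)],
          "nat": [("inside", ANY, 1), ("outside", VPN_POOL, 2)],
          "global": {("outside", 1): PUBLIC_IP, ("inside", 2): "192.168.1.1"}}  # inside IP is a placeholder
STEP3_ONLY = dict(BEFORE, intra_interface=True)   # hairpin allowed, exemption ACL still too broad
AFTER = {"intra_interface": True, "exempt": [(INSIDE, VPN_POOL)],
         "nat": [("inside", ANY, 1), ("outside", VPN_POOL, 1)],
         "global": {("outside", 1): PUBLIC_IP}}

def check(cfg, vpn="192.168.47.200", lan="192.168.1.10", inet="66.174.95.44"):
    """The three flows that matter for a VPN client without split tunnelling."""
    return {"vpn->lan": translate(vpn, lan, cfg),
            "lan->inet": translate(lan, inet, cfg),
            "vpn->inet": translate(vpn, inet, cfg)}

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("STEP3_ONLY", STEP3_ONLY), ("AFTER", AFTER)):
        print(name, check(cfg))
```

Running it shows the VPN-to-Internet flow first blocked by the missing intra-interface permit, then (with only step 3 applied) leaving with its private 192.168.47.200 source because the broad exemption still matches, and only with the narrowed ACL plus nat (outside) 1 being PAT'ed to the outside address.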
-
ASA 5505 Anyconnect traversal nat error
Good afternoon gents,
I installed an ASA 5505 and can connect with AnyConnect, but when I do, I can't access my LAN, nor can my LAN access my laptop. In the logs I see the following error message:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.139.50.1/64506 dst inside:10.201.180.5/53 denied due to NAT reverse path failure.
I can't seem to figure this out and nothing I have read and tried has worked. Here's the relevant config; any help would be GREATLY appreciated.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.201.180.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.200.133.107 255.255.255.248
!
access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0
ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
Try the nat 0 statement without the outside keyword:
nat (inside) 0 access-list inside_nat0_outbound
In addition, post the output of:
sh run sysopt
Manish