Cisco Firewall :: ASA 5510 Address Translation Through Internal Network

Jan 19, 2013

Is it possible to perform static Nat's through an internal network?I have a ASA 5510 with a public outside interface (let’s call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900m with that interface being configured with a 192.168.1.1 (no switching). On the 4900 M I have several VLANs one of them is an internal DMZ of sorts. (192.168.2.0/24). Within this DMZ network are several Web servers which need to be associated a public IP address (68.68.68.x).

Every time I configure a static Nat to associating a public IP address with an internal IP address within the DMZ, packet Tracer on the ASA informs me that the packet gets dropped at the static Nat and I cannot figure out why this is so.Safe it to say my question still stands is it possible to Nat (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring in such the manner above so that I acn apply static nat through the 192.168.1.0 network to reach the 192.168.2.0 network.

View 11 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 - NAT And Internal Network Routing

Apr 16, 2013

I am having a problem getting my ASA to work properly.  I attached a diagram for reference and most of the config is below. When I finally got it to route properly between 2 sub nets on the internal network, the NO NAT statement broke routing for the VPN Clients who rely on a NAT statement for the same sub net that is listed in NO NAT access list.  I can get one of the 2 to work by replacing NAT statements but can't figure out a combination to allow routing for both the internal sub nets and the VPN clients to work. 

It's been about 5 days of tweaking this thing just to get the internal routing to work correctly and when I finally did I broke VPN client access.  To note, the VPN clients can still log in and get a session going, they just can't get anywhere once they are in.  I also think there's a lot of stuff in this config that is not needed like a lot of the object groups, etc. but I am being very careful about removing anything.  I took over support of this ASA after someone else put it in place and over this past weekend we moved it to a new building and new ISP and that is when I had to get it to route between sub nets.  The main point of this move was to remove building 1's reliance on building 2 for Internet and outside email access in the event that building 2 is not available (it is close to water and this has happened more than once over the past year). 

So that is why I can't go with the smartest option of just keeping the routes on the router in the other building.  I also know the 1600s are ancient but they're all we have for now.  I can provide those router configs also but they are VERY basic, all static routing. The IP for the Cisco router on the same sub net as the ASA is 192.168.42.254.

This is the statement that allows the routing to work between the 2 internal sub nets but breaks VPN clients: nat (INSIDE) 0 access-list NO NAT

This is the statement that allows the VPN clients to work but breaks the internal routing: nat (INSIDE) 0 access-list INSIDE_nat0_outbound 

The rest of the config is below the diagram.
ASA Version 8.2(2)
host name Cisco asa
domain-name default.domain.invalid
enable password - encrypted
password - encrypted
names
dns-guard
[code]...

View 7 Replies View Related

Cisco Firewall :: ASA 5510 Internal Network Cannot Connect To Internet

May 12, 2012

I have an ASA 5510 configured 3 interface Internet_AAPT, Internal_Network and Server_Network. The server network works fine as is able to connect to the internet and services like port 80 work from the internet in. But from the Internal_Network can only get to the server network but not internet (6May 13 201214:17:4030201310.153.111.21253663199.47.216.14880Built outbound TCP connection 42508 for Internet_AAPT:199.47.216.148/80 (199.47.216.148/80) to Server_Network:10.153.111.212/53663 (10.153.111.212/53663). The weird thing in logs i see a connection being made but for some reason its referring to the Server_Network interface? below is my current config...
 
ASA Version 8.2(5)
!
hostname ASA01
domain-name names
name 10.153.11.184 QNAP
name 10.153.11.192 exc2010
name 10.153.11.133 zeacom

[code]....

View 10 Replies View Related

Cisco Firewall :: ASA 5510 - Guest Network Access To Internal Webserver

Dec 18, 2012

I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver.  (DMZ discussion aside)
 
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
 
Internally clients resolve our website to 192.168.40.40 and that part works as it should.  Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
 
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1.  However it seems traffic goes out and back in our outside interface and this connection never occurs.
 
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website.  Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ?  Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 / Nat With Port Translation With 8.4(3)?

Mar 10, 2012

Trying to translate telnet for switches to the outside ip address at some random ports. 
 
172.16.200.2:23 ->  10.199.199.2:2300
172.16.200.3:23 ->  10.199.199.2:2301
172.16.200.4:23 ->  10.199.199.2:2302
etc....  
 
ASA 5510 running 8.4(3):
 
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.199.199.2 255.255.255.248
 interface Ethernet0/1.200
vlan 200
nameif inside
security-level 100
ip address 172.16.200.254 255.255.255.0

[code]....
 
I can not access the switch at 10.199.199.2:2301 .  What am I doing wrong?  Or should cleaning toilets be something I really should look at!  Now if i run this NAT statment:
 
object network Switch_TN
nat (inside,outside) static 10.199.199.3 service tcp telnet 2301
 
I am able to access the switch at 10.199.199.3:2301

View 7 Replies View Related

Cisco Firewall :: ASA 8.4 With NAT Source Address Translation?

Dec 5, 2012

I have a server in a DMZ of my 8.4 ASA with nat:
 
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
 
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Dynamic NAT Inbound Translation

Jun 1, 2011

I have ASA 5510 and public FTP server from my local network to external IP address, with static nat translation. All works, but I need request to ftp come from internal ASA interface (need use gateway different ASA). How configured ASA for forwarding request?

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - NAT Regular Translation Creation

Dec 4, 2012

I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
 
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49  10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)          
 
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.

View 1 Replies View Related

Cisco Firewall :: 5510 No Translation Group Found Error

May 31, 2011

I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
 
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a  No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.

View 3 Replies View Related

Cisco Firewall :: 5510 - No Translation Group Found For UDP Src Inside

Jan 10, 2013

I have seen many of these errors lately.  We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
 
[code]....

View 6 Replies View Related

How Network Address Translation Works

Apr 18, 2011

How Stuff Works "How Network Address Translation Works"."This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers." so let's say 6-7 pc's can have access to the internet using the same IP. doesn't this causes any problems? what if one of those pc's was used fore doing something illegal? how can they spot it later on? or what if 2 or more pc's access (from that subnetwork) access the same website with the same IP?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 Address Translation And Port Forwarding

Oct 31, 2011

I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ.  In the documentation for the Mitel border gateway it wants me to set up 2 external IP's on my ASA one to allow 443 traffice into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MGB in the DMZ.  My problem is I don't know how to do this. the MBG only has one IP, and I need to have 2 different URL's mapped to two different external IP's both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.

View 10 Replies View Related

Cisco Firewall :: ASA 8.3(2) / PAT Interface Address With Static NAT Port Translation?

Aug 22, 2011

I have an 8.3(2) ASA with a single outside IP.  Dynamic PAT translates inside addresses to the outside interface address.  I would like to use static NAT with port translation to access an inside syslog server.  I got an error when I tried using the outside interface address.  Can I use both dynamic PAT and Port Translation with the same outside address?This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.(192.168.1.0 is my inside network.  10.10.1.10 is the outside interface IP.)
 
object network inside-net
  subnet 192.168.1.0 255.255.255.0
  nat (inside, outside) dynamic interface
 object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static 10.10.1.10 service tcp ssh ssh

View 6 Replies View Related

Cisco :: Network Address Translation On 6500?

Nov 22, 2012

We've got an application that is running on our LAN that is using IP addressing to connect to the server (they refused to use DNS).The server is now being moved to a VM which will be on a different subnet. The supplier is now concerned that there will be a big down time due to him having to reconfigure each device (about 100) with the new server IP. If the server was external I know I'd be able to do NAT on the FW to make this work but can it be done internally on my 6500s? I want to have the devices pointing at their hardcoded IP address off 1.1.1.10 and NAT the destination to the VMware servers IP 2.2.2.10? Is this possible using cisco NAT?

View 13 Replies View Related

Home Network :: Static Port Address Translation?

Mar 24, 2011

In my router I can set rule that all traffic incoming to router's extAddr:8888, is forwarded to my intAddr:8888. But I also need reverse rule that packets originating from intAddr:8888 are translated to extAddr:8888. Can I do that? What technique can I search on google to find more information, because it is not port forwarding. I would calll it reverse port forwarding or static port address translation, but I do not find anything useful in internet searching these keywords.

View 3 Replies View Related

Cisco VPN :: 2911 / Port Address Translation For Remote Network?

Aug 4, 2012

I have site to site vpn between cisco asa and cisco 2911 router.asa is static ip and cisco 2911 side is dynamic ip. my site to site vpn is working fine. I am just trying to make PAT over the vpn means i want forward one ip in my public pool to one of my local ip in the cisco 2911 side.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 To Have Internal Address That Wish To Forward From External Address

Jul 8, 2012

I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 / PAT Different WAN IP Tp Internal Host?

Dec 14, 2012

We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.

So i just changed this:

object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
 to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
 
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp

View 5 Replies View Related

Cisco Firewall :: ASA 5510 Communication Between Two Internal Interfaces

Jun 11, 2013

I've been following most of the comments in regarding how to allow communication between two internal networks on a ASA5510 8.2.5 But I am still a little confused about to how to set my firewall. I made chages to it and still do not have the desired results.
 
I need to allow comunication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy ip address below.
 
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com

[Code].....

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - How PAT With One Public IP To Two Internal Servers

Sep 18, 2012

I've tried a bunch things but it didn't work, I'm about to gave up! :-/
 
I have the following scenario:
 
ASA5510 - v8.3(2)
 
Interfaces
ETH0/0 = outside  = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15

[Code]....

What should I do to get the SIP and 8080 port working on my Public IP, likewise just as access from my browse the http://189.xxx.xxx.129:8080 and get through directly to my internal server 10.xx.xx.61 ?

View 5 Replies View Related

Cisco Firewall :: Routing To Internal Subnets From ASA 5510

May 17, 2012

Having trouble with a couple items.  First of all, should I be able to ping the inside interface of the ASA from all internal subnets assuming all of these subnets/vlans are directly connected to the same L3 switch?  I can ping the ASA inside interface from our L3 switch, but I cannot ping the inside interface from a host on a different internal subnet.  I have setup static routing on the ASA [

route inside 10.10.96.0 255.255.248.0 10.30.1.1 1]and verified that I can ping the host [10.10.96.212] from the ASA inside interface [10.30.1.5].  The inside interface is on the 10.30.1.x/24 subnet.  My host is on the 10.10.96.x/21 subnet.  From the ASA I can ping 10.10.96.212, but I cannot ping 10.30.1.5 from 10.10.96.212.  I can however ping 10.30.1.1 from 10.10.96.212.
 
This leads to my next issue, which is trying to setup the ASA to work concurrently with our current firewall.  I'm doing this in order to transition to the ASA.  I'd much prefer to cutover inbound NAT a little at a time vs. doing it all at once.  Our current firewall is setup at 10.30.1.2 and this is the default route on our L3 switch (0.0.0.0 0.0.0.0 10.30.1.2).  So my question is, if I setup an inbound NAT to one of our web servers on the 10.10.96.x subnet, will I be able to get it to route back to the ASA as opposed to ending up in asymmetric routing **** since the default route points back to our other firewall? 

View 2 Replies View Related

Cisco Firewall :: How To Configure 4GE SSM Or ASA 5510 Internal Data Ports

Feb 4, 2013

I have inherited an asa 5510 whit 4GE SSM module installed. The asa runs fine, but i can not use the 4GE SSM ports. Using  ASDM or console i can get and configure the gigabitethernet1/x ports but i can not get traffic on it. The ping from the console to the ip address of the Gigabitethernet1/0 is successful. On switches or hubs connected to those ports i can not see the port's mac address. The two Internal-data0/0 and Internal-data1/0 are down and i can get they up. How to configure 4GE SSM or ASA internal-data ports.

View 8 Replies View Related

Cisco Firewall :: ASA 5510 / Unable To Get Internal Networks Talking To Each Other

Apr 22, 2012

I am tasked with transferring all clients from one subnet to the other. I figure the nicest way to do this is to temporarily have the subnets talk to each other in an endeavour to avoid as much downtime as possible. The two internal subnets are:

192.168.0.0/24
192.168.43.0/24 (the intended migration network)
 
I am beating my head against the desk here as I dont seem to be getting anywhere after the changes I have made. The current configuration is as such:
 
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name *****
enable password ***** encrypted
passwd ***** encrypted
names

[code]......
 
Upgrading the firmware is not really an option?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Connecting To External IP Of Internal Server

Sep 25, 2012

I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network.  I have already set up dns doctoring for dns lookups, and everything is working fine there.  We have an application inside the network that tries to connect straight to the external Ip of another internal server.  where to look in the ASDM 6.4?

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Internal Address To Forward From External One

May 30, 2013

I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.

View 5 Replies View Related

Cisco Firewall :: 5510 - Connections Routing Between Two Internal ASAs Fail

May 19, 2012

We have a site with two inbound circuits, one for internet and one for our MPLS.  Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall.  For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts.  OSPF is the routing protocol between all the routers and ASA's and routing is working.  In fact, ICMP is working as well.  From an inside host (172.16.0.81), we can ping anything on the MPLS network.  But when I try to use telnet (for example), the connection fails.  If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
  
Both ASAs are running 8.4(3), and have the following commands:
 
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside

[Code]....

And from the MPLS nodes, I can see a tcp request is made. 

View 6 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Stops Forwarding Incoming Traffic To Internal Servers?

Dec 5, 2012

Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.

View 2 Replies View Related

D-Link DIR-655 :: Set Up IP Address Translation

Oct 18, 2011

I have 5 static public IP addresses assigned by my ISP. I like to use one of these static public IP addresses to access one of my PCs in my office from the outside. So I like to configure something like:65.11.22.44 <-> 192.168.1.100.This translation is good for all protocols and all ports. Where I can configure this on the DIR655?

View 2 Replies View Related

Cisco Switching/Routing :: 5505 Can't Connect To Public NAT Address From Internal Network

Dec 19, 2011

I have an ASA 5505 configured with internal network, a DMZ, and a VPN on seperate subnets.  The implicit rules allow my internal client computers to connect to the web servers on the DMZ IP, but I can not connect to the public NAT address from the internal network.  I have a DNS server on my internal network and it does resolve to the public IP correctly.  NAT seems to be working correctly because if I go outside the network and connect to the public IP or qualified name then I can get to everything correctly.  I do not see any messages in the Cisco logs and the packet trace tool shows the route of http from an internal IP adddress  to the external (NATed) address is allowed.
 
Specifically, I can go to http://192.168.1.121 from the internal (192.168.0/24) network, but I can not go to http://72.22.214.121 (the NAT address) from the internal network.  If I am outside my cisco then I can go to http://72.22.214.121 easily. [code]

View 1 Replies View Related

Cisco WAN :: Address Translation Logging ASR1006

Nov 12, 2011

I would like to know if Cisco Collector Engine 6.0 can recive and reading the sent address traslation logging of router ASR1006. Using Netflow v9.

View 4 Replies View Related

Cisco WAN :: 5510 Syslog ID 305005 No Translation Group Found

Dec 13, 2011

I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic traslation to pool 1. I'm not solidly sure of what to change. [code]

View 9 Replies View Related

Cisco VPN :: ASA5520 Starts To See Internal Rfc 1918 Address Instead Of Configured Address

Mar 6, 2012

I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is:So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this becuase normally he see's my 63.117.98.222 address.

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved