Solved

cisco ASA 5505

Posted on 2007-11-15
265 Views
Last Modified: 2010-04-17
Hi guys,
If I have the following ip addresses
inside --> 10.3.3.1
outside --> 10.4.4.1

How can I create a NAT between the two hosts and route the packets?
Question by:nsamri
15 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
You should supply a bit more information about what you are trying to achieve.
 

Author Comment

by:nsamri
Hi,
I mean I want to create NAT between two machines, and I have two interfaces, 10.3.3.1 and 10.4.4.1, on Cisco ASA 5505 equipment. How can I do that, and how can I make sure the two machines are connected?
 
LVL 28

Accepted Solution

by:batry_boy (earned 250 total points)
Assuming the following example values, here is how to do it:

inside host IP - 10.3.3.20
outside host IP - 10.4.4.20

------BEGIN COMMANDS FOR PAT--------
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
------END COMMANDS FOR PAT----------

The above example will translate the inside host (or any inside host for that matter) to 10.4.4.1 (the outside interface IP) when sending traffic to the outside (many to one NAT).

If you want the inside host at 10.3.3.20 to look like a specific IP address on the outside when sending traffic, then you would use a "static" command for a one-to-one NAT, like this:

---------BEGIN COMMANDS FOR STATIC NAT--------
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
---------END COMMANDS FOR STATIC NAT--------

The above static command will cause the inside IP at 10.3.3.20 to be translated to 10.4.4.10 when sending traffic to the outside (one-to-one NAT).

Most likely, the PAT (Port Address Translation) example will suffice for your needs unless you also need to be able to initiate traffic from the outside host inbound to the inside host.  If that is the case, then you will want to use the "static" example above.
 

Author Comment

by:nsamri
I really appreciate your answer, but I don't understand this command: "global (outside) 1 interface".
What does "interface" mean here?

Another question: according to your commands above, can the two hosts see each other? I mean, assume we have host A and host B; can they see each other?
 
LVL 28

Expert Comment

by:batry_boy
It means to use the IP address of the outside interface itself for the outside translation.  So, if the outside interface IP address is 10.4.4.1, then any traffic entering the inside interface will be translated to 10.4.4.1 when going to the outside interface.

The inside can see the outside and can initiate traffic to the outside host and the outside host will be allowed to send return traffic from an established traffic flow back to the inside host.  However, the outside host cannot initiate traffic to the inside host unless you specifically allow that to happen with an ACL statement.  Something like:

access-list outside_access_in permit ip host 10.4.4.20 host 10.4.4.10
access-group outside_access_in in interface outside
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255

Those 3 commands above will allow the outside host 10.4.4.20 to send any IP traffic to host 10.4.4.10 (translated into 10.3.3.20 on the inside).
 

Author Comment

by:nsamri
Thanks so much. I will do that today and I will tell you what happened.
 

Author Comment

by:nsamri
Hi,
I did what you wrote above, but I still have a problem with pinging. When I ping the two hosts from each other to check whether the connection is established, I get "Request timed out".
Can you please help me?
 
LVL 28

Expert Comment

by:batry_boy
You'll have to allow the echo reply traffic back in from the outside host with something like the following:

access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside

However, just for accuracy, post your current config and I can give you the exact commands so that you can ping your outside host from the inside.  If you want to ping the inside host from the outside, then I will give you the commands to do that as well (different commands for that).
 

Author Comment

by:nsamri
Here is my configuration:

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4bcecaa2ea81894bc5483e35b4097073
: end
 
LVL 28

Expert Comment

by:batry_boy
Remove the inside interface access lists with the following commands:

no access-group inside_access_in in interface inside
no access-group inside_access_out out interface inside

Add the following command to allow inside hosts to ping outside hosts:

access-list outside_access_in permit icmp any any echo-reply

If you want the outside host to be able to ping the inside host, add the following line:

access-list outside_access_in permit icmp any host 10.4.4.10

I wouldn't leave that last ACL statement in there, just long enough for testing and troubleshooting...
 

Author Comment

by:nsamri
Thank you batry_boy, I'll do it and I'll let you know soon.
 

Author Comment

by:nsamri
Hi guys,
I tried to ping between the two hosts but it didn't work, even though I used batry_boy's commands above. Here is my configuration below.
Could you please help me?

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7c2c209e71865b13c87cc4635e8fdb7
: end

 
LVL 28

Expert Comment

by:batry_boy
What was the source and destination of the ping test?

Also, you have the same security level applied to both the inside and outside interfaces.  This is not advisable.  I would set the outside security level to 0 which means that it is the least trusted interface.  You can do that with these commands:

int vlan2
security-level 0
 
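Added example, not code from the thread or from Cisco: a small Python audit that reads an ASA 7.x-style running configuration and reports the problems batry_boy raised above, namely an access-list that is defined but never bound with access-group (which is exactly what a misspelled name such as "ouside_access_in" produces), ACLs still bound on the inside interface, inside and outside sharing a security-level, and the missing echo-reply permit on the outside inbound ACL. The configuration excerpt is constructed to mirror the one posted in the thread; the audit function and its finding messages are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
interface Vlan2
 nameif outside
 security-level 50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""


def audit(config: str) -> list[str]:
    """Return a list of findings for an ASA 7.x style running config."""
    defined = defaultdict(list)  # ACL name -> its access-list entries
    bound = {}                   # ACL name -> (direction, interface nameif)
    sec_level = {}               # interface nameif -> security-level
    current_if = None
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) (.*)", line):
            defined[m[1]].append(m[2])
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            bound[m[1]] = (m[2], m[3])
        elif line.startswith("interface "):
            current_if = None              # new interface block; nameif follows
        elif m := re.match(r"\s+nameif (\S+)", line):
            current_if = m[1]
        elif (m := re.match(r"\s+security-level (\d+)", line)) and current_if:
            sec_level[current_if] = int(m[1])

    findings = []
    # An ACL that is never bound does nothing; a misspelled name ends up here.
    for name in defined:
        if name not in bound:
            findings.append(f"ACL {name} is defined but never applied (typo?)")
    for name, (direction, iface) in bound.items():
        if iface == "inside":
            findings.append(f"ACL {name} is bound {direction} on inside; remove it")
    if "inside" in sec_level and sec_level["inside"] == sec_level.get("outside"):
        findings.append("inside and outside share a security-level; set outside to 0")
    outside_in = [n for n, (d, i) in bound.items() if (d, i) == ("in", "outside")]
    if not any("icmp any any echo-reply" in e for n in outside_in for e in defined[n]):
        findings.append("outside inbound ACL lacks 'permit icmp any any echo-reply'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports all four issues; after the echo-reply line is renamed to outside_access_in, the inside access-groups are removed and the outside security-level is set to 0, it reports nothing.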

Author Comment

by:nsamri
I have two hosts:
ip address of host A --> 10.3.3.8
default gateway 10.3.3.1
ip address of host B--> 10.4.4.4
default gateway 10.4.4.1

From A, I pinged 10.3.3.1 and 10.3.3.8 and they are working, but from A to B (ping 10.4.4.4) it didn't work.
From B, I also pinged 10.4.4.1 and 10.4.4.4; both are not working, and from B to A it didn't work.
 

Author Comment

by:nsamri
Any suggestions?