Solved

cisco ASA 5505

Posted on 2007-11-15
Last Modified: 2010-04-17
Hi guys,
If I have the following IP addresses
inside --> 10.3.3.1
outside --> 10.4.4.1

How can I create a NAT between two hosts and route the packets?
Question by:nsamri
15 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 20298307
You should supply a bit more information about what you are trying to achieve.
0
 

Author Comment

by:nsamri
ID: 20298928
Hi,
I mean I want to create NAT between two machines, and I have two interfaces, 10.3.3.1 and 10.4.4.1, on Cisco ASA 5505 equipment. How can I do that, and how can I make sure the two machines are connected?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 1000 total points
ID: 20299245
Assuming the following example values, here is how to do it:

inside host IP - 10.3.3.20
outside host IP - 10.4.4.20

------BEGIN COMMANDS FOR PAT--------
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
------END COMMANDS FOR PAT----------

The above example will translate the inside host (or any inside host for that matter) to 10.4.4.1 (the outside interface IP) when sending traffic to the outside (many to one NAT).

If you want the inside host at 10.3.3.20 to look like a specific IP address on the outside when sending traffic, then you would use a "static" command for a one-to-one NAT, like this:

---------BEGIN COMMANDS FOR STATIC NAT--------
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
---------END COMMANDS FOR STATIC NAT--------

The above static command will cause the inside IP at 10.3.3.20 to be translated to 10.4.4.10 when sending traffic to the outside (one-to-one NAT).

Most likely, the PAT (Port Address Translation) example will suffice for your needs unless you also need to be able to initiate traffic from the outside host inbound to the inside host.  If that is the case, then you will want to use the "static" example above.
0
 

Author Comment

by:nsamri
ID: 20299512
I really appreciate your answer, but I don't understand this command: "global (outside) 1 interface".
What does "interface" mean here?

Another question: according to your commands above, can the two hosts see each other? I mean, assume we have host A and host B; can they see each other?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20299636
It means to use the IP address of the outside interface itself for the outside translation.  So, if the outside interface IP address is 10.4.4.1, then any traffic entering the inside interface will be translated to 10.4.4.1 when going to the outside interface.

The inside can see the outside and can initiate traffic to the outside host and the outside host will be allowed to send return traffic from an established traffic flow back to the inside host.  However, the outside host cannot initiate traffic to the inside host unless you specifically allow that to happen with an ACL statement.  Something like:

access-list outside_access_in permit ip host 10.4.4.20 host 10.4.4.10
access-group outside_access_in in interface outside
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255

Those 3 commands above will allow the outside host 10.4.4.20 to send any IP traffic to host 10.4.4.10 (translated into 10.3.3.20 on the inside).
0
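To make the translation and direction rules in the accepted solution and in the comment above concrete, here is a small Python model of them. It is an added example, not ASA code and not batry_boy's; the class AsaNatModel, its methods, and the hosts 10.3.3.8, 10.4.4.4 and 10.4.4.50 are constructed for the example (10.3.3.20, 10.4.4.10, 10.4.4.20 and 10.4.4.1 are the thread's values). The model deliberately ignores ports and object groups: TCP/UDP return traffic of a flow the inside opened passes statefully, a new inbound flow needs both a static translation and an outside ACL permit, and ICMP echo replies need an ACL permit, as the later comments in the thread say.

```python
"""Toy model of ASA PAT / static NAT plus the outside ACL (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def net(spec):
    """Accept 'any', a single host ('10.4.4.20') or a CIDR ('10.4.4.0/24')."""
    return ANY if spec == "any" else ip_network(spec, strict=False)


@dataclass
class AsaNatModel:
    outside_if_ip: str                              # global (outside) 1 interface
    statics: dict = field(default_factory=dict)     # real inside IP -> mapped outside IP
    outside_acl: list = field(default_factory=list) # (proto, src net, dst net, icmp type)
    conns: set = field(default_factory=set)         # (proto, mapped src, outside dst) seen outbound

    def permit(self, proto, src, dst, icmp_type=None):
        """access-list outside_access_in permit <proto> <src> <dst> [<icmp type>]"""
        self.outside_acl.append((proto, net(src), net(dst), icmp_type))

    def translate_outbound(self, inside_ip):
        """Address an inside host appears as on the outside: static wins over PAT."""
        return self.statics.get(inside_ip) or self.outside_if_ip

    def send_outbound(self, proto, inside_src, outside_dst):
        """Inside host initiates a flow; the ASA records the translation and connection."""
        mapped = self.translate_outbound(inside_src)
        self.conns.add((proto, mapped, outside_dst))
        return mapped

    def acl_permits(self, proto, src, dst, icmp_type):
        s, d = ip_address(src), ip_address(dst)
        for p, sn, dn, t in self.outside_acl:
            if p in (proto, "ip") and s in sn and d in dn and t in (None, icmp_type):
                return True
        return False                                 # implicit deny at the end of the ACL

    def inbound(self, proto, outside_src, mapped_dst, icmp_type=None):
        """Outside host sends to a mapped address; returns (allowed, reason)."""
        # TCP/UDP return traffic of a connection the inside opened is allowed statefully.
        if proto in ("tcp", "udp") and (proto, mapped_dst, outside_src) in self.conns:
            return True, "return traffic of an established connection"
        # Everything else (ICMP replies included) must be permitted by the outside ACL...
        if not self.acl_permits(proto, outside_src, mapped_dst, icmp_type):
            return False, "denied by outside ACL (implicit deny)"
        # ...and the ASA must hold a translation for the destination address.
        by_mapped = {m: r for r, m in self.statics.items()}
        if mapped_dst in by_mapped:
            return True, "delivered to inside host %s via static" % by_mapped[mapped_dst]
        if any(m == mapped_dst and d == outside_src for _, m, d in self.conns):
            return True, "delivered via existing PAT translation"
        return False, "no translation for %s" % mapped_dst


if __name__ == "__main__":
    asa = AsaNatModel("10.4.4.1", statics={"10.3.3.20": "10.4.4.10"})
    print(asa.translate_outbound("10.3.3.8"))             # PAT: 10.4.4.1
    print(asa.translate_outbound("10.3.3.20"))            # static: 10.4.4.10
    print(asa.inbound("tcp", "10.4.4.20", "10.4.4.10"))   # denied until the ACL permits it
    asa.permit("ip", "10.4.4.20", "10.4.4.10")
    print(asa.inbound("tcp", "10.4.4.20", "10.4.4.10"))   # allowed, reaches 10.3.3.20
```

Walking the thread's questions through it: an inside host is seen as 10.4.4.1 under PAT and 10.3.3.20 as 10.4.4.10 under the static; 10.4.4.20 cannot reach 10.4.4.10 until the "permit ip host 10.4.4.20 host 10.4.4.10" line exists; and a ping from the inside only completes once the outside ACL lets the echo-reply back in.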
 

Author Comment

by:nsamri
ID: 20299772
Thanks so much. I will do that today and I will tell you what happened.
0
 

Author Comment

by:nsamri
ID: 20301379
Hi,
I did what you wrote above, but I still have a problem with pinging. When I ping the two hosts from each other to see whether the establishment is working or not, it gives "Request timed out".
Can you please help me?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20301522
You'll have to allow the echo reply traffic back in from the outside host with something like the following:

access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside

However, just for accuracy, post your current config and I can give you the exact commands so that you can ping your outside host from the inside.  If you want to ping the inside host from the outside, then I will give you the commands to do that as well (different commands for that).
0
 

Author Comment

by:nsamri
ID: 20301723
Here is my configuration:

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 10.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4bcecaa2ea81894bc5483e35b4097073
: end
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20301928
Remove the inside interface access lists with the following commands:

no access-group inside_access_in in interface inside
no access-group inside_access_out out interface inside

Add the following command to allow inside hosts to ping outside hosts:

access-list outside_access_in permit icmp any any echo-reply

If you want the outside host to be able to ping the inside host, add the following line:

access-list outside_access_in permit icmp any host 10.4.4.10

I wouldn't leave that last ACL statement in there, just long enough for testing and troubleshooting...
0
 

Author Comment

by:nsamri
ID: 20302237
Thank you batry boy, I'll do it and I'll let you know soon.
0
 

Author Comment

by:nsamri
ID: 20306315
Hi guys,
I tried to ping between the two hosts but it didn't work, even though I used batry_boy's command above. Here is my configuration below.
Could you please help me?

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password K2T/yDv1cYSJKgZq encrypted
names
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 10.4.4.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 10.4.4.50
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list inside_access_out extended permit tcp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip any 10.4.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.4.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.4.4.2-10.4.4.12 outside
dhcpd enable outside
!
dhcpd address 10.3.3.2-10.3.3.129 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7c2c209e71865b13c87cc4635e8fdb7
: end

0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20306353
What was the source and destination of the ping test?

Also, you have the same security level applied to both the inside and outside interfaces.  This is not advisable.  I would set the outside security level to 0 which means that it is the least trusted interface.  You can do that with these commands:

int vlan2
security-level 0
0
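The points batry_boy raises in the last two expert comments (an echo-reply permit on the ACL that is actually bound to the outside interface, and inside and outside not sharing a security level), together with the ACL named ouside_access_in in the posted configs, which is defined but never referenced by an access-group, are all things a short configuration check can flag before any ping test. The following Python is an added example, not Cisco's code and not the poster's; parse_config, lint, SAMPLE_CONFIG and FIXED_CONFIG are names chosen here, SAMPLE_CONFIG is a constructed excerpt of the first configuration posted above with the wrapped lines rejoined, and FIXED_CONFIG is the same excerpt with the ACL name corrected and the outside security level set to 0 as advised. The parser understands only the keywords the checks need.

```python
"""Sanity checks for ASA 7.x style config text (added example, not Cisco's code)."""
import re
from collections import defaultdict

# Constructed sample: excerpt of the first configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 10.4.4.1 255.255.255.0
!
access-list outside_access_in extended permit ip host 10.4.4.20 host 10.4.4.10
access-list inside_access_in extended permit icmp 10.3.3.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list ouside_access_in extended permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.4.4.10 10.3.3.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Same excerpt with the two corrections from the thread applied (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list ouside_access_in", "access-list outside_access_in"
).replace(
    " security-level 50\n ip address 10.4.4.1", " security-level 0\n ip address 10.4.4.1"
)


def parse_config(text):
    """Collect {nameif: security-level}, {acl name: [entries]} and
    {(interface, direction): acl name} from the config text."""
    interfaces, acls, groups = {}, defaultdict(list), {}
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            interfaces[current] = int(line.split()[1])
        elif line.startswith("interface ") or line == "!":
            current = None
        else:
            m = re.match(r"access-list (\S+) (?:extended )?(.*)", line)
            if m:
                acls[m.group(1)].append(m.group(2))
                continue
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
            if m:
                groups[(m.group(3), m.group(2))] = m.group(1)
    return {"interfaces": interfaces, "acls": dict(acls), "groups": groups}


def lint(cfg):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    ifaces, acls, groups = cfg["interfaces"], cfg["acls"], cfg["groups"]
    if "inside" in ifaces and "outside" in ifaces and ifaces["inside"] == ifaces["outside"]:
        findings.append("inside and outside share security-level %d; set outside to 0"
                        % ifaces["outside"])
    applied = set(groups.values())
    for name in sorted(set(acls) - applied):   # catches mistyped names such as ouside_access_in
        findings.append("ACL %s is defined but never applied with access-group" % name)
    for (ifname, direction), name in groups.items():
        if name not in acls:
            findings.append("access-group %s %s on %s references an undefined ACL"
                            % (name, direction, ifname))
    # Without 'inspect icmp' the ASA does not track pings, so the reply must be permitted.
    entries = acls.get(groups.get(("outside", "in")), [])
    if not any(e.startswith("permit icmp") and e.endswith("echo-reply") for e in entries):
        findings.append("outside inbound ACL does not permit icmp echo-reply; "
                        "pings from inside will time out")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_config(text)) or ["no findings"])
```

Run against the posted excerpt it reports three findings (shared security level, the unapplied ouside_access_in, and no echo-reply permit on the applied outside ACL); against FIXED_CONFIG it reports none, which is the state the thread's advice is steering toward.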
 

Author Comment

by:nsamri
ID: 20306386
I have two hosts:
ip address of host A --> 10.3.3.8
default gateway 10.3.3.1
ip address of host B--> 10.4.4.4
default gateway 10.4.4.1

From A, I pinged 10.3.3.1 and 10.3.3.8 and they are working, but from A to B (ping 10.4.4.4) it didn't work.
I also pinged 10.4.4.1 and 10.4.4.4 from B and both are not working, and from B to A it didn't work.
0
 

Author Comment

by:nsamri
ID: 20306446
Any suggestions
0
