
How do I configure NAT/ACL on Cisco ASA 5510?

v0r73x asked (Medium Priority, 1,657 Views)
Last Modified: 2012-05-06
I'm currently playing around with a Cisco ASA 5510 and the device keeps dropping packets I'm trying to pass on to another router. I've attached a basic image of the network and as you can see it is fairly straightforward.

All I'm trying to do is allow HTTP/HTTPS traffic from the 'external' network (145.67.85.0) through to the internal network (192.168.50.0) and vice versa. The static route has been entered (145 traffic to be sent to 10.0.0.150). From the internal network I can access the 10.0.0.150 device so I know it can talk to it OK, but as soon as I try to use the packet trace app on ASDM it drops all the time due to ACLs, so I can't hit the 145 network.

I'll probably need to post the config but I was hoping someone might be able to put together the CLI bits I need so I can go through and understand what I've missed.
Attachment: Basic.png

Top Expert 2010

Commented:
The code would help. But basically, to allow traffic from a lower security interface (the outside) to the higher security interface (the inside), you need to create a static map for one internal IP mapped to either an external IP or a port forward on the firewall's interface. Once the internal machine is mapped to an external IP, you must create the ACL to allow specific traffic onto the static map.

Have a look here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml

That is an explanation using a DMZ, but the process is exactly the same for the inside network.  

Author

Commented:
What I'm hoping to achieve is for any network user in 192 to access the 145 network. So I didn't think the Static NAT would work for this?

At current a NAT Exempt rule exists for 192 to 10 and I can access the 10 network. Unfortunately I can't get out to 145 from 192 yet.

It's probably just me confusing myself, I'll tidy up the config and post shortly
Top Expert 2010
Commented:
There is a feature in ASA to permit traffic to flow on interfaces with the same security level:  

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html  Look at the bottom of that page for the commands.    

Kind of defeats the purpose of having a firewall here...   A router would probably be a better choice unless there are interfaces that you haven't diagrammed....

Top Expert 2010

Commented:
Actually, as I re-read your post just now... If the 192 network is on a higher security interface (inside) and 145 is on a lower interface (outside), then a simple NAT rule would work just fine. It's only if you want 145 traffic to freely visit 192 that the problem would arise.


Here is the NAT example.    
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml

Author

Commented:
As it's connecting to another trusted network it was just adding it to the same security level and allowing same security communication. Many thanks.
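The two approaches from the thread written out as ASA CLI, as an added example that is not from the question or the answers. It assumes ASA 8.2-style NAT syntax, interface names inside/outside, ASA interface addresses 192.168.50.1 and 10.0.0.1, and one internal web host 192.168.50.10 published as 10.0.0.50; the 192.168.50.0, 10.0.0.150 and 145.67.85.0 values come from the thread.

```cisco
! Added example, not the asker's config. ASA 8.2-style syntax; interface
! names, ASA addresses and the 192.168.50.10 / 10.0.0.50 host are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
! Static route from the question: the 145 network sits behind 10.0.0.150.
! That router also needs a return route for 192.168.50.0/24 via the ASA.
route outside 145.67.85.0 255.255.255.0 10.0.0.150 1
!
! Option A (the expert's advice): keep the 10/145 side at a lower level.
! Inside -> outside: the existing NAT-exempt ACL only covers the 10 network;
! the 145 network must be in it too, or those flows get no translation.
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Outside -> inside: a lower-security interface needs an explicit static
! map for the destination plus an ACL applied inbound on "outside".
! Only HTTP/HTTPS is opened, and only to the one published host.
static (inside,outside) 10.0.0.50 192.168.50.10 netmask 255.255.255.255
access-list outside_in extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.50 eq www
access-list outside_in extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.50 eq https
access-group outside_in in interface outside
!
! Option B (what the asker settled on): put the 10/145 interface at the same
! security level and permit inter-interface traffic. This drops the default
! lower-to-higher block, so keep the outside_in ACL to limit exposed ports.
! interface Ethernet0/0
!  security-level 100
! same-security-traffic permit inter-interface
!
! Check both directions from the CLI, as the asker did with ASDM packet trace.
packet-tracer input outside tcp 145.67.85.20 12345 10.0.0.50 80
packet-tracer input inside tcp 192.168.50.25 23456 145.67.85.20 443
```

Each packet-tracer run shows the NAT and ACL phase that drops the packet, which is the quickest way to tell a missing NAT-exempt entry from a missing ACL line.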