Solved

How do I configure NAT/ACL on Cisco ASA 5510?

Posted on 2009-02-11
1,596 Views
Last Modified: 2012-05-06
I'm currently playing around with a Cisco ASA 5510 and the device keeps dropping packets I'm trying to pass on to another router. I've attached a basic image of the network and as you can see it is fairly straightforward.

All I'm trying to do is allow HTTP/HTTPS traffic from the 'external' network (145.67.85.0) through to the internal network (192.168.50.0) and vice versa. The static route has been entered (145 traffic to be sent to 10.0.0.150). From the internal network I can access the 10.0.0.150 device so I know it can talk to it OK, but as soon as I try to use the packet trace app on ASDM it drops all the time due to ACLs so I can't hit the 145 network.

I'll probably need to post the config but I was hoping someone might be able to put together the CLI bits I need so I can go through and understand what I've missed.
Basic.png
Question by:v0r73x
5 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 23612449
The code would help. But basically, to allow traffic from a lower security interface (the outside) to the higher security interface (the inside), you need to create a static map for one internal IP mapped to either an external IP or by using a port forward on the firewall's interface. Once the internal machine is mapped to an external IP, you must create the ACL to allow specific traffic onto the static map.

Have a look here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml

That is an explanation using a DMZ, but the process is exactly the same for the inside network.

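What the comment above describes (a static map for one inside host, then an ACL on the lower-security interface) in configuration form. This is an added example, not anything posted in the thread or taken from the linked Cisco page. It uses pre-8.3 ASA syntax, which is what a 2009-era ASA 5510 would run, and assumes the interface names "inside" and "outside", an outside address of 10.0.0.1, an inside web server at 192.168.50.10 and a placeholder mapped address of 10.0.0.10; only the two subnets and the next hop 10.0.0.150 come from the question.

```cisco
! Added example (pre-8.3 ASA syntax). Assumed: outside 10.0.0.1/24 (security 0),
! inside 192.168.50.1/24 (security 100), an inside web server at 192.168.50.10 exposed
! on the placeholder mapped address 10.0.0.10. The subnets and next hop 10.0.0.150 come
! from the question.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
! 145.67.85.0/24 is reached through the router on the outside segment
route outside 145.67.85.0 255.255.255.0 10.0.0.150 1
!
! Static map: 192.168.50.10 is seen from the outside as 10.0.0.10. The mapped address must be
! one that the 145 side routes towards the ASA; a spare address on the outside segment works.
static (inside,outside) 10.0.0.10 192.168.50.10 netmask 255.255.255.255
!
! Alternative mentioned in the comment: port-forward on the outside interface address instead
! of using a spare IP (use one or the other for a given port, not both):
! static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
! static (inside,outside) tcp interface https 192.168.50.10 https netmask 255.255.255.255
!
! The static only creates the translation; lower-to-higher traffic is still denied until an
! ACL on the outside interface permits it. Permit just HTTP/HTTPS from the 145 network to
! the mapped address; the implicit deny at the end of the ACL drops everything else.
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.10 eq www
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.10 eq https
access-group OUTSIDE_IN in interface outside
```

To see the same result the ASDM packet tracer gives, run `packet-tracer input outside tcp 145.67.85.20 40000 10.0.0.10 80` on the CLI (145.67.85.20 is a made-up source host); the phase output shows whether a drop happens at the route, NAT or ACL step. Two pre-8.3 caveats: the outside ACL refers to the mapped address (10.0.0.10), not the real one, and from ASA 8.3 onward the ACL names the real address and the static is written with `object network` and `nat (inside,outside) static` instead.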
 

Author Comment

by:v0r73x
ID: 23648382
What I'm hoping to achieve is any network user in 192 to access the 145 network. So I didn't think the Static NAT would work for this?

At current a NAT Exempt rule exists for 192 to 10 and I can access the 10 network. Unfortunately I can't get out to 145 from 192 yet.

It's probably just me confusing myself, I'll tidy up the config and post shortly.
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 23652911
There is a feature in ASA to permit traffic to flow on interfaces with the same security level:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html  Look at the bottom of that page for the commands.

Kind of defeats the purpose of having a firewall here... A router would probably be a better choice unless there are interfaces that you haven't diagrammed....
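The accepted answer as a configuration, added here as an example (it is not from the thread or from the Cisco page linked above): both interfaces at the same security level, inter-interface traffic permitted, and the NAT exemption the poster already has extended to the 145 network so traffic passes untranslated in either direction. Interface names, the outside address 10.0.0.1 and the ACL names are assumptions; the subnets and the 10.0.0.150 next hop come from the question.

```cisco
! Added example (pre-8.3 ASA syntax). Assumed: outside interface on 10.0.0.0/24 at 10.0.0.1,
! inside at 192.168.50.1; the router 10.0.0.150 and the two subnets come from the question.
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
! Interfaces at the same security level do not pass traffic to each other until this is set
same-security-traffic permit inter-interface
!
! NAT exemption (nat 0 with an ACL): no translation for 192 <-> 10 and 192 <-> 145, and, unlike
! plain identity NAT, connections may be started from either side. This only matters when
! nat-control is enabled (off by default on ASA 7.x/8.x, on in configs upgraded from PIX).
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 145.67.85.0/24 sits behind the router on the outside segment
route outside 145.67.85.0 255.255.255.0 10.0.0.150 1
!
! With equal security levels there is no default allow/deny by direction: without access-groups
! everything flows both ways, which is the "defeats the purpose" point above. Keeping the
! question's HTTP/HTTPS scope therefore means an explicit ACL on each interface.
access-list INSIDE_IN extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0 eq www
access-list INSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0 eq https
access-group INSIDE_IN in interface inside
!
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 192.168.50.0 255.255.255.0 eq www
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 192.168.50.0 255.255.255.0 eq https
access-group OUTSIDE_IN in interface outside
```

Because no translation is applied, both ACLs name real addresses, so this part carries over unchanged to ASA 8.3+ (only the `nat (inside) 0 access-list` line changes form there). Check each direction with `packet-tracer input inside tcp 192.168.50.10 40000 145.67.85.20 443` and `packet-tracer input outside tcp 145.67.85.20 40000 192.168.50.10 80` (both hosts are made-up); with `same-security-traffic` missing, the trace stops at the NAT/ACL phase with a drop, which matches what the poster saw in ASDM.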
 
LVL 33

Expert Comment

by:MikeKane
ID: 23652938
Actually, as I re-read your post just now... If the 192 network is on a higher security interface (inside) and 145 is on a lower interface (outside), then a simple NAT rule would work just fine. It's only if you want 145 traffic to freely visit 192 that the problem would arise.


Here is the NAT example.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml
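The "simple NAT rule" for the higher-to-lower case in this comment, as an added example (not from the thread or from the linked Cisco page): inside stays at security 100, the interface towards the 10/145 side stays at 0, and a dynamic PAT lets 192 hosts reach 145 without any outside ACL, because the ASA permits higher-to-lower by default and tracks the return flow statefully. Interface names, the outside address 10.0.0.1 and the ACL names are assumptions; the subnets and the 10.0.0.150 next hop come from the question.

```cisco
! Added example (pre-8.3 ASA syntax): inside (security 100) to outside (security 0) with a
! dynamic translation, which is all that outbound 192 -> 145 needs. Assumed: outside 10.0.0.1/24,
! inside 192.168.50.1/24; router 10.0.0.150 and the subnets come from the question.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
route outside 145.67.85.0 255.255.255.0 10.0.0.150 1
!
! Dynamic PAT: every 192.168.50.x host appears on the far side as the outside interface
! address (10.0.0.1). Higher-to-lower traffic is allowed by default and the stateful return
! flow is permitted without an outside ACL entry; 145 cannot start connections to 192.
nat (inside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! Keep the untranslated access to the 10 network the poster already has. The nat 0 exemption
! is evaluated before the dynamic rule, so 192 -> 10 stays untranslated.
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Optional: narrow outbound traffic to HTTP/HTTPS. Once an access-group is bound to inside,
! the implicit deny applies to everything else, so the 10 network is permitted explicitly.
access-list INSIDE_IN extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0 eq www
access-list INSIDE_IN extended permit tcp 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0 eq https
access-group INSIDE_IN in interface inside
```

This keeps the firewall's direction-based protection: if 145 later needs to reach a 192 host, that is the static map plus outside ACL from the first comment, not a security-level change. Verify with `packet-tracer input inside tcp 192.168.50.10 40000 145.67.85.20 80` (made-up hosts) and confirm the NAT phase shows the translation to 10.0.0.1. On ASA 8.3+ the `nat`/`global` pair becomes `object network` with `nat (inside,outside) dynamic interface`.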
 

Author Closing Comment

by:v0r73x
ID: 31545583
As it's connecting to another trusted network it was just adding it to the same security level and allowing same security communication. Many thanks.
