How do I configure NAT/ACL on Cisco ASA 5510?

I'm currently playing around with a Cisco ASA 5510 and the device keeps dropping packets I'm trying to pass on to another router. I've attached a basic image of the network and as you can see it is fairly straightforward.

All I'm trying to do is allow HTTP/HTTPS traffic from the 'external' network (145.67.85.0) through to the internal network (192.168.50.0) and vice versa. The static route has been entered (145 traffic to be sent to 10.0.0.150). From the internal network I can access the 10.0.0.150 device so I know it can talk to it OK, but as soon as I try to use the packet trace app on ASDM it drops all the time due to ACLs so I can't hit the 145 network.

I'll probably need to post the config but I was hoping someone might be able to put together the CLI bits I need so I can go through and understand what I've missed.
[Attached image: Basic.png]

v0r73x asked:
MikeKane commented:
There is a feature in ASA to permit traffic to flow on interfaces with the same security level:  

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html  Look at the bottom of that page for the commands.

Kind of defeats the purpose of having a firewall here...   A router would probably be a better choice unless there are interfaces that you haven't diagrammed....
 
MikeKane commented:
The code would help.   But basically to allow traffic from a lower security interface (the outside) to the higher sec interface (the inside), you need to create a static map for 1 internal IP mapped to either an external IP or by using a port forward on the firewall's interface.    Once the internal machine is mapped to an external IP, you must create the ACL to allow specific traffic onto the Static map.

Have a look here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml

That is an explanation using a DMZ, but the process is exactly the same for the inside network.  

v0r73x (author) commented:
What I'm hoping to achieve is any network user in 192 to access the 145 network. So I didn't think the Static NAT would work for this?

At current a NAT Exempt rule exists for 192 to 10 and I can access the 10 network. Unfortunately I can't get out to 145 from 192 yet.

It's probably just me confusing myself, I'll tidy up the config and post shortly.

MikeKane commented:
Actually,  as I re-read your post just now....   If the 192 network is on a higher security interface (inside) and 145 is on a lower interface (outside)  then a simple Nat rule would work just fine.    It's only if you want 145 traffic to freely visit 192 that the problem would arise.


Here is the NAT example.    
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml
v0r73x (author) commented:
As it's connecting to another trusted network it was just adding it to the same security level and allowing same security communication. Many thanks.
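Both routes discussed in the thread, written out as an added example (not the asker's config or anything from the linked Cisco pages): option A is the same-security-level approach the author settled on, option B keeps the normal higher-to-lower security model with the NAT exemption, static map and ACL MikeKane describes. Interface names, the 10.0.0.20 and 192.168.50.10 addresses, and the pre-8.3 NAT syntax are assumptions.

```cisco
! Added example, not from the thread. Assumed: 192.168.50.0/24 hosts sit behind
! "inside"; the 10.0.0.150 router is reached via "outside". Pre-8.3 ASA syntax,
! matching the 7.0-era documentation linked in the thread.
!
! --- Option A: what the asker chose. Both interfaces share security-level 100
! and inter-interface traffic is permitted. Nothing is filtered between the two
! networks, so the ASA is acting as a router here (MikeKane's caveat).
interface Ethernet0/0
 nameif outside
 security-level 100
interface Ethernet0/1
 nameif inside
 security-level 100
same-security-traffic permit inter-interface
route outside 145.67.85.0 255.255.255.0 10.0.0.150
!
! --- Option B: keep the firewall semantics. inside is 100, outside is 0.
interface Ethernet0/0
 nameif outside
 security-level 0
route outside 145.67.85.0 255.255.255.0 10.0.0.150
!
! Outbound (192 -> 145) is allowed by default because it goes from a higher to
! a lower security level. The NAT exemption keeps the real 192.168.50.x source
! addresses, like the rule the asker already has for the 10.0.0.0 network;
! the 10.0.0.150 router must route 192.168.50.0/24 back to the ASA.
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 145.67.85.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Inbound (145 -> 192) is the "vice versa" part and is what the packet tracer
! was dropping: lower-to-higher needs a static map for the one internal host
! plus an ACL applied inbound on the lower-security interface. Only HTTP and
! HTTPS to that host are opened; everything else from 145 is still denied.
static (inside,outside) 10.0.0.20 192.168.50.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.20 eq www
access-list OUTSIDE_IN extended permit tcp 145.67.85.0 255.255.255.0 host 10.0.0.20 eq https
access-group OUTSIDE_IN in interface outside
!
! Same check ASDM's packet tracer runs, from the CLI (constructed source host):
packet-tracer input outside tcp 145.67.85.5 40000 10.0.0.20 80
```

With option B the packet-tracer line should end in ALLOW for port 80 and 443 to 10.0.0.20 and DROP for any other port, which is the distinction option A gives up.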
Question has a verified solution.