Solved

How do I allow a remote subnet to access the Internet through the ASA

Posted on 2011-03-22
786 Views
Last Modified: 2012-05-11
Please tell me the command to allow a remote subnet to access the Internet through the ASA.  I need step by step commands because I am a novice at this.  
Question by: jtennyson
10 Comments
 

Author Comment

by:jtennyson
ID: 35190178
Here's the problem.  I hired someone to configure my ASA and they left half of the configuration out.  I need my remote subnet 192.168.8.0 to be able to access the internet through our ASA.  I found these commands in the old config, but I am not sure how I am supposed to put them in.

network-object 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any

access-list cap1 extended permit ip any 192.168.8.0 255.255.255.0

nat (Inside) 4 192.168.8.0 255.255.255.0

route Inside 192.168.8.0 255.255.255.0 10.153.49.151 1
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35190212
If it's a remote subnet you'll need a route to it on the ASA:
route inside x.x.x.x 255.255.255.0 y.y.y.y
x.x.x.x = the remote subnet and y.y.y.y the gateway to get there
Then the nat setup
nat (inside) 1 x.x.x.x 255.255.255.0
global (outside) 1 interface


That should
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35190223
Ah, crosspost. Discard my previous, I'll setup a new one.
 
LVL 4

Expert Comment

by:LeDaouk
ID: 35190235
connect via telnet or hyperterminal to your ASA by IP
it will ask for password
provide the password -> enter
type: ena ->
provide the password again
type: conf t
and type this command:
access-list lanout extended permit tcp host xxx.xxx.xxx.xxx any
where xxx.xxx.xxx.xxx is your subnet
also you can download cisco asdm, user interface to manage your asa.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35190267
So at least you'll need:

nat (Inside) 4 192.168.8.0 255.255.255.0
route Inside 192.168.8.0 255.255.255.0 10.153.49.151


Then you should check if there is a global (outside) 4 statement (assuming outside is the name of your interface) to match the nat statement.
Then last check if there is a line like access-group cap1 in interface inside. If there is, you'll need access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any as well.
 

Author Comment

by:jtennyson
ID: 35190446
I'm so confused.  How about I show you the new config and you tell me what to put in.

sh run
: Saved
:
ASA Version 8.2(4)
!
terminal width 160
hostname ArlingtonHeights-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.204.121.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.153.49.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list vpn1 extended permit ip 10.153.50.0 255.255.255.0 10.153.49.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.50.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.248.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp any host 12.204.121.3 eq lotusnotes
access-list internet extended permit tcp any host 12.204.121.3 eq www
access-list any extended permit tcp any host 12.204.121.3 eq www
access-list outside extended permit tcp any host 12.204.121.3 eq www
access-list inside extended permit tcp any host 12.204.121.3 eq www
pager lines 40
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool rgray_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 12.204.121.3 10.153.49.9 netmask 255.255.255.255
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.153.50.0 255.255.255.0 inside
http 10.153.49.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set set1
crypto map map1 10 match address vpn1
crypto map map1 10 set peer 12.164.177.227
crypto map map1 10 set transform-set set1
crypto map map1 20 match address juarez_vpn
crypto map map1 20 set peer 200.67.91.52
crypto map map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 10.153.50.0 255.255.255.0 inside
telnet 10.153.49.0 255.255.255.0 inside
telnet timeout 30
ssh 12.164.177.253 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.153.49.248 10.153.49.101
dhcpd domain corp.rgrayclamps.com
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 wins-server value 10.153.49.101
 dns-server value 10.153.49.248 10.153.49.101
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:599b9237873ee1f919049b738fcdd8b0
: end

 ArlingtonHeights-ASA#
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 35190468
By the looks of this, route Inside 192.168.8.0 255.255.255.0 10.153.49.151 should be enough.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35190509
I would advise though to replace: nat (inside) 1 0.0.0.0 0.0.0.0 with these:
nat (Inside) 1 10.153.49.0 255.255.255.0
nat (Inside) 1 192.168.8.0 255.255.255.0
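Editor's note: the commands below collect the route, NAT and verification steps discussed in the thread into one pre-8.3 (ASA 8.2) sequence, with the equivalent 8.3+ object NAT at the end. This is an added example, not text posted by any participant. It assumes, as in the poster's old config, that 10.153.49.151 is the inside-side gateway toward 192.168.8.0/24; the host 192.168.8.10 and destination 198.51.100.1 used in packet-tracer are placeholders.

```cisco
! Added example (ASA 8.2 syntax): let remote subnet 192.168.8.0/24, which sits
! behind the "inside" interface, reach the Internet via PAT on "outside".
! Assumption: 10.153.49.151 is the inside router that knows 192.168.8.0/24.
configure terminal
!
! 1. Return route. Without it the ASA has no path back to 192.168.8.x, so
!    replies from the Internet are dropped and the remote hosts see nothing.
route inside 192.168.8.0 255.255.255.0 10.153.49.151 1
!
! 2. Dynamic PAT. NAT id 1 pairs with the existing "global (outside) 1 interface".
!    Replacing the catch-all 0.0.0.0 0.0.0.0 with the subnets you actually own
!    limits which sources the firewall will translate (least privilege for NAT).
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 10.153.49.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
global (outside) 1 interface
!
! Caveat: a "nat (inside) 4 ..." line from the old config only works if a
! matching "global (outside) 4 ..." exists; an unmatched NAT id drops traffic.
!
! 3. Only needed if an ACL is applied inbound on "inside". The pasted config
!    applies an ACL on outside only, so these lines stay commented out here.
! access-list inside_in extended permit ip 192.168.8.0 255.255.255.0 any
! access-group inside_in in interface inside
end
!
! 4. Verify before saving: route present, NAT lines as intended, and a
!    simulated flow from a remote host (placeholder addresses) is allowed.
show route | include 192.168.8.0
show running-config nat
show running-config global
packet-tracer input inside tcp 192.168.8.10 1025 198.51.100.1 80
show xlate | include 192.168.8
write memory
!
! Equivalent on ASA 8.3 or later, where NAT was redesigned around objects
! (goes beyond the 8.2 box in this thread; the old nat/global lines do not apply):
! object network inside-net
!  subnet 10.153.49.0 255.255.255.0
!  nat (inside,outside) dynamic interface
! object network remote-net
!  subnet 192.168.8.0 255.255.255.0
!  nat (inside,outside) dynamic interface
```

In the packet-tracer output, the NAT phase should show the 192.168.8.x source translated to the outside interface address and the final result should read ALLOW; if the ROUTE-LOOKUP phase fails or NAT is skipped, fix the route or the nat/global pairing before issuing write memory.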
 

Author Closing Comment

by:jtennyson
ID: 35190880
Thanks so much.  That did the trick.  I will also change the NAT
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35190959
Glad I could help :) don't forget to save the configuration ;)
And Thx for the points.
