jtennyson
asked on
How do I allow a remote subnet to access the Internet through the ASA
Please tell me the command to allow a remote subnet to access the Internet through the ASA. I need step by step commands because I am a novice at this.
If it's a remote subnet you'll need a route to it on the ASA:
route inside x.x.x.x 255.255.255.0 y.y.y.y
x.x.x.x = the remote subnet and y.y.y.y the gateway to get there
Then the nat setup
nat(inside) 1 x.x.x.x 255.255.255.0
global(outside) 1 interface
That should
Ah, crosspost. Discard my previous, I'll setup a new one.
Connect via telnet or HyperTerminal to your ASA by IP.
It will ask for a password.
provide the password -> enter
type: ena ->
provide the password again
type: conf t
and type this command:
access-list lanout extended permit tcp host xxx.xxx.xxx.xxx any
where xxx.xxx.xxx.xxx is your subnet
You can also download Cisco ASDM, a user interface to manage your ASA.
So at least you'll need:
nat (Inside) 4 192.168.8.0 255.255.255.0
route Inside 192.168.8.0 255.255.255.0 10.153.49.151
Then you should check whether there is a global (outside) 4 statement (assuming outside is the name of your interface) to match the nat statement.
Then, last, check if there is a line like access-group cap1 in interface inside. If there is, you'll need access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any as well.
ASKER
I'm so confused. How about I show you the new config and you tell me what to put in.
sh run
: Saved
:
ASA Version 8.2(4)
!
terminal width 160
hostname ArlingtonHeights-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.204.121.2 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.153.49.20 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list vpn1 extended permit ip 10.153.50.0 255.255.255.0 10.153.49.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.50.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.248.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp any host 12.204.121.3 eq lotusnotes
access-list internet extended permit tcp any host 12.204.121.3 eq www
access-list any extended permit tcp any host 12.204.121.3 eq www
access-list outside extended permit tcp any host 12.204.121.3 eq www
access-list inside extended permit tcp any host 12.204.121.3 eq www
pager lines 40
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool rgray_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 12.204.121.3 10.153.49.9 netmask 255.255.255.255
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.153.50.0 255.255.255.0 inside
http 10.153.49.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set set1
crypto map map1 10 match address vpn1
crypto map map1 10 set peer 12.164.177.227
crypto map map1 10 set transform-set set1
crypto map map1 20 match address juarez_vpn
crypto map map1 20 set peer 200.67.91.52
crypto map map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 10.153.50.0 255.255.255.0 inside
telnet 10.153.49.0 255.255.255.0 inside
telnet timeout 30
ssh 12.164.177.253 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.153.49.248 10.153.49.101
dhcpd domain corp.rgrayclamps.com
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
wins-server value 10.153.49.101
dns-server value 10.153.49.248 10.153.49.101
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:599b9237873ee1f919049b738fcdd8b0
: end
ArlingtonHeights-ASA#
ASKER CERTIFIED SOLUTION
I would advise though to replace: nat (inside) 1 0.0.0.0 0.0.0.0 with these:
nat (Inside) 1 10.153.49.0 255.255.255.0
nat (Inside) 1 192.168.8.0 255.255.255.0
ASKER
Thanks so much. That did the trick. I will also change the NAT
Glad I could help :) don't forget to save the configuration ;)
And Thx for the points.
ASKER
network-object 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any
access-list cap1 extended permit ip any 192.168.8.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
route Inside 192.168.8.0 255.255.255.0 10.153.49.151 1
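The checklist the answers in this thread give (a route to the remote subnet on inside, a dynamic nat statement whose id has a matching global on outside, and an ACL permit only if an access-group is applied inbound on inside), together with the later advice to replace the catch-all nat with explicit subnets, as an added audit script. This is example code written for this thread, not code from the page or from Cisco. It embeds the relevant lines of the posted running-config and the commands the asker listed last as constructed input; the accepted solution itself is not visible on the page, so the script only evaluates the commands that are. The interface names and the 192.168.8.0/24 subnet are taken from the thread, and the ASA behaviour it models is reduced to regular dynamic NAT (the most specific nat statement wins regardless of order and its id needs a global on the egress interface) and the default permit from a higher to a lower security level; nat 0 access-list, static, policy NAT and object-groups are ignored.

```python
"""Audit an ASA 8.2-style running-config for a remote subnet's path to the Internet.

Added example for this thread, not code from the page or from Cisco. It runs the
checklist from the answers above (route on inside, dynamic nat id with a matching
global on outside, ACL permit only if an access-group is applied inbound on inside).
nat 0 access-list, static, policy NAT and object-groups are deliberately not modelled.
"""
import ipaddress
import re

# Constructed sample: the lines from the running-config posted above that matter here.
RUNNING_CONFIG = """
access-list internet extended permit tcp any host 12.204.121.3 eq www
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
"""

# The commands the asker reported adding at the end of the thread (as posted).
ASKER_ADDITIONS = """
access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any
access-list cap1 extended permit ip any 192.168.8.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
route Inside 192.168.8.0 255.255.255.0 10.153.49.151 1
"""

REMOTE_SUBNET = ipaddress.ip_network("192.168.8.0/24")  # the subnet from the thread


def net(addr, mask=None):
    """ASA 'address mask' pair (or 'any') as an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{mask}", strict=False)


def take_net(tokens):
    """Consume one ACE address spec (any | host A | A M); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return net("any"), tokens[1:]
    if tokens[0] == "host":
        return net(tokens[1], "255.255.255.255"), tokens[2:]
    return net(tokens[0], tokens[1]), tokens[2:]


def parse(config):
    """Collect routes, dynamic nat, globals, access-groups and extended ACEs.
    Interface names are lower-cased so the 'Inside' spelling used in the thread is
    compared with the 'inside' nameif in the posted config."""
    cfg = {"routes": [], "nat": [], "globals": set(), "access_groups": {}, "acls": {}}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1].lower(), net(m[2], m[3]), m[4]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line):
            if m[2] != "0":  # id 0 is identity NAT and needs no global
                cfg["nat"].append((m[1].lower(), int(m[2]), net(m[3], m[4])))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["globals"].add((m[1].lower(), int(m[2])))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m[2].lower()] = m[1]
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4].split()))
    return cfg


def check_route(cfg, subnet, inside="inside"):
    """The longest-prefix route for the subnet must leave via inside; otherwise the
    ASA sends traffic for the subnet back out along the default route."""
    matches = [r for r in cfg["routes"] if subnet.subnet_of(r[1])]
    if not matches:
        return False, "no route covers the subnet"
    iface, dest, gw = max(matches, key=lambda r: r[1].prefixlen)
    return iface == inside, f"best route {dest} via {gw} on {iface}"


def check_nat(cfg, subnet, inside="inside", outside="outside"):
    """ASA 8.2 regular dynamic NAT: the most specific nat statement for the real
    address wins regardless of order, and its id must have a global on the egress side."""
    matches = [n for n in cfg["nat"] if n[0] == inside and subnet.subnet_of(n[2])]
    if not matches:
        return False, "no nat statement covers the subnet"
    _, nat_id, real = max(matches, key=lambda n: n[2].prefixlen)
    if (outside, nat_id) not in cfg["globals"]:
        return False, f"nat ({inside}) {nat_id} matches but there is no global ({outside}) {nat_id}"
    note = " (catch-all 0.0.0.0/0; listing subnets explicitly is tighter)" if real.prefixlen == 0 else ""
    return True, f"nat ({inside}) {nat_id} {real} -> global ({outside}) {nat_id}{note}"


def check_acl(cfg, subnet, inside="inside"):
    """No access-group inbound on inside means the default higher-to-lower security-level
    permit applies. With one, the first 'ip' ACE covering the subnet decides, and the
    implicit deny at the end of the ACL drops anything unmatched."""
    name = cfg["access_groups"].get(inside)
    if name is None:
        return True, f"no access-group inbound on {inside}; default permit applies"
    for action, proto, tokens in cfg["acls"].get(name, []):
        src, rest = take_net(tokens)
        dst, _ = take_net(rest)
        if proto == "ip" and subnet.subnet_of(src) and dst.prefixlen == 0:
            return action == "permit", f"{name}: {action} ip {src} any"
    return False, f"{name} is applied inbound on {inside} but no 'ip' ACE permits {subnet} to any"


def audit(config, subnet=REMOTE_SUBNET):
    """Return {check: (passed, explanation)} for the subnet."""
    cfg = parse(config)
    return {"route": check_route(cfg, subnet), "nat": check_nat(cfg, subnet), "acl": check_acl(cfg, subnet)}


if __name__ == "__main__":
    for label, text in (("config as posted", RUNNING_CONFIG),
                        ("with the asker's additions", RUNNING_CONFIG + ASKER_ADDITIONS)):
        print(f"--- {label} ---")
        for name, (ok, why) in audit(text).items():
            print(f"{'PASS' if ok else 'FAIL'} {name:5} {why}")
```

Run as a script it prints both passes: on the config as posted only the route check fails (the catch-all nat (inside) 1 already covers the subnet and has its global), and with the asker's lines added the nat check reports that nat (Inside) 4 has no global (outside) 4 among the visible commands, which is exactly the check the answer above says to make; adding that global, or using id 1 as the later advice does, clears it.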