Solved

How do I allow a remote subnet to access the Internet through the ASA

Posted on 2011-03-22
Last Modified: 2012-05-11
Please tell me the command to allow a remote subnet to access the Internet through the ASA.  I need step by step commands because I am a novice at this.  
Question by:jtennyson
10 Comments
 

Author Comment

by:jtennyson
Here's the problem.  I hired someone to configure my ASA and they left half of the configuration out.  I need my remote subnet 192.168.8.0 to be able to access the internet through our ASA.  I found these commands in the old config, but I am not sure how I am supposed to put them in.

network-object 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any

access-list cap1 extended permit ip any 192.168.8.0 255.255.255.0

nat (Inside) 4 192.168.8.0 255.255.255.0

route Inside 192.168.8.0 255.255.255.0 10.153.49.151 1

Expert Comment

by:Ernie Beek
If it's a remote subnet you'll need a route to it on the ASA:
route inside x.x.x.x 255.255.255.0 y.y.y.y
x.x.x.x = the remote subnet and y.y.y.y = the gateway to get there
Then the nat setup
nat(inside) 1 x.x.x.x 255.255.255.0
global(outside) 1 interface


That should

Expert Comment

by:Ernie Beek
Ah, crosspost. Discard my previous, I'll set up a new one.

Expert Comment

by:LeDaouk
Connect to your ASA via telnet or HyperTerminal by IP.
It will ask for a password.
Provide the password -> enter
Type: ena ->
Provide the password again.
Type: conf t
and type this command:
access-list lanout extended permit tcp host xxx.xxx.xxx.xxx any
where xxx.xxx.xxx.xxx is your subnet.
You can also download Cisco ASDM, a user interface to manage your ASA.

Expert Comment

by:Ernie Beek
So at least you'll need:

nat (Inside) 4 192.168.8.0 255.255.255.0
route Inside 192.168.8.0 255.255.255.0 10.153.49.151


Then you should check whether there is a global (outside) 4 statement (assuming outside is the name of your interface) to match the nat statement.
Then, last, check if there is a line like access-group cap1 in interface inside. If there is, you'll need access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any as well.

Author Comment

by:jtennyson
I'm so confused.  How about I show you the new config and you tell me what to put in.

sh run
: Saved
:
ASA Version 8.2(4)
!
terminal width 160
hostname ArlingtonHeights-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.204.121.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.153.49.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list vpn1 extended permit ip 10.153.50.0 255.255.255.0 10.153.49.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.50.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.248.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp any host 12.204.121.3 eq lotusnotes
access-list internet extended permit tcp any host 12.204.121.3 eq www
access-list any extended permit tcp any host 12.204.121.3 eq www
access-list outside extended permit tcp any host 12.204.121.3 eq www
access-list inside extended permit tcp any host 12.204.121.3 eq www
pager lines 40
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool rgray_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 12.204.121.3 10.153.49.9 netmask 255.255.255.255
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.153.50.0 255.255.255.0 inside
http 10.153.49.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set set1
crypto map map1 10 match address vpn1
crypto map map1 10 set peer 12.164.177.227
crypto map map1 10 set transform-set set1
crypto map map1 20 match address juarez_vpn
crypto map map1 20 set peer 200.67.91.52
crypto map map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 10.153.50.0 255.255.255.0 inside
telnet 10.153.49.0 255.255.255.0 inside
telnet timeout 30
ssh 12.164.177.253 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.153.49.248 10.153.49.101
dhcpd domain corp.rgrayclamps.com
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 wins-server value 10.153.49.101
 dns-server value 10.153.49.248 10.153.49.101
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:599b9237873ee1f919049b738fcdd8b0
: end

 ArlingtonHeights-ASA#

Accepted Solution

by:Ernie Beek (earned 500 total points)
By the looks of this, route Inside 192.168.8.0 255.255.255.0 10.153.49.151 should be enough.

Expert Comment

by:Ernie Beek
I would advise though to replace: nat (inside) 1 0.0.0.0 0.0.0.0 with these:
nat (Inside) 1 10.153.49.0 255.255.255.0
nat (Inside) 1 192.168.8.0 255.255.255.0
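The thread's answers boil down to three checks on the running config: a route to the remote subnet on the inside interface, a nat statement covering it that is paired with a global of the same id on outside, and, if an access-group is bound inbound on inside, an ACL entry permitting the subnet. The last comment also recommends replacing the catch-all nat (inside) 1 0.0.0.0 0.0.0.0 with the real inside subnets. As an added example (not from the thread or from Cisco), the Python script below parses an ASA 8.2-style config excerpt and performs those checks, first against a constructed excerpt of the posted config and then against the same excerpt with the accepted fix applied. Interface names inside/outside and the gateway 10.153.49.151 are taken from the thread; everything else in the sample text is constructed.

```python
"""Audit an ASA 8.2 config for the pieces a remote subnet needs to reach
the Internet. Example code added to the thread, not Cisco's or the poster's."""
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (relevant lines only).
SAMPLE_CONFIG = """
access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
"""

# Same excerpt with the accepted route and the explicit nat statements applied,
# plus an inbound ACL on inside so the third check is exercised (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace("nat (inside) 1 0.0.0.0 0.0.0.0\n", "") + """
route inside 192.168.8.0 255.255.255.0 10.153.49.151 1
nat (inside) 1 10.153.49.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
access-group cap1 in interface inside
"""


def parse_config(text):
    """Collect routes, nat/global pairs, access-groups and 'permit ip' ACL sources."""
    cfg = {"routes": [], "nats": [], "globals": {}, "access_groups": {}, "acls": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:  # metric, if present, is ignored
            iface, net, mask, gw = m.groups()
            cfg["routes"].append((iface.lower(), ipaddress.ip_network(f"{net}/{mask}"), gw))
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line)
        if m:
            iface, nat_id, net, mask = m.groups()
            if net == "access-list":
                continue  # nat 0 access-list is an identity-NAT exemption, not PAT
            cfg["nats"].append((iface.lower(), int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
            continue
        m = re.match(r"global \((\S+)\) (\d+) ", line)
        if m:
            cfg["globals"].setdefault(int(m.group(2)), []).append(m.group(1).lower())
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg["access_groups"][m.group(2).lower()] = m.group(1)
            continue
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+)", line)
        if m:  # only 'permit ip' source entries are tracked; 'any' covers everything
            name, src, mask = m.groups()
            src_net = ipaddress.ip_network("0.0.0.0/0") if src == "any" else ipaddress.ip_network(f"{src}/{mask}")
            cfg["acls"].setdefault(name, []).append(src_net)
    return cfg


def audit_remote_subnet(cfg, subnet, inside="inside", outside="outside"):
    """Return a list of findings; an empty list means the subnet should get out."""
    net = ipaddress.ip_network(subnet)
    findings = []
    # 1. A route on the inside interface pointing at the gateway for the subnet.
    if not any(i == inside and r == net for i, r, _ in cfg["routes"]):
        findings.append(f"missing: route {inside} {net.network_address} {net.netmask} <gateway>")
    # 2. A nat statement covering the subnet, matched by a global on outside.
    covering = [(nat_id, n) for i, nat_id, n in cfg["nats"] if i == inside and net.subnet_of(n)]
    if not covering:
        findings.append(f"missing: nat ({inside}) <id> {net.network_address} {net.netmask}")
    for nat_id, n in covering:
        if outside not in cfg["globals"].get(nat_id, []):
            findings.append(f"nat id {nat_id} has no matching global ({outside}) {nat_id}")
        if n.prefixlen == 0:
            findings.append("weak: nat covers 0.0.0.0/0; list the real inside subnets explicitly")
    # 3. If an ACL is applied inbound on inside, it must permit the subnet as a source.
    acl = cfg["access_groups"].get(inside)
    if acl and not any(net.subnet_of(s) for s in cfg["acls"].get(acl, [])):
        findings.append(f"ACL {acl} on {inside} has no permit ip entry covering {net}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit_remote_subnet(parse_config(text), "192.168.8.0/24") or ["ok"])
```

Run against the posted excerpt it reports the missing inside route and flags the 0.0.0.0/0 nat; against the fixed excerpt it reports nothing. Interface names are lower-cased before comparison because the thread mixes "Inside" and "inside"; the script does not try to validate whether the gateway itself knows how to reach the subnet.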

Author Closing Comment

by:jtennyson
Thanks so much.  That did the trick.  I will also change the NAT

Expert Comment

by:Ernie Beek
Glad I could help :) don't forget to save the configuration ;)
And Thx for the points.