NAT Question...

Dan560
Hi,

I have a question that for the life of me I cannot work out the answer to.

I have a Cisco ASA 5505; its IP address is 172.25.25.3.
I have a VLAN from this firewall that connects to my telephone system, 192.168.200.x.
Please note I have no management access to this system.

I have configured it so that everything on 172.25.25.x can connect to the telephone system using the VLAN as its gateway. The VLAN IP is 192.168.200.253. This setup works OK.

However, I now need to allow everything on the telephone network to connect to my 172.25.25.x network.

Can anyone explain the setup for me? I just cannot get my head round what I need to change on my side.

I can post config if needed.
Ernie Beek, Senior infrastructure engineer, Top Expert 2012

Commented:
Please post the config. That should make it a bit easier for us.

Author

Commented:
Please find the config attached.
config.txt
Ernie Beek, Senior infrastructure engineer, Top Expert 2012
Commented:
Try adding the following:

static (inside,TN) 172.25.25.0 172.25.25.0 netmask 255.255.255.0
access-list tn_acl extended permit ip 192.168.200.0 255.255.255.0 172.25.25.0 255.255.255.0
And see if that works for you.

Author

Commented:
Are you sure this will work? I am not sure why the IP address is repeated in your command.

Can you please explain?

static (inside,TN) 172.25.25.0 172.25.25.0 netmask 255.255.255.0
Ernie Beek, Senior infrastructure engineer, Top Expert 2012

Commented:
When going from a high-security to a low-security interface on an ASA you need to NAT (this is a security feature). By doing it this way, traffic from the inside will be NATted to itself, so 172.25.25.1 will appear as 172.25.25.1 on the TN network (for example).
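
The two approaches discussed in this thread, assembled into one added example configuration (this is not the author's posted config.txt, which is not on the page); the VLAN numbers, the TN subnet mask and the access-group binding are assumptions, while the addresses, interface names and the two commands above come from the thread:

```cisco
! Pre-8.3 ASA NAT syntax, matching the static command used in this thread.
! Assumed: VLAN numbers, the /24 mask on TN, and the access-group binding.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.25.25.3 255.255.255.0
!
interface Vlan2
 nameif TN
 security-level 50
 ip address 192.168.200.253 255.255.255.0
!
! Option A (the accepted answer): TN stays at a lower security level.
! Identity NAT: 172.25.25.0/24 is translated to itself, so inside hosts
! keep their real addresses on TN while the translation the ASA expects
! for inside->TN traffic exists.
static (inside,TN) 172.25.25.0 172.25.25.0 netmask 255.255.255.0
!
! Connections initiated on the telephone network flow from the lower to
! the higher security level, so they must be permitted explicitly by an
! ACL applied inbound on TN. Return traffic for existing connections is
! handled by stateful inspection and needs no extra rule.
access-list tn_acl extended permit ip 192.168.200.0 255.255.255.0 172.25.25.0 255.255.255.0
access-group tn_acl in interface TN
!
! Option B (the author's alternative): give TN security-level 100 too.
! The ASA drops traffic between two same-level interfaces unless this
! global command is also present, so set both, not just the level:
!   interface Vlan2
!    security-level 100
!   same-security-traffic permit inter-interface
```

Option B removes the higher-to-lower NAT requirement between inside and TN, but it also removes the default one-way protection, so an inbound ACL on TN is still the place to limit what the telephone network may reach.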

Author

Commented:
I haven't had a chance to test this yet; I think I will only be able to do it out of hours.

However, I have just read this question:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27248707.html

Maybe I only need to set my TN interface with the same security level, i.e. 100.
Ernie Beek, Senior infrastructure engineer, Top Expert 2012

Commented:
That is also an option if you don't mind those interfaces having the same security level. In this case I don't think it will be a problem because you're not using the TN as a DMZ.

Author

Commented:
Your command worked. Thank you.
Ernie Beek, Senior infrastructure engineer, Top Expert 2012

Commented:
My pleasure :)

Thx 4 the points.