How to configure static NAT on ASA 5510 ver 8.2

Hi
How can I static NAT RDP traffic from an external IP to the internal host 10.10.10.50?

interface e0/0
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248

interface e0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
(asked by ciscosupp)

fgasimzade commented:
You definitely need a DG on both the laptop and server, otherwise it won't work
0
 
fgasimzade commented:
Option #1

static (inside,outside) tcp 196.1.1.1 3389 10.10.10.1 3389 netmask 255.255.255.255

access-list outside_access_in extended permit ip any host 196.1.1.1

access-group outside_access_in in interface outside

Option #2

static (inside,outside) 196.1.1.1 10.10.10.1 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 196.1.1.1 eq 3389

access-group outside_access_in in interface outside
0
 
ciscosupp (author) commented:
I tried option 2 but get this error:

Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

And mustn't it be 10.10.10.50 instead of 10.10.10.1, as my internal host has an IP of 10.10.10.50?

Please advise.
0

fgasimzade commented:
Oops, sorry, it should be:
static (inside,outside) interface 10.10.10.50 netmask 255.255.255.255

The access list remains the same.
0
 
ciscosupp (author) commented:
Thanks. Now I get this error:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.251 dst inside:10.10.10.2 (type 8, code 0) denied due to NAT reverse path failure
0
 
fgasimzade commented:
Can you post your config please?
0
 
ciscosupp (author) commented:
See the attached file ASA-Config.txt.
0
 
fgasimzade commented:
First, I cannot see your static NAT for 10.10.10.50.

Secondly, what is 10.10.10.2? You will not be able to use both IP addresses to NAT to the same outside interface.

And the main thing is that your default gateway is pointing to 192.168.1.1.

If you want your NAT to be working, you need to have a default route pointing out from the outside interface.
0
 
ciscosupp (author) commented:
I changed my server's IP to 10.10.10.2, and the default gateway is an ADSL modem.
It's only a test lab.
Please see the attached diagram Diagram.jpg.
0
 
fgasimzade commented:
This is where the problem is: asymmetric routing.

Since you have 192.168.1.100 configured on the outside interface, your 10.10.10.2 is NATed to 192.168.1.100.

You can configure NAT for 10.10.10.2 on the ADSL modem, or you would need to change your outside IP address to 196.1.1.1.
0
 
Ernie Beek (Expert) commented:
A few things:

- Like fgasimzade said, you can't NAT the outside interface to multiple inside addresses. You'll need to do PAT (fgasimzade's option 1). Or, the way it's set up right now, you could use a second address to NAT from the outside to 10.10.10.2 (for example: static (inside,outside) 192.168.1.101 10.10.10.2 netmask 255.255.255.255).
Even better would be to not do a 1:1 NAT on the interface address but also use a different IP for that, like: static (inside,outside) 192.168.1.102 10.10.10.50 netmask 255.255.255.255

- Is that IP 196.1.1.1 a typo or are you using that somewhere else?

- Your server 10.10.10.2 will need a default gateway (like fgasimzade already said), otherwise it won't 'know' how to get to other networks than its own.
0
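Putting fgasimzade's corrected static command and Ernie's points together, here is a complete ASA 8.2 configuration for the original question. This is an added example written for this page, not code posted by either expert or by ciscosupp. It assumes an upstream router at 196.1.1.2 in the question's /29 as the default-route next hop, reuses the ACL name outside_access_in from fgasimzade's answer, and assumes the server 10.10.10.50 has 10.10.10.1 set as its default gateway (the point the thread eventually turned on). It uses static PAT (fgasimzade's option 1 with the 'interface' keyword) so only TCP/3389 on the outside address is forwarded, and the inbound ACL permits only that port rather than the 'tcp any any' and 'udp any any' lines that appear in the config posted later in the thread.

```cisco
! Added example (not from the thread): ASA 8.2 static PAT forwarding RDP
! to 10.10.10.50 through the outside interface address.
!
! Interfaces exactly as posted in the question.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 196.1.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Static PAT on the interface address: only TCP/3389 is mapped to the server.
! 'interface' is required here; typing 196.1.1.1 literally produces the
! "Static PAT using the interface requires the use of the 'interface' keyword"
! error quoted in the thread.
static (inside,outside) tcp interface 3389 10.10.10.50 3389 netmask 255.255.255.255
!
! In 8.2 (pre-8.3 NAT) the inbound ACL is written against the translated
! (outside) address. Permit RDP to the interface address only.
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside
!
! Default route out the outside interface. 196.1.1.2 is an ASSUMED upstream
! router in the question's /29. Without a default route on the ASA (and a
! default gateway on the server pointing at 10.10.10.1) return traffic has no
! path out, which is what the 305013 "NAT reverse path failure" in the thread
! was reporting.
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1
!
! Verification after an RDP attempt from outside:
!   show nat          untranslate_hits rising while translate_hits stays 0
!                     (as in the thread's output) means inbound packets reach
!                     the server but nothing comes back: check the server's
!                     default gateway first.
!   show xlate        lists the PAT entry for 10.10.10.50/3389 once traffic flows.
!   show logging | include 10.10.10.50
!                     shows the build/teardown messages for the connection.
```

The two 1:1 alternatives Ernie describes (a second outside address per inside host, e.g. static (inside,outside) 192.168.1.102 10.10.10.50 netmask 255.255.255.255) need the ACL to reference that mapped address instead of the interface, and still need the same default route and server gateway to work.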
 
ciscosupp (author) commented:
Thanks for the info.
I made a small change: I plugged my laptop directly into ASA interface e0/0 and the server directly into ASA interface 0/1. My laptop's IP is 196.12.10.2/24 and the server's IP is 10.10.10.2/24,
but it is still not working. See my config:
LAB# show run
: Saved
:
ASA Version 8.2(2)
!
hostname LAB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 196.12.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq 3389
access-list outside extended permit tcp any host 196.12.10.1 eq 3389
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit icmp any any
access-list inside extended permit tcp any any eq domain
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit tcp any any eq https
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) interface 10.10.10.2 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

LAB# show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 185
0
 
Ernie Beek (Expert) commented:
First, get rid of the inside access list:
no access-group inside in interface inside

And see what happens.
Also keep an eye on the logging (real-time through ASDM); it might give you some extra clues about what is not quite right yet.
0
 
ciscosupp (author) commented:
I removed the ACL (no access-group inside in interface inside).
Still not working; see the ASA log file attached. I don't understand why it's not working.

LAB#   show nat

NAT policies on Interface inside:
  match ip inside host 10.10.10.2 outside any
    static translation to 196.12.10.1
    translate_hits = 0, untranslate_hits = 632
asa-log.txt
0
 
fgasimzade commented:
What exactly is not working?

Make sure you turned off the firewall on your laptop.
0
 
ciscosupp (author) commented:
NAT is not working, as I cannot RDP to the IP address 196.12.10.1.
The firewall is off on both the PC and the server, and if I add a default gateway I can RDP to 10.10.10.2; that works.
0
 
fgasimzade commented:
Where do you add DG?
0
 
ciscosupp (author) commented:
On the laptop and server, so it routed.
0
 
ciscosupp (author) commented:
i am so fucking retarded
:-)
0
 
Ernie Beek (Expert) commented:
No you're not :D

You just need some extra pairs of eyes every now and then :)
0
 
ciscosupp (author) commented:
Hahaha, that is true, especially in IT.
0
Question has a verified solution.