Solved

nat rule on CISCO Pix

Posted on 2013-10-31
619 Views
Last Modified: 2013-11-06
Hi Guys,

I want to set up a NAT rule (externally) so I can view my webcam on IP address 192.168.20.90, port 8081.

Our IP is the .194 one.

I tried setting it up, but it was telling me it was conflicting with the 20.1 rule.
Q-28282039nat-ruleA.jpg
Question by:jonathanduane2010
8 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39613874
That is correct.
You're using a 1:1 NAT from the .194 to the 20.1 so you can't set up a second one from the same outside address to another internal address.
If you want to use that public IP for both internal addresses you'll have to PAT them, so forward ports from the public IP to those 2 internal ones.

Is there a specific reason you set up the first NAT rule this way?

Author Comment

by:jonathanduane2010
ID: 39621034
Whatever works would be fine with me.
LVL 35

Expert Comment

by:Ernie Beek
ID: 39621050
Ok, let's have a look then.

Could you first post a sanitized config of your ASA, or at least the part showing the 'static' commands and the access list for the outside interface?
That way it should be easy to point out what changes have to be made.

Author Comment

by:jonathanduane2010
ID: 39621137
OK, here is the list of access rules.

I can show you a list of NAT rules too?
Q-28282039access-rulesA.bmp
LVL 35

Expert Comment

by:Ernie Beek
ID: 39621159
Well, if you could.

But could you show them in a different way?
Go to: Tools->command line interface and give the command 'wr t' (without the quotes).
That will give you a textual config (I'm more a CLI type :)

Oh, and do some sanitizing. Remove the more confidential stuff like public address (blank a part of it or change it to another address), usernames, etc. We don't want the whole world to see that ;)

Thinking of it, I'll ask a mod/TA to clean the pictures you posted. Paranoid? Perhaps, but better safe than sorry.

Author Comment

by:jonathanduane2010
ID: 39621259
OK, all sensitive info is out.

Thank you.

Result of the command: "wr t"

: Saved
:
ASA Version 8.0(4) 
!
hostname test
domain-name default.domain.invalid
enable password password encrypted
passwd password encrypted
names
name 192.168.20.90 Cam
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 95.45.254.82 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif OutsideNew
 security-level 0
 ip address 99.140.211.206 255.255.255.240 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
!
time-range inter
 periodic daily 19:12 to 19:14
!
time-range li
 periodic daily 19:26 to 19:29
!
time-range newstime
 periodic daily 16:50 to 16:58
 periodic weekdays 9:50 to 9:58
 periodic daily 13:50 to 13:58
 periodic daily 14:50 to 14:58
 periodic daily 15:50 to 15:58
 periodic daily 9:50 to 9:58
 periodic daily 11:50 to 23:58
 periodic daily 8:50 to 8:58
 periodic daily 10:50 to 10:58
 periodic daily 20:12 to 20:15
 periodic daily 19:50 to 19:58
 periodic daily 12:50 to 12:58
 periodic daily 18:50 to 18:58
!
time-range test
 periodic daily 18:32 to 18:35
!
time-range uy
 periodic daily 18:40 to 18:43
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network mailserver
 network-object host 192.168.20.1
object-group service SERVICES tcp
 port-object eq www
 port-object eq smtp
 port-object eq pop3
 port-object eq 3000
 port-object eq 3389
 port-object eq imap4
object-group service UDPSERVICES udp
 port-object eq 3389
object-group network LAN
 network-object 192.168.20.0 255.255.255.0
object-group service WWW tcp
 port-object eq www
object-group service TIELINE tcp-udp
 port-object eq 9000
 port-object eq 9002
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object host 192.168.20.189
object-group service cam tcp
 port-object eq 8081
access-list WAN_LAN extended permit tcp any host 95.45.254.84 object-group SERVICES log 
access-list WAN_LAN extended permit udp any host 95.45.254.84 object-group UDPSERVICES log 
access-list WAN_LAN extended permit tcp any host 95.45.254.85 object-group WWW log 
access-list WAN_LAN extended permit tcp any host 95.45.254.86 object-group TIELINE log 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.16.8.0 255.255.255.0 
access-list LAN-WAN extended permit tcp object-group LAN any object-group SERVICES 
access-list LAN-WAN extended permit ip object-group mailserver any 
access-list split standard permit 192.168.20.0 255.255.255.0 
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 object-group SERVICES 
access-list OutsideNew_access_in extended permit udp any host 99.140.211.194 object-group UDPSERVICES 
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.195 object-group WWW 
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.199 object-group TIELINE 
access-list OutsideNew_access_in extended permit tcp 62.190.143.32 255.255.255.224 host 99.140.211.195 eq 3389 
access-list OutsideNew_access_in remark telnet
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 eq telnet 
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 object-group cam 
access-list inside_access_in extended permit ip any any inactive 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 95.131.90.85 object-group WWW 
access-list inside_access_in extended deny tcp host 192.168.20.231 any object-group WWW time-range newstime inactive 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu OutsideNew 1500
mtu management 1500
ip local pool vpnpool 192.16.8.2-192.16.8.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (OutsideNew) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 95.45.254.85 192.168.20.2 netmask 255.255.255.255 
static (inside,outside) 95.45.254.86 192.168.20.52 netmask 255.255.255.255 
static (inside,outside) 95.45.254.84 192.168.20.1 netmask 255.255.255.255 dns 
static (inside,OutsideNew) 99.140.211.194 192.168.20.1 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.195 192.168.20.2 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.199 192.168.20.52 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.196 192.168.20.53 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.198 192.168.20.60 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.199 192.168.20.61 netmask 255.255.255.255 
static (inside,OutsideNew) 99.140.211.200 192.168.20.62 netmask 255.255.255.255 
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group OutsideNew_access_in in interface OutsideNew
route outside 0.0.0.0 0.0.0.0 95.45.254.81 1
route OutsideNew 0.0.0.0 0.0.0.0 99.140.211.193 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 213.94.194.99 255.255.255.255 outside
http 192.168.20.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 62.190.143.32 255.255.255.224 OutsideNew
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
crypto ipsec transform-set vpnsettings esp-3des esp-md5-hmac 
crypto ipsec transform-set remotesettings esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remoteclient 20 set transform-set remotesettings
crypto dynamic-map remoteclient 20 set security-association lifetime seconds 28800
crypto dynamic-map remoteclient 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OutsideNew_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideNew_map interface OutsideNew
crypto isakmp identity address 
crypto isakmp enable OutsideNew
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 159.134.222.0 255.255.254.0 outside
ssh 86.49.126.54 255.255.255.255 outside
ssh 213.94.194.99 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh 62.190.43.32 255.255.255.224 OutsideNew
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn3000 internal
group-policy vpn3000 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value test.ie

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
 address-pool vpnpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
 isakmp ikev1-user-authentication none
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:42c999b269413f69b984f6158afc114d
: end
[OK]
LVL 35

Accepted Solution

by: Ernie Beek (earned 445 total points)
ID: 39621284
Right, here we go.

First, we need to remove the (1:1) static:

no static (inside,OutsideNew) 99.140.211.194 192.168.20.1 netmask 255.255.255.255

Now we open up the ports that go to the 192.168.20.1 (can't use object groups here, so we need to define every port):

static (inside,OutsideNew) tcp 99.140.211.194 23 192.168.20.1 23 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 25 192.168.20.1 25 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 80 192.168.20.1 80 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 110 192.168.20.1 110 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 143 192.168.20.1 143 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 3000 192.168.20.1 3000 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 3389 192.168.20.1 3389 netmask 255.255.255.255
static (inside,OutsideNew) udp 99.140.211.194 3389 192.168.20.1 3389 netmask 255.255.255.255


Then we add the port for the cam to the 192.168.20.90:

static (inside,OutsideNew) tcp 99.140.211.194 8081 192.168.20.90 8081 netmask 255.255.255.255

Finally, issue a 'clear xlate'.

That should do the trick.


And remember (as long as you don't commit to memory) if anything goes wrong, a reload will restore the previous config.
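The accepted answer works because a 1:1 static claims the whole outside address, while port statics share it; the access list on OutsideNew already permits tcp/8081 to .194 (object-group cam), so only the translation had to change. As an added example that is not part of the thread, the Python below reads 'static' lines in the ASA 8.0 syntax shown in the posted config and flags the two overlaps the OP ran into: a port static on an address already owned by a 1:1 static, and two 1:1 statics on one outside address (the posted config lists 99.140.211.199 twice, for 192.168.20.52 and 192.168.20.61). The sample config is constructed from lines in the thread plus the cam line from the answer.

```python
import re
from collections import defaultdict

# Constructed sample: four 1:1 statics copied from the posted config plus the
# port static for the cam that the accepted answer adds (hypothetical mix).
SAMPLE_CONFIG = """\
static (inside,OutsideNew) 99.140.211.194 192.168.20.1 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.195 192.168.20.2 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.199 192.168.20.52 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.199 192.168.20.61 netmask 255.255.255.255
static (inside,OutsideNew) tcp 99.140.211.194 8081 192.168.20.90 8081 netmask 255.255.255.255
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ONE_TO_ONE = re.compile(rf"^static \((\w+),(\w+)\) {IP} {IP} netmask")
PORT_STATIC = re.compile(rf"^static \((\w+),(\w+)\) (tcp|udp) {IP} (\w+) {IP} (\w+) netmask")

def parse_statics(text):
    """Return (ifpair, outside_ip, proto, outside_port, inside_ip) per static
    line; proto and port are None for a 1:1 static (whole address claimed)."""
    entries = []
    for line in text.splitlines():
        m = PORT_STATIC.match(line.strip())
        if m:
            entries.append(((m[1], m[2]), m[4], m[3], m[5], m[6]))
            continue
        m = ONE_TO_ONE.match(line.strip())
        if m:
            entries.append(((m[1], m[2]), m[3], None, None, m[4]))
    return entries

def find_conflicts(text):
    """Flag what the ASA rejects: two 1:1 statics on one outside address, or a
    port static on an outside address that a 1:1 static already owns."""
    claims = defaultdict(list)  # (ifpair, outside_ip) -> entries using it
    for e in parse_statics(text):
        claims[(e[0], e[1])].append(e)
    conflicts = []
    for (ifpair, ip), entries in claims.items():
        whole = [e for e in entries if e[2] is None]
        ports = [e for e in entries if e[2] is not None]
        where = f"{ip} on {ifpair[1]}"
        if len(whole) > 1:
            conflicts.append(f"{where}: 1:1 static to both "
                             + " and ".join(e[4] for e in whole))
        if whole and ports:
            conflicts.append(f"{where}: 1:1 static to {whole[0][4]} blocks "
                             + ", ".join(f"{e[4]}:{e[3]}/{e[2]}" for e in ports))
    return conflicts
```

Once the 1:1 static for .194 is replaced by the per-port statics from the answer, the checker returns nothing for that address, because port statics sharing an outside address are allowed as long as their proto/port pairs differ.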