Static NAT problem?
14 years 6 months ago #34546
by whiskytangofoxtrot
Static NAT problem? was created by whiskytangofoxtrot
Hi, this is my first post. I found this forum while looking for more information on Cisco firewalls.
I am working with a new ASA 5505, without the enhancements, no DMZ. I have the "outside" VLAN2 directly connected to our fiber connection, and the "inside" VLAN1 connected to our switch.
I have two addresses set up for static NAT, one being our mail server, the other being a web server. When the 5505 is plugged in, the users can get out to the internet, but no traffic comes in to our mail server, or web server from the outside. Also there is no communication from internet Outlook clients to the mail server.
I currently have a Checkpoint firewall in place with NAT rule for both servers, and it works fine. However Cisco firewalls are new to me and I'm not sure what I'm doing wrong.
Here is a sample of my config if anyone can help me out.
83.250.152.153 is my ISP's connection to us
83.250.152.154 is the outside of the 5505
83.250.152.155 is the intended outside of the mail server
83.250.152.156 is the intended outside of the web server
Thanks,
B
[code:1]
name 192.168.1.7 Active01 description DC, DNS #1
name 192.168.1.8 Active02 description DC, DNS #2
name 192.168.1.0 Inside_LAN description Local
name 83.250.152.152 Outside description Fiber link
name 192.168.1.4 Exchange1 description Mail Server SMTP,HTTP,HTTPS
name 192.168.1.16 WEBSRVR1 description WEB Server #1 HTTPS
name 83.250.152.156 WEB_Gateway description WEB Server WAN IP
name 83.250.152.155 Mail_Gateway description eMail WAN IP
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.250.152.154 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name plaspscc.net
object-group network DNS_Servers
network-object host ADC01
network-object host ADC02
object-group service Web_Services tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
access-list outside_in remark Network ICMP Ping reply inbound
access-list outside_in extended permit icmp any host WEBSRVR1 echo
access-list outside_in remark WEB Server Gateway RDP over HTTPs
access-list outside_in extended permit tcp any host Web_Gateway eq https
access-list outside_in remark OWA
access-list outside_in extended permit tcp any host Mail_Gateway object-group Web_Services
access-list outside_in remark Inbound eMail
access-list outside_in extended permit tcp any host Mail_Gateway eq smtp
access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https inactive
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp Inside_LAN 255.255.255.0 any object-group Web_Services
access-list outbound remark Common Internet Traffic
access-list outbound extended permit tcp Inside_LAN 255.255.255.0 any object-group Web_Services
access-list outbound extended permit tcp host EXCHANGE1 any eq smtp
access-list outbound remark NTP Time Sync
access-list outbound extended permit udp object-group DNS_Servers any eq ntp
access-list outbound remark DNS Traffic
access-list outbound extended permit object-group TCPUDP Inside_LAN 255.255.255.0 any eq domain
access-list outbound remark AD Server Lock down
access-list outbound extended deny ip object-group DNS_Servers any
urs
access-list outbound remark Network ICMP Ping outbound
access-list outbound extended permit icmp Inside_LAN 255.255.255.0 any echo
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_HO 192.168.2.20-192.168.2.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location EXCHANGE1 255.255.255.255 inside
asdm location Active01 255.255.255.255 inside
asdm location Active02 255.255.255.255 inside
asdm location WEBSRVR1 255.255.255.255 inside
asdm location Mail_Gateway 255.255.255.255 inside
asdm location NCO 255.255.255.255 inside
asdm location NC 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) EXCHANGE1 Mail_Gateway netmask 255.255.255.255
static (outside,inside) WEBSRVR1 Web_Gateway netmask 255.255.255.255
static (inside,outside) Mail_Gateway EXCHANGE1 netmask 255.255.255.255
access-group outbound in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.250.152.153 1
[/code:1]
14 years 6 months ago #34558
by whiskytangofoxtrot
Replied by whiskytangofoxtrot on topic Re: Static NAT problem?
Anyone? Or is this the wrong place to post this?
14 years 6 months ago #34564
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: Static NAT problem?
Hey WTF (yes, WhiskyTangoFoxtrot),
Try this:
[code:1]
no static (outside,inside) EXCHANGE1 Mail_Gateway netmask 255.255.255.255
no static (outside,inside) WEBSRVR1 Web_Gateway netmask 255.255.255.255
!
static (inside,outside) Web_Gateway WEBSRVR1
[/code:1]
You turned around the inside and outside comments on the first two lines. The third line is correct but won't work because the incorrect first line stands above it, which will match first.
Let me know if it works ^^
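To make the argument order in the reply mechanical, here is an added example (my own code, not from the original post or from r0nni3) that lints the thread's config the way a reviewer would check it by hand. It assumes the pre-8.3 ASA syntax the post is running (ASDM 5.2 era), `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m]`, that every `static` in this config is meant to publish a server living on the higher-security interface (so a `static` whose real side is the lower-security interface has its arguments reversed), and that a pre-8.3 interface ACL is evaluated against the mapped (public) address. `SAMPLE_CONFIG` is a constructed excerpt of the posted config; the name lookup is made case-insensitive only so the post's mixed-case `Exchange1`/`EXCHANGE1` resolves.

```python
"""Lint pre-8.3 ASA 'static' lines and the outside ACL for reversed arguments."""
import ipaddress
import re

# Constructed excerpt of the config in the thread: names, interfaces, three
# outside_in entries and the three 'static' lines exactly as posted.
SAMPLE_CONFIG = """\
name 192.168.1.4 Exchange1
name 192.168.1.16 WEBSRVR1
name 83.250.152.156 Web_Gateway
name 83.250.152.155 Mail_Gateway
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 83.250.152.154 255.255.255.248
access-list outside_in extended permit icmp any host WEBSRVR1 echo
access-list outside_in extended permit tcp any host Web_Gateway eq https
access-list outside_in extended permit tcp any host Mail_Gateway eq smtp
static (outside,inside) EXCHANGE1 Mail_Gateway netmask 255.255.255.255
static (outside,inside) WEBSRVR1 Web_Gateway netmask 255.255.255.255
static (inside,outside) Mail_Gateway EXCHANGE1 netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<name>\S+)")
# pre-8.3: static (real_ifc,mapped_ifc) mapped_ip real_ip
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<mapped>\S+) (?P<real>\S+)")
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) extended permit \S+ \S+ host (?P<dst>\S+)")


def parse_names(cfg):
    """{lower-cased name: IPv4Address}. Lower-casing is a lint choice so the post's
    EXCHANGE1/Exchange1 resolve to one host; it is not a claim about the ASA."""
    return {m["name"].lower(): ipaddress.ip_address(m["ip"])
            for m in map(NAME_RE.match, cfg.splitlines()) if m}


def parse_interfaces(cfg):
    """{nameif: (security_level, IPv4Network)} from each interface block."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        p = line.split()
        if p[:1] == ["nameif"]:
            cur = p[1]
            ifaces[cur] = [None, None]
        elif p[:1] == ["security-level"] and cur:
            ifaces[cur][0] = int(p[1])
        elif p[:2] == ["ip", "address"] and cur:
            ifaces[cur][1] = ipaddress.ip_interface(f"{p[2]}/{p[3]}").network
    return {k: tuple(v) for k, v in ifaces.items()}


def resolve(token, names):
    """Turn a 'name' or a dotted quad into an IPv4Address."""
    ip = names.get(token.lower())
    return ip if ip is not None else ipaddress.ip_address(token)


def lint_statics(cfg):
    """(line, reason) for every static whose real side is the lower-security interface.
    Under the publishing assumption, that means real and mapped were swapped."""
    names, ifaces = parse_names(cfg), parse_interfaces(cfg)
    findings = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if m and ifaces[m["real_ifc"]][0] < ifaces[m["mapped_ifc"]][0]:
            findings.append((line, f"real host {resolve(m['real'], names)} is placed on "
                                   f"{m['real_ifc']}; a published server belongs on the "
                                   f"higher-security side, so the arguments look reversed"))
    return findings


def swap_static(line):
    """(outside,inside) A B  ->  (inside,outside) B A, the correction made in the reply."""
    m = STATIC_RE.match(line)
    return (f"static ({m['mapped_ifc']},{m['real_ifc']}) {m['real']} {m['mapped']}"
            + line[m.end():])


def fixed_statics(cfg):
    """Corrected static lines, de-duplicated by (ifaces, mapped ip, real ip), in order."""
    names, ifaces = parse_names(cfg), parse_interfaces(cfg)
    seen, result = set(), []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        if ifaces[m["real_ifc"]][0] < ifaces[m["mapped_ifc"]][0]:
            line = swap_static(line)
            m = STATIC_RE.match(line)
        key = (m["real_ifc"], m["mapped_ifc"],
               resolve(m["mapped"], names), resolve(m["real"], names))
        if key not in seen:  # the post's first line, once swapped, repeats its third
            seen.add(key)
            result.append(line)
    return result


def lint_acl(cfg, acl="outside_in", ifc="outside"):
    """Entries on the outside ACL whose destination is not an outside-side address.
    Pre-8.3 the ACL sees the mapped address, so 'host WEBSRVR1' (inside IP) never matches."""
    names, ifaces = parse_names(cfg), parse_interfaces(cfg)
    findings = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if m and m["acl"] == acl and resolve(m["dst"], names) not in ifaces[ifc][1]:
            findings.append((line, f"destination {m['dst']} is not on {ifc}; use the mapped address"))
    return findings


if __name__ == "__main__":
    for line, why in lint_statics(SAMPLE_CONFIG) + lint_acl(SAMPLE_CONFIG):
        print(f"{line}\n    -> {why}")
    print("\ncorrected statics:\n" + "\n".join(fixed_statics(SAMPLE_CONFIG)))
```

Run against the excerpt, the two `(outside,inside)` lines are flagged, the swapped mail line collapses into the third line the poster already had, and the web line becomes `static (inside,outside) Web_Gateway WEBSRVR1 netmask 255.255.255.255`, matching the reply. The ACL check also picks up the `permit icmp any host WEBSRVR1 echo` entry, which on this software version should reference the public address rather than the inside one.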