Sameer,
the ASA is not a router, so no NAT = no connection.
You *MUST* configure:
A) "no nat-control" to avoid the NAT limitation. (TRY THAT ONE FIRST, IT IS THE
EASIEST WAY)
B) You need to configure something like a NAT static translation:
static (Inside,outside) 94.x.x.x 94.x.x.x netmask 255.x.x.x
C) The following information, attached below, which looks like your scenario:
hth
Robclav
robclavbcn.blogspot.com
www.kubsolutions.com
Configure Identity NAT
Identity NAT translates the real IP address to the same IP address. Only
"translated" hosts can create NAT translations, and responding traffic is
allowed back.
*Note:* If you change the NAT configuration, and you do not want to wait for
existing translations to time out before the new NAT information is used,
you use the *clear xlate* command in order to clear the translation table.
However, all current connections that use translations are disconnected when
you clear the translation table.
In order to configure identity NAT, enter this command:
hostname(config)#*nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]*
For example, in order to use identity NAT for the inside 10.1.1.0/24 network, enter this command:
hostname(config)#*nat (inside) 0 10.1.1.0 255.255.255.0*
2010/10/21 sameer inam <i_sameer_at_hotmail.com>
> Rob,
>
> thanks for the advice, but trust me, I will not be fired; I have manager
> approval ;-) .. Please advise about the current configuration, please see below.
>
>
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 94.xxx.xx.xx 255.255..xxx.xx
> !
> interface Vlan3
> nameif Outside
> security-level 0
> ip address 213.xxx.xx.xx 255.255.255.252
> !
> interface Ethernet0/0
> description Uplink to Etisalat
> switchport access vlan 3
> !
> interface Ethernet0/1
> description UPLINK TO DMVPN ROUTER
> !
> interface Ethernet0/2
> description uplink to DMVPN router
> !
> interface Ethernet0/3
> shutdown
> !
> interface Ethernet0/4
> shutdown
> !
> interface Ethernet0/5
> shutdown
> !
> interface Ethernet0/6
> shutdown
> !
> interface Ethernet0/7
> shutdown
> !
> ftp mode passive
> access-list INTERNET extended permit ip any any
> access-list INTERNET extended permit icmp any any
> access-list INTERNET extended permit tcp any eq www any
> access-list INTERNET extended permit tcp any any
> access-list INTERNET extended permit udp any any
> access-list INTERNET extended permit tcp any eq smtp any
> access-list INTERNET extended permit ospf any any
> access-list INTERNET extended permit udp any eq isakmp any
> access-list http-list2 extended permit tcp any any
> !
> tcp-map mss-map
> !
> pager lines 24
> mtu inside 1500
> mtu Outside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> icmp permit any inside
> icmp permit any Outside
> icmp permit 94.xxx.xx.xx. 255.xxx.x..xx.xx Outside
> no asdm history enable
> arp timeout 14400
> access-group INTERNET in interface Outside
> route Outside 0.0.0.0 0.0.0.0 213.xx.xx.xx. 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet 94.56.14.1 255.255.255.255 Outside
> telnet timeout 100
> ssh 94.xxx.xx.xx 255.xxx.xx.xx.xxx inside
> ssh 213.xxx.xxx..xx 255.255.255.255 Outside
> ssh timeout 5
> console timeout 0
>
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> username sameer password 433uZHvFIroCS/8n encrypted privilege 15
> username averda password U6zkTENXUzuFzRtZ encrypted privilege 15
> !
> class-map http-map1
> match access-list http-list2
> !
> !
> policy-map http-map
> class http-map1
> set connection advanced-options mss-map
> !
> service-policy http-map interface Outside
> prompt hostname context
> Cryptochecksum:65bd373c10e6d1021d5f4573fd74c67b
> : end
>
> ------------------------------
> From: robclav_at_gmail.com
> Date: Thu, 21 Oct 2010 13:56:50 +0200
> Subject: Re: Outsde to inside
> To: i_sameer_at_hotmail.com
> CC: ccielab_at_groupstudy.com
>
>
> Well Sameer, you can do it in several ways, for instance using a permit
> any any.
>
> The easiest way:
> a) Allow non-NATed traffic from inside to outside (the NO NAT-CONTROL
> privileged command at the ASA CLI), and allow some traffic from outside to
> reach your internal network. This used to be mandatory, as older versions
> use NAT to communicate between any interfaces.
>
> B) Create an "identity" NAT process from inside to outside. You "announce"
> the same IP address using nat outside to create the "PIPE" of the NAT
> process.
>
> If you are thinking of allowing any traffic to your internal network, you
> can do it, but after that start applying to other positions, because you
> will be fired from your current job ;))
>
> Hth
> Robclav
> robclavbcn.blogspot.com
> www.kubsolutions.com
>
>
>
> 2010/10/21 sameer inam <i_sameer_at_hotmail.com>
>
> How do I make my inside IP accessible from outside on an ASA FW 5505? BTW,
> my inside IP is also a public IP from the ISP's /29 subnet. Please advise?
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Oct 21 2010 - 14:19:07 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART
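As an added example (not part of the thread or of Cisco's documentation), a small Python audit that reads an ASA-style config and reports the two points raised above: an inbound `permit ip any any` applied on the outside interface, and the absence of any `no nat-control`, `nat 0` or `static` line that would let traffic pass under nat-control. The sample config is constructed to mirror Sameer's paste; names and addresses are placeholders.

```python
import re

# Constructed sample, modelled on the config pasted in the thread (not the real config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan3
 nameif Outside
 security-level 0
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any eq www any
access-group INTERNET in interface Outside
"""

# Extended ACL entry: name, action, protocol, remainder (source/destination/ports).
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
# ACL bound inbound on an interface.
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
# Any of the three things Robclav lists: no nat-control, identity NAT (nat ... 0), or a static.
NAT_RE = re.compile(r"^(no nat-control|nat \(\S+\) \d+ |static \()")


def audit_asa_config(text):
    """Return a list of finding strings; an empty list means neither issue was seen."""
    acls, bound, has_nat = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
            continue
        if NAT_RE.match(line):
            has_nat = True
    findings = []
    for iface, name in bound.items():
        for action, proto, rest in acls.get(name, []):
            if action == "permit" and proto == "ip" and rest == "any any":
                findings.append(f"ACL {name} inbound on {iface}: 'permit ip any any' "
                                f"exposes every inside host to every outside source")
    if not has_nat:
        findings.append("no 'no nat-control', 'nat (x) 0' or 'static' line: with "
                        "nat-control on, inside-to-outside traffic needs a translation")
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Narrow the first permit line to the hosts and ports that actually need to be reachable and add the identity NAT (or `no nat-control`), and the audit returns an empty list.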