I just want to mention one more thing: the DMVPN router is connected behind the ASA.
It is connected on the ASA inside interface 94.xxx.xx.xx/29, the router's fas0/0 is
also in 94.xx.xx.xx/29, and NAT is on the Cisco router.
kind regards,
Sameer
From: robclav_at_gmail.com
Date: Thu, 21 Oct 2010 14:19:07 +0200
Subject: Re: Outside to inside
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com
Sameer, the ASA is not a router, so, no NAT = no connection.
You MUST configure
A) "no nat-control" to avoid the NAT limitation. (TRY FIRST THAT ONE, IT IS THE
EASIEST WAY)
B) you need to configure something like a static NAT translation:
static (Inside,outside) 94.x.x.x 94.x.x.x netmask 255.x.x.x
C) the following information attached below, which looks like your scenario:
hth
Robclav
robclavbcn.blogspot.com
www.kubsolutions.com
Configure Identity NAT

Identity NAT translates the real IP address to the same IP address. Only
"translated" hosts can create NAT translations, and responding traffic is
allowed back.

Note: If you change the NAT configuration, and you do not want to wait for
existing translations to time out before the new NAT information is used, use
the clear xlate command in order to clear the translation table. However, all
current connections that use translations are disconnected when you clear the
translation table.

In order to configure identity NAT, enter this command:

hostname(config)# nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

For example, in order to use identity NAT for the inside 10.1.1.0/24 network,
enter this command:

hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0
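As an added example (not part of Rob's message or the Cisco text he quoted), here are his options A and B in the pre-8.3 ASA syntax used in this thread, followed by an inbound access list narrowed to what a DMVPN router behind the ASA needs in place of "permit ip any any". The 192.0.2.0/29 addresses, the router address 192.0.2.2 and the access-list name OUTSIDE_IN are placeholders; the interface names follow Sameer's config.

```cisco
! Added example, not from the thread. 192.0.2.0/29 stands in for the public
! /29 on the inside and 192.0.2.2 for the DMVPN router's fas0/0 (assumed);
! interface names follow Sameer's config (inside, Outside).
!
! Option A (Rob's "try this first"): remove the NAT requirement. With
! nat-control off, no xlate is needed in either direction; the access list
! applied to Outside still decides what may come in.
no nat-control
!
! Option B: identity static for the router only. Same real and mapped
! address, so nothing is rewritten, but a permanent bidirectional xlate
! exists for that host. A /32 mask exposes one address, not the whole /29.
static (inside,Outside) 192.0.2.2 192.0.2.2 netmask 255.255.255.255
!
! Either option is enough on the NAT side. What actually limits exposure is
! the inbound policy: with IPsec-protected DMVPN the ASA only sees IKE,
! NAT-T (if peers use it) and ESP, because GRE and NHRP travel inside ESP.
access-list OUTSIDE_IN extended permit udp any host 192.0.2.2 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 192.0.2.2 eq 4500
access-list OUTSIDE_IN extended permit esp any host 192.0.2.2
! ICMP kept to the types needed for path troubleshooting, not "icmp any any".
access-list OUTSIDE_IN extended permit icmp any host 192.0.2.2 echo
access-list OUTSIDE_IN extended permit icmp any host 192.0.2.2 unreachable
access-list OUTSIDE_IN extended permit icmp any host 192.0.2.2 time-exceeded
! Add "permit gre any host 192.0.2.2" only if the tunnels run unencrypted GRE.
! Explicit final deny with logging so blocked attempts show up in syslog.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface Outside
!
! Checks after applying (privileged EXEC): the static should show as an
! identity entry and the permit counters should move when a tunnel comes up.
! show xlate
! show access-list OUTSIDE_IN
```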
2010/10/21 sameer inam <i_sameer_at_hotmail.com>
Rob,
thanks for the advice, but trust me, I will not be fired, I have manager approval
;-) .. please advise about the current configuration, please see below:
interface Vlan1
 nameif inside
 security-level 100
 ip address 94.xxx.xx.xx 255.255..xxx.xx
interface Vlan3
 nameif Outside
 security-level 0
 ip address 213.xxx.xx.xx 255.255.255.252
interface Ethernet0/0
 description Uplink to Etisalat
 switchport access vlan 3
interface Ethernet0/1
 description UPLINK TO DMVPN ROUTER
interface Ethernet0/2
 description uplink to DMVPN router
interface Ethernet0/3
 shutdown
interface Ethernet0/4
 shutdown
interface Ethernet0/5
 shutdown
interface Ethernet0/6
 shutdown
interface Ethernet0/7
 shutdown
ftp mode passive
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
access-list INTERNET extended permit tcp any eq www any
access-list INTERNET extended permit tcp any any
access-list INTERNET extended permit udp any any
access-list INTERNET extended permit tcp any eq smtp any
access-list INTERNET extended permit ospf any any
access-list INTERNET extended permit udp any eq isakmp any
access-list http-list2 extended permit tcp any any
!
tcp-map mss-map
!
pager lines 24
mtu inside 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Outside
icmp permit 94.xxx.xx.xx. 255.xxx.x..xx.xx Outside
no asdm history enable
arp timeout 14400
access-group INTERNET in interface Outside
route Outside 0.0.0.0 0.0.0.0 213.xx.xx.xx. 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 94.56.14.1 255.255.255.255 Outside
telnet timeout 100
ssh 94.xxx.xx.xx 255.xxx.xx.xx.xxx inside
ssh 213.xxx.xxx..xx 255.255.255.255 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sameer password 433uZHvFIroCS/8n encrypted privilege 15
username averda password U6zkTENXUzuFzRtZ encrypted privilege 15
!
class-map http-map1
 match access-list http-list2
!
policy-map http-map
 class http-map1
  set connection advanced-options mss-map
!
service-policy http-map interface Outside
prompt hostname context
Cryptochecksum:65bd373c10e6d1021d5f4573fd74c67b
: end
From: robclav_at_gmail.com
Date: Thu, 21 Oct 2010 13:56:50 +0200
Subject: Re: Outside to inside
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com
Well Sameer, you can do it in several ways, for instance using a permit any
any.
The easiest way:
a) Allow non-NATed traffic from inside to outside (the NO NAT-CONTROL
privileged command at the ASA CLI), and allow some traffic from outside to
reach your internal network. It used to be mandatory, as older versions use NAT
to communicate between any interfaces.
B) Create an "identity" NAT process from inside to outside. You "announce"
the same IP address using NAT outside to create the "PIPE" of the NAT process.
If you are thinking of allowing any traffic to your internal network you can do
it, but after that start applying to other positions, because you will be fired
from your actual job ;))
Hth
Robclav
robclavbcn.blogspot.com
www.kubsolutions.com
2010/10/21 sameer inam <i_sameer_at_hotmail.com>
How do I make my inside IP accessible from outside on an ASA FW 5505? BTW my
inside IP is also a public IP from the ISP /29 subnet. Please advise?
Received on Thu Oct 21 2010 - 12:23:09 ART