Question for you Cisco ASA/router experts out there

Andrew Hodgson

30 Jun 2008 30 Jun '08

4:34 p.m.

Hi all, I am trying to reconfigure my network so that it meets the following requirements: At present I have 2 sets of public IP addresses. I have a block of 2 addresses (/30), which is used for the inside address of the router, and the outside address of the firewall. I have another block of /28 (14 usable addresses), which is the inside of the firewall. There is no NAT. What I want to do is to get rid of the /30, and use one of the IP addresses in the /28 as the inside address of the Internet router, and then the firewall has the rest for the outside network. I will have an internal (inside) IP range of 192.168.1.x, and the firewall will NAT everything going out on that connection to the outside interface (using one IP address). I will have servers (specific IP addresses) on the inside network which I want natted to other static IP addresses on the outside network. There will be static NAT statements which do the same as port forwarding, but I want any connection that these machines make to come from specific external IP addresses. Here is my sketch configuration illustrating this. Will it work, or do I need to use policy NAT with ACLs? Thanks. Andrew. Router (Cisco 837) interface Ethernet0 ip address xx.xx.xx.209 255.255.255.240 interface Dialer0 ip address negotiated (receives WAN static) Firewall (ASA 5505) interface vlan2 nameif outside security-level 0 ip address xx.xx.xx.210 255.255.255.240 interface vlan1 nameif inside ip address 192.168.1.1 255.255.255.0 security-level 100 global (outside) 1 interface global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240 nat (inside) 1 0 0 route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1 (can this go in the outside interface definition?) access-group outside_access_in in interface outside access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25 static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240 Thanks. Andrew.

Show replies by date

Sean Murphy

3 Jul 3 Jul

11:54 a.m.

New subject: Question for you Cisco ASA/router experts outthere

Andrew, I assume the external /30 public subnet has been assigned from your ISP. The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External public address. This has to be done and could cost. Configure the internal interface for the LAN as you want it. The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure this. You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained. Natting under Cisco isn't something I have done yet. Sean

Andrew Hodgson

1:35 p.m.

New subject: Question for you Cisco ASA/router experts outthere

Hi, I have corrected the config statements:

...

...
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

Needs to be changed to:

...

...
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25

Then have this:

...

...
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

The nat statements should just be this:

...

...
global (outside) 1 interface nat (inside) 1 0 0

The only thing I need to test is whether I need to have static statements to allow me to have NAT translations both ways - currently this is from the outside to inside, but I may need additional translations from the inside to the outside also. Thanks. Andrew. -----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 03 July 2008 12:55 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router experts outthere Andrew, I assume the external /30 public subnet has been assigned from your ISP. The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External public address. This has to be done and could cost. Configure the internal interface for the LAN as you want it. The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure this. You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained. Natting under Cisco isn't something I have done yet. Sean _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins -- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88. Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

Sean Murphy

9:45 p.m.

New subject: Question for you Cisco ASA/router expertsoutthere

Hi, How to handle the return traffic under NAT should be done by the router, not your config. Let me do some research and get back to you on the other questions. Sean ----- Original Message ----- From: "Andrew Hodgson" To: "blind-sysadmins" Sent: Thursday, July 03, 2008 11:35 PM Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere

...

Hi,

I have corrected the config statements:

...
...
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

Needs to be changed to:

...
...
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25

Then have this:

...
...
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

The nat statements should just be this:

...
...
global (outside) 1 interface nat (inside) 1 0 0

The only thing I need to test is whether I need to have static statements to allow me to have NAT translations both ways - currently this is from the outside to inside, but I may need additional translations from the inside to the outside also.

Thanks. Andrew.

-----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 03 July 2008 12:55 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router experts outthere

Andrew,

I assume the external /30 public subnet has been assigned from your ISP.

The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External

public address. This has to be done and could cost.

Configure the internal interface for the LAN as you want it.

The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure this. You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained.

Natting under Cisco isn't something I have done yet.

Sean

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

-- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net

This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

Sean Murphy

4 Jul 4 Jul

3:09 a.m.

New subject: Question for you Cisco ASA/router expertsoutthere

Andrew, It sounds you have enough knowledge of Cisco commands without me giving you the actual steps. So I shall provide you with general terms: DNAT (Destination Network Address Translation) External interface destination address plus port going to Internal interface address plus internal port. The server receiving the Natted traffic shall still have the source address of the sender. The default route should handle the return traffic and the router should perform the reverse NAT. What you posted looks fine to me and I do not think you require a reverse NAT rule. Sean ----- Original Message ----- From: "Andrew Hodgson" To: "blind-sysadmins" Sent: Thursday, July 03, 2008 11:35 PM Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere

...

Hi,

I have corrected the config statements:

...
...
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

Needs to be changed to:

...
...
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25

Then have this:

...
...
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

The nat statements should just be this:

...
...
global (outside) 1 interface nat (inside) 1 0 0

The only thing I need to test is whether I need to have static statements to allow me to have NAT translations both ways - currently this is from the outside to inside, but I may need additional translations from the inside to the outside also.

Thanks. Andrew.

-----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 03 July 2008 12:55 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router experts outthere

Andrew,

I assume the external /30 public subnet has been assigned from your ISP.

The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External

public address. This has to be done and could cost.

Configure the internal interface for the LAN as you want it.

The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure this. You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained.

Natting under Cisco isn't something I have done yet.

Sean

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

-- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net

This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

Andrew Hodgson

7:05 a.m.

New subject: Question for you Cisco ASA/router expertsoutthere

...

Hi,

I have corrected the config statements:

...
...
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

Needs to be changed to:

...
...
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25

Then have this:

...
...
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

The nat statements should just be this:

...
...
global (outside) 1 interface nat (inside) 1 0 0

The only thing I need to test is whether I need to have static statements to allow me to have NAT translations both ways - currently this is from the outside to inside, but I may need additional translations from the inside to the outside also.

Thanks. Andrew.

-----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 03 July 2008 12:55 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router experts outthere

Andrew,

I assume the external /30 public subnet has been assigned from your ISP.

The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External

public address. This has to be done and could cost.

Configure the internal interface for the LAN as you want it.

The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure

Hi, Another thing I realised after posting this was that in the NAT statements, all bits must be set in the subnet mask as we are addressing a single host. I will let you know how it goes after I do the work - won't be for a while though. Thanks. Andrew. -----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 04 July 2008 04:10 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere Andrew, It sounds you have enough knowledge of Cisco commands without me giving you the actual steps. So I shall provide you with general terms: DNAT (Destination Network Address Translation) External interface destination address plus port going to Internal interface address plus internal port. The server receiving the Natted traffic shall still have the source address of the sender. The default route should handle the return traffic and the router should perform the reverse NAT. What you posted looks fine to me and I do not think you require a reverse NAT rule. Sean ----- Original Message ----- From: "Andrew Hodgson" To: "blind-sysadmins" Sent: Thursday, July 03, 2008 11:35 PM Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere this.

...

You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained.

Natting under Cisco isn't something I have done yet.

Sean

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

-- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net

This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins -- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88. Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

Sean Murphy

7:36 a.m.

New subject: Question for you Cisco ASA/routerexpertsoutthere

Andrew, Go to this site for more ifnormation which explains it better and provides the information you are seeking. http://articles.techrepublic.com.com/5100-10878_11-1039094.html Sean ----- Original Message ----- From: "Andrew Hodgson" To: "blind-sysadmins" Sent: Friday, July 04, 2008 5:05 PM Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/routerexpertsoutthere

...

Hi,

Another thing I realised after posting this was that in the NAT statements, all bits must be set in the subnet mask as we are addressing a single host.

I will let you know how it goes after I do the work - won't be for a while though.

Thanks. Andrew.

-----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 04 July 2008 04:10 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere

Andrew,

It sounds you have enough knowledge of Cisco commands without me giving you the actual steps. So I shall provide you with general terms:

DNAT (Destination Network Address Translation) External interface destination address plus port going to Internal interface address plus internal port. The server receiving the Natted traffic shall still have the source address of the sender. The default route should handle the return traffic and the router should perform the reverse NAT.

What you posted looks fine to me and I do not think you require a reverse NAT rule.

Sean

----- Original Message ----- From: "Andrew Hodgson" To: "blind-sysadmins" Sent: Thursday, July 03, 2008 11:35 PM Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router expertsoutthere

...
Hi,

I have corrected the config statements:

...
...
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

Needs to be changed to:

...
...
access-list outside_access_in extended permit tcp any host xx.xx.xx.211 eq 25

Then have this:

...
...
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

The nat statements should just be this:

...
...
global (outside) 1 interface nat (inside) 1 0 0

The only thing I need to test is whether I need to have static statements to allow me to have NAT translations both ways - currently this is from the outside to inside, but I may need additional translations from the inside to the outside also.

Thanks. Andrew.

-----Original Message----- From: Sean Murphy [mailto:mhysnm1964@gmail.com] Sent: 03 July 2008 12:55 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Question for you Cisco ASA/router experts outthere

Andrew,

I assume the external /30 public subnet has been assigned from your ISP.

The other /30 Public Address you own? If this is the case, then you can ask the ISP to route the current internal /30 Public subnet to your External

public address. This has to be done and could cost.

Configure the internal interface for the LAN as you want it.

The WAN (External) Interface should be configured for the current External Public IP Address. Cisco can have a secondary and third address. I need to verify this, but I don't think you would be required to configure this. You should have a static route which sends all traffic out your WAN port. So the correct route path is maintained.

Natting under Cisco isn't something I have done yet.

Sean

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

-- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net

This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

-- allpay.net Limited, Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, HR1 3SE. Registered in England No. 02933191. UK VAT Reg. No. 666 9148 88.

Telephone: 0870 243 3434, Fax: 0870 243 6041. Website: www.allpay.net Email: enquiries@allpay.net

This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom it is addressed. If you have received this email in error please notify the allpay.net Information Security Manager at the number above.

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/mailman/listinfo/blind-sysadmins

5918

Age (days ago)

5922

Last active (days ago)

List overview

Download

6 comments

3 participants

participants (3)

Andrew Hodgson
Andrew Hodgson
Sean Murphy