Cisco ASA & NAT

Hello to all,

This is my first post to the forum so forgive me if my question has been already answered.

I have an asa 5510:

Ext if (outside) = 172.16.10.250/24
Int if (inside) = 192.168.1.1/24

there is a web server on my lan with ip address 192.168.1.2.

www server = 192.168.1.2/24

What i want to do is this :

I want to permit from specific clients to be able to access my www server through its real ip address (192.168.1.2) and for everyone else i want my www server to be accessible through the ip 172.16.10.251.

nat-control is not enabled on the ASA ( and i don't want to enable it since it separates different LAN networks)

I have tried with the below config but with no luck :

access-list twww extended permit ip host 192.168.1.2 host 172.16.10.248
access-list twww extended permit ip host 192.168.1.2 host 172.16.10.247

access-list tany extedend permit ip host 192.168.1.2 any

static(inside,outside) 192.168.1.2 access-list twww
static(inside,outside) 172.16.10.251 access-list tany

Help will be appreciated

Thanks.

Find more posts tagged with

Comments

M4verick

There's several ways you could probably go about achieving this. The quickest way I could think of would be to apply an access-list that first allows the specific IP addresses to access the server and the NAT'ed IP address, and leave it at the end to deny the rest of the traffic.

Then on your second access list that would be applied to the NAT, first deny those IP addresses you specified in your first access list, then allow all others. This would in effect only deny the specific IP addresses from being NAT'ed, not from reaching the destination.

So, setting up your lab, take the interface on the router for the 192.168.1.0/24 network and set that to nat outside, then the 172.16.10.0/24 network and nat inside.

Standard access list 1 -
permit 172.16.10.248
permit 172.16.10.247
permit 192.168.1.1

Standard access list 2 -
deny 172.16.10.248
deny 172.16.10.247
permit any

Apply Access List 1 outbound for the 192.168.1.0/24 interface.
Apply Access List 2 to the nat -
ip nat inside source list 2 interface '(type/number for 192.168.1.0/24 interface)' overload

h04x0r

Traffic flows like this :

CLIENTS-->(EXT-172.16.10.250)-ASA-
(INT-192.168.1.1)-->WEB_SERVER(192.168.1.2)

There is no router in place. I understand your configuration but it isn't what i want to do.

As i said in my 1st post i want specific clients (clients are located to 172.16.10.0/24 network) to be able access my web server through its REAL(192.168.1.2) ip address ONLY and anyone else (on the same subnet,172.16.10.0/24) should access my web server through 172.16.10.251 only.

I hope this makes sense.

Thanks.

Sirsamon

Hi,

Well i just started messing with ASA.

My issue was ASA behind a 1721 with PPPoA

anyways this site was great.

Sitemap | CiscoTips

also a book called,

Cisco ASA Configuration = publisher McGraw Hill.

and lets not pass the official guide on the Cisco web site.

h04x0r

M4verick wrote: »

There's several ways you could probably go about achieving this. The quickest way I could think of would be to apply an access-list that first allows the specific IP addresses to access the server and the NAT'ed IP address, and leave it at the end to deny the rest of the traffic.

Then on your second access list that would be applied to the NAT, first deny those IP addresses you specified in your first access list, then allow all others. This would in effect only deny the specific IP addresses from being NAT'ed, not from reaching the destination.

So, setting up your lab, take the interface on the router for the 192.168.1.0/24 network and set that to nat outside, then the 172.16.10.0/24 network and nat inside.

Standard access list 1 -
permit 172.16.10.248
permit 172.16.10.247
permit 192.168.1.1

Standard access list 2 -
deny 172.16.10.248
deny 172.16.10.247
permit any

Apply Access List 1 outbound for the 192.168.1.0/24 interface.
Apply Access List 2 to the nat -
ip nat inside source list 2 interface '(type/number for 192.168.1.0/24 interface)' overload

Thank you for your answer but your example doesn't apply for my scenario.

APA

you should just need

static (inside,outside) 172.16.10.251 192.168.1.2 netmask 255.255.255.255

This will nat traffic that is directed from the outside interface to 172.16.10.251 to 192.168.1.2.

then have explicit traffic rules to allow outside hosts to hit 172.16.10.251

Internal hosts shouldn't need any NAT rules.... as they seems to be on the same LAN segment from what you've provided? They can just access 192.168.1.2 as is.... if you want to lock it down then that's up to you I spose.