Cisco ASA & NAT
Hello to all,
This is my first post to the forum so forgive me if my question has been already answered.
I have an ASA 5510:
Ext if (outside) = 172.16.10.250/24
Int if (inside) = 192.168.1.1/24
There is a web server on my LAN with IP address 192.168.1.2.
www server = 192.168.1.2/24
What I want to do is this:
I want to permit specific clients to be able to access my www server through its real IP address (192.168.1.2), and for everyone else I want my www server to be accessible through the IP 172.16.10.251.
nat-control is not enabled on the ASA (and I don't want to enable it since it separates different LAN networks).
I have tried with the below config but with no luck:
access-list twww extended permit ip host 192.168.1.2 host 172.16.10.248
access-list twww extended permit ip host 192.168.1.2 host 172.16.10.247
access-list tany extended permit ip host 192.168.1.2 any
static (inside,outside) 192.168.1.2 access-list twww
static (inside,outside) 172.16.10.251 access-list tany
Help will be appreciated.
Thanks.
Comments
M4verick
There are several ways you could probably go about achieving this. The quickest way I could think of would be to apply an access-list that first allows the specific IP addresses to access the server and the NAT'ed IP address, and leave it at the end to deny the rest of the traffic.
Then on your second access list that would be applied to the NAT, first deny those IP addresses you specified in your first access list, then allow all others. This would in effect only deny the specific IP addresses from being NAT'ed, not from reaching the destination.
So, setting up your lab, take the interface on the router for the 192.168.1.0/24 network and set that to nat outside, then the 172.16.10.0/24 network and nat inside.
Standard access list 1 -
permit 172.16.10.248
permit 172.16.10.247
permit 192.168.1.1
Standard access list 2 -
deny 172.16.10.248
deny 172.16.10.247
permit any
Apply Access List 1 outbound for the 192.168.1.0/24 interface.
Apply Access List 2 to the nat -
ip nat inside source list 2 interface '(type/number for 192.168.1.0/24 interface)' overload
Isn't it funny how after you have the certifications, you don't care about sharing them as much?
h04x0r
Traffic flows like this:
CLIENTS-->(EXT-172.16.10.250)-ASA-(INT-192.168.1.1)-->WEB_SERVER(192.168.1.2)
There is no router in place. I understand your configuration but it isn't what I want to do.
As I said in my 1st post, I want specific clients (clients are located on the 172.16.10.0/24 network) to be able to access my web server through its REAL (192.168.1.2) IP address ONLY, and anyone else (on the same subnet, 172.16.10.0/24) should access my web server through 172.16.10.251 only.
I hope this makes sense.
Thanks.
Sirsamon
Hi,
Well, I just started messing with ASA.
My issue was ASA behind a 1721 with PPPoA.
Anyway, this site was great:
Sitemap | CiscoTips
Also a book called
Cisco ASA Configuration, publisher McGraw Hill.
And let's not pass the official guide on the Cisco web site.
h04x0r
(quoting M4verick's reply above)
Thank you for your answer, but your example doesn't apply to my scenario.
APA
You should just need
static (inside,outside) 172.16.10.251 192.168.1.2 netmask 255.255.255.255
This will NAT traffic that is directed from the outside interface to 172.16.10.251 to 192.168.1.2.
Then have explicit traffic rules to allow outside hosts to hit 172.16.10.251.
Internal hosts shouldn't need any NAT rules, as they seem to be on the same LAN segment from what you've provided. They can just access 192.168.1.2 as is. If you want to lock it down then that's up to you, I suppose.
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
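Putting APA's static together with the explicit traffic rules he mentions, as an added example that is not from the thread, in pre-8.3 ASA syntax to match the static command used above. The ACL name www_outside_in is my own choice, and the direct path to 192.168.1.2 for the two listed clients assumes they have a route for 192.168.1.0/24 via 172.16.10.250, which the thread does not confirm.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! One-to-one static NAT: outside hosts reach 192.168.1.2 as 172.16.10.251.
static (inside,outside) 172.16.10.251 192.168.1.2 netmask 255.255.255.255
!
! Explicit traffic rules for the outside interface. Pre-8.3, an inbound
! ACL on the outside interface matches the MAPPED address (172.16.10.251).
! Only HTTP is permitted; anything not listed hits the implicit deny at the
! end of the ACL, so the server is not exposed beyond port 80.
!
! The two listed clients must use the real address ONLY, so they are
! denied the mapped address first (ACL entries are evaluated top-down).
access-list www_outside_in extended deny tcp host 172.16.10.248 host 172.16.10.251 eq www
access-list www_outside_in extended deny tcp host 172.16.10.247 host 172.16.10.251 eq www
!
! Everyone else reaches the server through the mapped address.
access-list www_outside_in extended permit tcp any host 172.16.10.251 eq www
!
! Direct path to the real address for the two clients. No translation is
! needed because nat-control is disabled; assumption: these clients have a
! route for 192.168.1.0/24 pointing at 172.16.10.250.
access-list www_outside_in extended permit tcp host 172.16.10.248 host 192.168.1.2 eq www
access-list www_outside_in extended permit tcp host 172.16.10.247 host 192.168.1.2 eq www
!
access-group www_outside_in in interface outside
!
! Checks: confirm the translation exists and trace a sample connection
! from an ordinary client (constructed address 172.16.10.100) to the mapped IP.
! show xlate
! packet-tracer input outside tcp 172.16.10.100 12345 172.16.10.251 80
```

Run the packet-tracer check a second time with 172.16.10.248 as the source to confirm that client is dropped at the ACL for the mapped address but allowed for 192.168.1.2.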