Allowing inside traffic to outside on ASA 5505

cisco-asanetworkingrouting

We have an ASA 5505 with an inside interface 10.22.33.0/24 and outside x.x.x.x/26. The inside ip's are obviously private and the outside ip's are public.

I've been able to set up a nat rule to route all requests to one of the public addresses to server1 with a private address 10.22.33.5. By adding this rule it allows server1 to get out to the internet too which is handy. So far so good.

What I'm struggling to do is to allow all inside ip's to get out to the internet. Does anyone know how I can achieve this?

Best Answer

If using the Cisco ASDM, you have an option to use the "Startup Wizard" while retaining your current configuration.

From the main ASDM window, select "Wizards" and "Startup Wizard..."

Choose "Modify existing configuration"... enter image description here

Step through the screens until you get to "Address Translation" page. For your setup, you want to use Port Address Translation (PAT). Use the firewall's outside interface IP. That means that all traffic not explicitly given a static NAT mapping (like your server) will be sourced out of the firewall's outside interface IP. You may need to delete your existing NAT rule before this will work. Re-add it after running the wizard.

Also see this tutorial.

Related Solutions

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

The stock ASA configuration does not include support for PPTP passthrough by default -- crazy as to why. Cisco TAC likely gets a handful of cases related to this...

There are at most three things required to get PPTP working through an ASA

If server is behind ASA

Configure necessary NAT/PAT if using NAT/PAT (Optional but usually required)
ACL permit TCP/1723 to server/IP (whether real, mapped, or interface depends on ASA version)
Enable PPTP inspection
- Explicit ACL permit for GRE is not necessary

If client is behind ASA

Enable PPTP inspection

Server example

ASA outside interface IP 1.1.1.2/30
Server inside IP 10.0.0.10/24
Static PAT (port forwarding) TCP/1723 using ASA outside interface IP

ASA 8.3 and newer (with focus on objects)

object network hst-10.0.0.10
 description Server
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 description Server TCP/1723 Static PAT Object
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723

object-group service svcgrp-10.0.0.10 tcp
 port-object eq 1723

access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

ASA 8.2 and prior

access-list outside_access_in extended permit tcp any interface outside eq 1723

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 1723 10.0.0.10 1723 netmask 255.255.255.255

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

Client example

Valid for all ASA OS versions

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

If these examples don't fit your scenario post your specifics and we can customize a config for you.

Cisco ASA Redirect all traffic from specific outside hosts to specific inside host

Turns out the Answer to this was to simply create a NAT Rule that forwarded all traffic to my pbx from the outside, ACL would block any unwanted traffic, then any other services i provide on the outside simply have a static rule that point to them for example web services.

Best Answer

Related Solutions

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

Cisco ASA Redirect all traffic from specific outside hosts to specific inside host

Related Topic