Cisco ASA 5540 NAT Configuration – Outside to Inside Traffic

cisco-asanat;static-routes

This is for a test lab setup:

landing server(192.168.49.26)—(.49.25/29)Cisco6500(.49.1/29)—(49.2)Cisco ASA(x.x.55.81)—External

The C6500 is the core of the test lab to which the "landing server" with IP Address 192.168.49.26 is connected. The interface to which this server is connected has the IP 192.168.49.25/29. I have 2 more L2 switches connected to the Cisco 6500 on 2 VLANs, namely VLAN 10 and 11 and some computers connected to those L2 switches. The communication between the devices connected to Cisco6500 works fine.

The Cisco ASA firewall (inside interface IP 192.168.49.2) is connected to an interface on the Cisco6500 whose IP Address is 192.168.49.1/29. Again, the rest of the devices connected to the Cisco 6500 is able to reach the inside interface of the Cisco ASA.

The outside interface of the Cisco ASA has the IP x.x.55.81. The requirement is that users from the outside should be able to reach 192.168.49.26 (server IP) when they RDP to x.x.55.81. Once they reach this landing server, users will telnet or SSH to other devices and servers for their testing.

I am unable to get ASDM work on my machine and so my only option is CLI. But what route, NAT, etc do I need and what commands do I use. Please help.

Best Answer

ok you need free ip address from your offical net x.x.55.81. on the asa in global configuration mode (conf t) you had to create a static nat from inside to outside

static (inside,outside) x.x.55.81 192.168.49.26

after that you had to allow traffic to the server on the outside interface. with the commad

show run access-group

you get the acl name bind to the outside interface. you can allow traffic on the acl in global configuration mode for RDP access

access-list ACL-Name permit tcp any host x.x.55.81 eq 3389

or for a specified host

access-list ACL-Name permit tcp host a.b.c.d host x.x.55.81 eq 3389

or net

access-list ACL-Name permit tcp netaddress subnetmask host x.x.55.81 eq 3389

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Can you post the output of your log while trying to establish a vpn connection at the debugging level? (in the asdm go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

if you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

if you are testing on the same lan you would need to do this:

crypto map outside_map interface inside

Ugly i know but it'll let you test, then remove from the inside interface and you are good to go.

If that doesn't work, would you be willing put post your running config?

EDIT 2:

Ok, lets simplify this config a little. Try disconnecting the XP machine from the ASA. And also remove the 192.168.1.1 ip address and DHCP pool from the ASA. Then try to connect via the vpn.

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

The stock ASA configuration does not include support for PPTP passthrough by default -- crazy as to why. Cisco TAC likely gets a handful of cases related to this...

There are at most three things required to get PPTP working through an ASA

If server is behind ASA

Configure necessary NAT/PAT if using NAT/PAT (Optional but usually required)
ACL permit TCP/1723 to server/IP (whether real, mapped, or interface depends on ASA version)
Enable PPTP inspection
- Explicit ACL permit for GRE is not necessary

If client is behind ASA

Enable PPTP inspection

Server example

ASA outside interface IP 1.1.1.2/30
Server inside IP 10.0.0.10/24
Static PAT (port forwarding) TCP/1723 using ASA outside interface IP

ASA 8.3 and newer (with focus on objects)

object network hst-10.0.0.10
 description Server
 host 10.0.0.10
object network hst-10.0.0.10-tcp1723
 description Server TCP/1723 Static PAT Object
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 1723 1723

object-group service svcgrp-10.0.0.10 tcp
 port-object eq 1723

access-list outside_access_in extended permit tcp any object hst-10.0.0.10 object-group svcgrp-10.0.0.10-tcp
access-group outside_access_in in interface outside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

ASA 8.2 and prior

access-list outside_access_in extended permit tcp any interface outside eq 1723

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 1723 10.0.0.10 1723 netmask 255.255.255.255

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

Client example

Valid for all ASA OS versions

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect pptp

service-policy global_policy global

If these examples don't fit your scenario post your specifics and we can customize a config for you.

Best Answer

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Nat – PPTP pass through on Cisco ASA 5505 (8.2)

Related Topic