This is for a test lab setup:

landing server(192.168.49.26)---(.49.25/29)Cisco6500(.49.1/29)---(49.2)Cisco ASA(x.x.55.81)---External

The C6500 is the core of the test lab to which the "landing server" with IP address 192.168.49.26 is connected. The interface to which this server is connected has the IP 192.168.49.25/29. I have 2 more L2 switches connected to the Cisco 6500 on 2 VLANs, namely VLAN 10 and 11, and some computers connected to those L2 switches. The communication between the devices connected to the Cisco 6500 works fine.

The Cisco ASA firewall (inside interface IP 192.168.49.2) is connected to an interface on the Cisco 6500 whose IP address is 192.168.49.1/29. Again, the rest of the devices connected to the Cisco 6500 are able to reach the inside interface of the Cisco ASA.

The outside interface of the Cisco ASA has the IP x.x.55.81. The requirement is that users from the outside should be able to reach 192.168.49.26 (server IP) when they RDP to x.x.55.81. Once they reach this landing server, users will telnet or SSH to other devices and servers for their testing.

I am unable to get ASDM to work on my machine and so my only option is the CLI. But what route, NAT, etc. do I need and what commands do I use? Please help.

Bill the Lizard
  • What ASA version do you use? – user1008764 Sep 17 '12 at 17:33
  • It is a Cisco ASA 5540 with 7.0 IOS – DonThomasJacob Sep 17 '12 at 17:36
  • You are wanting to do port address translation, but we can't help you with the commands with the ASA software version number. You should try to learn it yourself though, Cisco has some good example configurations that show exactly what you want to do on their website. – Bad Dos Sep 17 '12 at 17:37
  • The users connect using the IP address alone and no port numbers. Instead of the exact commands, can you tell me what needs to be done? Like, NAT from where to where, if static NAT is needed, etc. – DonThomasJacob Sep 17 '12 at 17:43

1 Answer

OK, you need a free IP address from your official net x.x.55.81. On the ASA in global configuration mode (conf t) you have to create a static NAT from inside to outside:

static (inside,outside) x.x.55.81 192.168.49.26

After that you have to allow traffic to the server on the outside interface. With the command

show run access-group 

you get the ACL name bound to the outside interface. You can allow traffic on the ACL in global configuration mode for RDP access:

access-list ACL-Name permit tcp any host x.x.55.81 eq 3389

or for a specified host

access-list ACL-Name permit tcp host a.b.c.d host x.x.55.81 eq 3389

or for a network:

access-list ACL-Name permit tcp netaddress subnetmask host x.x.55.81 eq 3389
user1008764
  • Thanks a lot. Let me try this in the lab now and come back to ask more doubts. I really appreciate your help and will come back to rate the answer. – DonThomasJacob Sep 17 '12 at 17:53
  • OK. I set this up as you said. I did not have any access-lists or groups and hence only the static NAT. For the test, what I now have is the IP 192.168.55.81/24 on the outside interface to which a laptop is connected. The laptop IP is 192.168.55.82 with gateway 55.81. I can ping the hosts and L2 switches on the 6500 from the ASA firewall console. I can also ping the laptop 192.168.55.82 connected to outside from the ASA console. But I still cannot ping any of the IPs on the Cisco 6500 from this laptop. – DonThomasJacob Sep 18 '12 at 10:18
  • You have to route VLAN 10 and 11 on the ASA to inside: route (inside) network subnetmask gateway. I answered a question like yours in May; have a look at http://serverfault.com/questions/392730/cisco-asa-5505-voice-data-vlans-not-pinging-routing/392734#392734. If you have further trouble implementing it then please post the ASA config here. – user1008764 Sep 18 '12 at 12:40
  • Thanks a lot. Will get back to you after I do the experiments. – DonThomasJacob Sep 18 '12 at 13:55
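
The pieces discussed in the answer and its comments (static NAT, the outside ACL bound with access-group, and return routes for the networks behind the 6500) put together as one pre-8.3 (7.x-style) ASA configuration. This is an added example, not the answerer's or the asker's configuration. Interface names, the outside mask and next hop, the VLAN 10/11 subnets and the management host a.b.c.d are placeholders. Because x.x.55.81 is the outside interface's own address (the thread's users connect to it directly), the example uses the port-level static with the interface keyword instead of a one-to-one static, and it permits RDP only from a single source host rather than from any.

```text
! Added example configuration (ASA 7.x / pre-8.3 syntax).
! Interface names, masks, next hop, VLAN subnets and a.b.c.d are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.55.81 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.49.2 255.255.255.248
!
! Default route to the external next hop (placeholder address).
route outside 0.0.0.0 0.0.0.0 x.x.55.NEXTHOP 1
! Return routes for everything behind the 6500 via 192.168.49.1:
! the landing-server segment (192.168.49.24/29) and the VLAN 10/11 subnets.
route inside 192.168.49.24 255.255.255.248 192.168.49.1 1
route inside VLAN10_NETWORK VLAN10_MASK 192.168.49.1 1
route inside VLAN11_NETWORK VLAN11_MASK 192.168.49.1 1
!
! x.x.55.81 is the outside interface address, so translate only TCP/3389
! to the landing server with the "interface" keyword (port static) rather
! than a one-to-one static on the interface IP.
static (inside,outside) tcp interface 3389 192.168.49.26 3389 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped (outside) address. Permit RDP only from the
! management host a.b.c.d; everything else hits the implicit deny.
access-list OUTSIDE-IN extended permit tcp host a.b.c.d host x.x.55.81 eq 3389
access-group OUTSIDE-IN in interface outside
!
! Checks after applying:
!   show run static
!   show run access-group
!   show access-list OUTSIDE-IN
!   show xlate
```

With this in place, `show access-list OUTSIDE-IN` shows the hit count climbing as a.b.c.d connects, and `show xlate` shows the 192.168.49.26:3389 to x.x.55.81:3389 translation. Note that the ACL only exposes TCP/3389; the ping test described in the comments from a laptop on the outside is not permitted by this ACL (ICMP from a lower to a higher security interface is denied unless explicitly allowed), so a failed ping from outside does not by itself mean the NAT or the routes are wrong.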