[c-nsp] NAT and PAT on ASA

Ryan West rwest at zyedge.com
Wed Jul 22 08:26:03 EDT 2009


Kiran,

That looks like the default.  You had mentioned SIP in your ACL, so that's why I brought this up.  If you're doing PAT-based SIP, you may have to disable the SIP inspection, depending on who your SIP provider is.

Otherwise, you should be good to go.

-ryan

-----Original Message-----
From: Oddiraju, Kiran @ London SMC [mailto:Kiran.Oddiraju at cbre.com] 
Sent: Wednesday, July 22, 2009 7:25 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

Hi Ryan,

I have the config below in the protocol inspection rules; do you think
this is enough?

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!


Many thanks,
Kiran

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: 22 July 2009 09:47
To: Oddiraju, Kiran @ London SMC
Cc: cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

Kiran,

That's right.  If you run into issues trying to pass SIP through your
firewall, you may need to look at the default service policy.  There are
some protocol inspection rules enabled by default that might affect the
passing of SIP traffic.

-ryan

-----Original Message-----
From: Oddiraju, Kiran @ London SMC [mailto:Kiran.Oddiraju at cbre.com] 
Sent: Wednesday, July 22, 2009 4:38 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

Hey Ryan,

That seems to be working, thanks. So if I want to allow more ports, we do
it the same way, right?

access-list myaccesslist ext permit tcp any host 58.66.76.88 eq sip
access-list myaccesslist ext permit udp any host 58.66.76.88 eq sip

Thanks,
Kiran


-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: 21 July 2009 19:48
To: Oddiraju, Kiran @ London SMC; cisco-nsp at puck.nether.net
Subject: RE: NAT and PAT on ASA

static (inside,outside) 58.66.76.88 192.168.0.100
show run access-group
Take note of the ACL applied to the outside interface; ACLs on the ASA are
inbound.
access-list <myaccesslist> ext permit icmp any host 58.66.76.88 echo
access-list <myaccesslist> ext permit tcp any host 58.66.76.88 eq www

-ryan
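The following is an added example for this thread, not code posted by Ryan or Kiran and not a Cisco tool. It parses the commands the exchange revolves around, the `static` translation, the `access-list ... extended` entries, the `access-group` binding Ryan tells Kiran to check, and the `inspect` lines of the global service policy discussed higher up the thread, and reports which inside host is reachable from the outside, on which ports and from which sources, plus whether `inspect sip` is still active once a SIP port has been published. The sample config is constructed from the lines in the thread; the ACL name `outside_in` and the `netmask` keyword on the static are assumptions.

```python
"""Audit an ASA (8.2-style) config for services published through static NAT.

Added example for this thread, not code from the thread or from Cisco. It
parses the commands the thread discusses: 'static', 'access-list ... extended',
'access-group' and the 'inspect' lines of the global service policy.
"""

# Constructed sample built from the commands posted in the thread. The ACL
# name 'outside_in' and the trailing 'netmask' on the static are assumptions.
SAMPLE_CONFIG = """
static (inside,outside) 58.66.76.88 192.168.0.100 netmask 255.255.255.255
access-list outside_in extended permit icmp any host 58.66.76.88 echo
access-list outside_in extended permit tcp any host 58.66.76.88 eq www
access-list outside_in extended permit tcp any host 58.66.76.88 eq sip
access-list outside_in extended permit udp any host 58.66.76.88 eq sip
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
  inspect icmp
"""


def _addr(tokens, i):
    """Consume one ACL address spec at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse(config):
    """Return (statics, acls, bindings, inspects) from an ASA config text."""
    statics, acls, bindings, inspects = [], {}, {}, set()
    for raw in config.splitlines():
        t = raw.split()
        if not t or "object-group" in t:   # object-group ACEs are out of scope here
            continue
        if t[0] == "static":
            # static (real_if,mapped_if) mapped_ip real_ip [netmask ...]
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": t[2], "real": t[3]})
        elif t[0] == "access-list" and t[2] in ("extended", "ext"):
            # access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE] [log]
            name, action, proto = t[1], t[3], t[4]
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            rest = t[i:]
            if len(rest) >= 2 and rest[0] == "eq":
                svc = rest[1]
            elif rest and rest[0] != "log":
                svc = rest[0]           # ICMP type such as 'echo'
            else:
                svc = "any"             # no port/type given: whole protocol
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "svc": svc})
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFACE
            bindings[t[4]] = (t[1], t[2])
        elif t[0] == "inspect":
            inspects.add(t[1])
    return statics, acls, bindings, inspects


def audit(config):
    """Map each inside host behind a static to the services permitted to it
    by the ACL applied inbound on the mapped interface (the pre-8.3 model the
    thread uses, where the ACL names the mapped/global address)."""
    statics, acls, bindings, inspects = parse(config)
    exposed = {}
    for s in statics:
        name, direction = bindings.get(s["mapped_if"], (None, None))
        if direction != "in":
            continue                    # no inbound ACL on that interface: nothing permitted
        for e in acls.get(name, []):
            if e["action"] == "permit" and e["dst"] in (s["mapped"], "any"):
                exposed.setdefault(s["real"], []).append((e["proto"], e["svc"], e["src"]))
    sip_published = any(svc == "sip" for rules in exposed.values() for _, svc, _ in rules)
    return {"exposed": exposed,
            "sip_published": sip_published,
            "sip_inspected": "sip" in inspects}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for real, rules in result["exposed"].items():
        for proto, svc, src in rules:
            print(f"{real}: {proto}/{svc} reachable from {src}")
    if result["sip_published"] and result["sip_inspected"]:
        print("SIP is published and 'inspect sip' is still active in the global policy;"
              " the thread notes this may need disabling for PAT-based SIP.")
```

Two caveats on the model: it follows the pre-8.3 convention used in this thread, where the inbound ACL on the outside interface matches the mapped (global) address; from ASA 8.3 onwards ACLs are written against the real (inside) address and the `static` command was replaced by object NAT, so the parser would need adjusting. It also treats every `inspect` line as belonging to the single global policy, which matches the default `global_policy` Kiran posted but not a config with per-interface service policies.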

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran
@ London SMC
Sent: Tuesday, July 21, 2009 2:09 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and PAT on ASA

Guys,

I am new to the ASA world, I have a bunch of external IPs from the ISP
and I have an inside host that I want to access externally. How do I
translate an inside ip (192.168.0.100) to an outside address
(58.66.76.88) on the ASA? I should be able to ping and www from outside
world to my inside host. Please let me know how to accomplish this.

Many thanks,

K


CB Richard Ellis Limited, Registered Office: St Martin's Court, 
10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032. 
Regulated by the RICS and an appointed representative of CB Richard Ellis 
Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority.

This communication is from CB Richard Ellis Limited or one of its 
associated/subsidiary companies. This communication contains information 
which is confidential and may be privileged. If you are not the intended recipient, 
please contact the sender immediately. Any use of its contents is strictly prohibited 
and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. 
Reasonable care has been taken to ensure that this communication 
(and any attachments or hyperlinks contained within it) is free from computer viruses. 
No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary 
companies and the recipient should carry out any appropriate virus checks.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/