Allow traffic inside to outside

Hi
One host on the inside network needs to access a customized application hosted on the Internet. It's a customized application that runs on ports 80, 443, 5000-to-50020.
How do I allow this host access for this specific application? I have an ASA 5510 and the host is in the inside network; we also have an ACL on the inside interface for control.
Host IP on inside network  - 172.16.30.15
Application to access - 74.219.x.x
Inside ACL name - inside-acl
cheers
Paul

I would apply this to the inside interface. Now, I have no idea what specific entries you have on
your inside access list, so I'll write it, as if it's a brand new configuration.
object-group service Ports tcp
 port-object eq www
 port-object eq https
 port-object range 5000 50020
access-list inside_access_in permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 object-group Ports
access-list inside_access_in deny ip host 172.16.30.15 any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
This will allow host 172.16.30.15 tcp access to 74.219.x.x on the specific ports, then all other IP traffic
will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else
is wide open outbound.
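
Added example (not part of the original thread): a small Python model of how the three access-list lines above are evaluated top-down, first match wins, and why their order matters. It assumes the Ports object-group holds the ports from the question (80, 443, 5000-50020); the destination 74.219.10.20, the second inside host and the function names are constructed for illustration, and the shadowing check goes slightly beyond what the post covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = Tuple[Tuple[int, int], ...]

# Ports named in the question: 80, 443 and 5000-50020 (assumed content of "Ports").
PORTS: PortRanges = ((80, 80), (443, 443), (5000, 50020))
ANY = ipaddress.ip_network("0.0.0.0/0")
HOST = ipaddress.ip_network("172.16.30.15/32")
APP_NET = ipaddress.ip_network("74.219.0.0/16")


@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp", ... or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[PortRanges] = None  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.dports is None:
            return True
        return dport is not None and any(lo <= dport <= hi for lo, hi in self.dports)

    def covers(self, other: "Ace") -> bool:
        """True if every packet matching `other` also matches this entry.
        Port ranges are compared one-to-one, so the check is conservative."""
        proto_ok = self.proto in ("ip", other.proto)
        ports_ok = self.dports is None or (
            other.dports is not None
            and all(any(lo <= a and b <= hi for lo, hi in self.dports)
                    for a, b in other.dports))
        return (proto_ok and ports_ok
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


# The three entries from the answer, in the order given.
INSIDE_ACCESS_IN: List[Ace] = [
    Ace("permit", "tcp", HOST, APP_NET, PORTS),
    Ace("deny", "ip", HOST, ANY),
    Ace("permit", "ip", ANY, ANY),
]

# Same entries with the host deny moved to the top (an ordering mistake).
REORDERED: List[Ace] = [INSIDE_ACCESS_IN[1], INSIDE_ACCESS_IN[0], INSIDE_ACCESS_IN[2]]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line) of the first matching entry, lines counted from 1.
    Falling off the end hits the implicit deny, reported as line 0."""
    for n, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, n
    return "deny", 0


def shadowed(acl):
    """Line numbers of entries that can never match because an earlier one covers them."""
    return [j + 1 for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("tcp", "172.16.30.15", "74.219.10.20", 443),
        ("tcp", "172.16.30.15", "74.219.10.20", 50021),
        ("udp", "172.16.30.15", "74.219.10.20", 5000),
        ("tcp", "172.16.30.15", "198.51.100.7", 443),
        ("tcp", "172.16.30.16", "198.51.100.7", 22),
    ]
    for flow in flows:
        print(flow, "->", evaluate(INSIDE_ACCESS_IN, *flow))
    print("shadowed lines, original order:", shadowed(INSIDE_ACCESS_IN))
    print("shadowed lines, deny moved first:", shadowed(REORDERED))
```

The last flow shows the effect of the closing permit ip any any: every other inside host keeps unrestricted outbound access, so only 172.16.30.15 is actually constrained by this list.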

Similar Messages

  • ASA 5510 traffic from inside to outside

    Hello,
    I'm working on a basic configuration of a 5510 ASA.
    inside network of 192.168.23.0 /24
    outside network 141.0.x.0 /24
    config is as follows:
    interface Ethernet0/0
     nameif OUTSIDE
     security-level 0
     ip address 141.0.x.0 255.255.255.0
    interface Ethernet0/1
     nameif INSIDE
     security-level 50
     ip address 192.168.23.1 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list OUTSIDE_access_in extended permit icmp any any
    access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
    access-list INSIDE_access_in extended permit icmp any any
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.23.0 255.255.255.0
    access-group OUTSIDE_access_in in interface OUTSIDE
    access-group INSIDE_access_in in interface INSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
    In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
    I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
    So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
    Any ideas please?

    Version of FW:
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.3(1)
    Output of Packet-Trace Command is:
    SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   141.0.x.0      255.255.255.0   OUTSIDE
    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INSIDE_access_in in interface INSIDE
    access-list INSIDE_access_in extended permit icmp any any
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 104, untranslate_hits = 0
    Additional Information:
    Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (INSIDE) 0 192.168.23.0 255.255.255.0
      match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
        identity NAT translation, pool 0
        translate_hits = 107, untranslate_hits = 0
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 141, packet dispatched to next module
    Result:
    input-interface: INSIDE
    input-status: up
    input-line-status: up
    output-interface: OUTSIDE
    output-status: up
    output-line-status: up
    Action: allow

  • How to allow some fixed extension go in from outside to inside but not allow go from inside to outside

    how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
    for example, allow JPEG, MOV, AVI data flow from outside to inside
    but not allow JPEG, MOV, AVI files to be accessed, uploaded or fetched by outside, in other words not from inside to outside
    how to configure?

    Hi,
    The ZBF link sent earlier shows how we can inspect the URI in an HTTP request
    parameter-map type regex uri_regex_cm
       pattern ".*cmd.exe"
    class-map type inspect http uri_check_cm
       match request uri regex uri_regex_cm
    ZBF is the feature on Cisco routers and ASA, though the concepts are a little the same but it works differently. However, it is important that you can be more granular with the protocol (layer 7) inspection only. For example, on an ASA, if you try to restrict .exe files from a p2p application, that won't be possible, but on a router you have some applications for p2p in NBAR and you can use it for file filtering. Please check the configuration examples for both devices.
    Thanks

  • Controlling ASA outbound (inside to outside) traffic

    Hello There,
    I have been having trouble controlling all the traffic passing from inside to outside. We already have Websense integrated with the ASA 5520. Please help me by providing details on the following:
    1. Traditional method by putting ACL on inside port (what things need to be blocked)
    2. Any special/standard configuration of inside ACL
    3. What other ways or methods are implemented.
    Please help somebody.....  :-)

    What exactly do you want to do on the firewall with those access lists?
    Here's a link that explains how to use Access-lists on an ASA.
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html

  • ASA5505 Can't pass traffic between inside (private) & outside (private)

    10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
    Goal:
    10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other.  Current config is any/any for troubleshooting.
    Example:
    10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails.  Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
    Question:
    What am I doing wrong?
    : Saved
    ASA Version 8.2(5)
    hostname SJ-HostB-ASA
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.15.50.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.60.15.253 255.255.255.252
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 30
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.15.50.243 source inside
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    asdm image disk0:/asdm-645.bin
    no asdm history enable

    Hi,
    You can only PING / ICMP an ASA interface from behind that same interface.
    So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through a VPN connection and you use the "management-access" command. But this doesn't apply to your situation.
    You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
    So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
    You don't seem to have "nat-control" enabled, so all traffic should be able to pass through the ASA without translation. So NAT shouldn't be a problem.
    You can also add the following configurations
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    - Jouni

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:
    <redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30
    The Twice NAT is good, ACLs are good.
    Do the following and provide us the result
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • ASA 5505 unable to connect inside or outside

    Hello,
    I'm extremely new to router configurations, and am attempting to configure a backup ASA 5505 to use as a temporary access point in the event that our main ASA becomes unavailable. What I have done is loaded the running config from our main ASA onto the backup, and have made changes to necessary routes, IPs, etc. I can connect to it from a remote computer without problem, but I cannot access any of our servers, nor can I access the internet. I have also tried modifying the access list and NAT rules every which way from Sunday, but I still cannot get this thing to allow any information through. I keep getting "failed to locate egress interface for UDP from outside" errors.
    We are using Cisco AnyConnect to connect, and mind you, since the config for this backup ASA was taken from our main, it still has the original certificate info and profiles. I was told that this wouldn't matter, but I thought I should mention it in case I need to remove any of it from the config.
    Here is part of the config file. I took out some information, but tried to keep it understandable. If anyone could point me in the right direction, it would be greatly appreciated!
    ciscoasa# show running-config
    : Saved
    : Serial Number: xxxxxxxxxxx
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)
    hostname ciscoasa
    domain-name domain
    enable password encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd encrypted
    names
    ip local pool pool1 x.x.9.22-x.x.9.254 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address x.x.8.10 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.237 255.255.255.248
    boot system disk0:/asa922-k8.bin
    boot config disk0:/startup-config
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group Default
     name-server x.x.8.100
     domain-name domain
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network pool1
     subnet x.x.9.0 255.255.255.0
    object network outside-network
     host x.x.x.237
    object network Remote-Network
     subnet x.x.8.0 255.255.255.0
    object network local
    object network obj-x.x.9.24
     host x.x.9.24
    object-group network Outside-Network-Group
     description Outside Network Group
     network-object x.x.x.232 255.255.255.248
    object-group network Inside-Network-Group
     description Inside Network Group
     network-object x.x.8.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list NONAT extended permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 30000
    logging buffered debugging
    logging asdm informational
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside x.x.8.132 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 50
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-722.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static any any destination static pool1 pool1 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static Remote-Network Remote-Network no-proxy-arp route-lookup
    nat (outside,outside) source dynamic pool1 interface
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.232 1
    route inside x.x.11.0 255.255.255.0 x.x.11.1 1
    If you have any questions, or need any other information, please let me know.
    Thanks!

    Am I posting this in the wrong section? Anyone?

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don't know how to do it.
    8. As you see, the problem is that I don't know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom

  • NAT outside to inside and inside to outside (in 8.4(2) version)

    Thanks a lot, and I attached a diagram here
    Requirement:
    Need to pass traffic through from outside to inside and inside to outside.
    I also attached a diagram with the IP
    and also tell me one thing, that natting is only for private to public or public to private.

    Hi,
    I think I replied on your post earlier as well.
    As per your query, you can NAT any kind of IP (Public or Private) into any kind (Public or Private).
    For bidirectional traffic, you always need static NAT.
    When you want unidirectional traffic, you can use Dynamic NAT/PAT.
    For the Inside to Outside traffic, you can use this NAT:
    object network LAN
    subnet 0 0
    nat (inside,outside) dynamic interface
    For Outside to Inside traffic, you would only want access for certain servers, just like internally hosted web servers.
    For this, you can use either Static PAT/NAT:
    object network host
    host 10.10.10.10
    nat (inside,Outside) static interface service tcp 3389 3389
    access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
    This will enable you to get RDP access to your PC from the internet.
    Is this what you want?
    Thanks and Regards,
    Vibhor Amrodia

  • Problem of routing between inside and outside on ASA5505

    I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from inside interface to outside interface on ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces, should they route between each other already?
    Thanks a lot

  • Set up a Foscam wireless webcam through BaseStation 7.71 inside and outside of my home network.

    I bought a X10 wireless Security Camera last year and it took me months to figure out how to set it up to access the video both inside my home and through my iPhone remotely, even on my Mac at my office.  I thought I would provide my process of getting this done to help those trying something similar.  Yes the X10 camera works as a Foscam Camera.  I am very happy with the result.  The biggest  challenge was Port Forwarding the Apple Basestation but now that I figured it out, it is easy.
    "How I set up a Foscam wireless webcam through Apple Hardware and software to work inside and outside of my home network seamlessly."
    What you need:
    -Foscam or compatible camera, (iPad or iPhone or Mac or better all three)!
    -Service Provider Router.
    -Apple Base Station, Extreme or Express. 7.71
    -'ip scanner' (software for Mac, app for iPad/iPhone).
    -CCTV Camera pros port scanner app for iPhone.
    First REMOTE ACCESS
    Go to www.dyndns.org and set up an account. For about $20/yr you can have 30 host websites.  Write down the user name and password as you will need it later.
    You need  this service to have a stable website to see your camera outside your network later as 'ip' addresses can change but this site will remain stable.
    Then after you log back in, create a 'host website' from the menu.  When you are creating the host site, dyndns will give you lots of web address choices or you can create your own. Just pick one. Also, you will need the 'ip' of the server where the camera will be. Luckily the dyndns website tells you this, just select it. Write down the web address, click create and you are done this part.
    Next you need to set up the camera.
    CAMERA SET UP
    Using an Ethernet cable, connect your Apple Base Station to your web cam.
    You will need to run 'ip scanner' to see the 'ip' address for the web cam. Write down the 'ip'. Select it, then select "open device in".  Pick browser.
    A web page will be launched and you are given 3 choices. I picked the middle, 'push browser'.  You are then asked for the user name and password for the camera. By default the user is 'administrator' and there is no password. Just click log in. You now will see a menu along the left, at the bottom it should say 'device management'. Select that. Another page will show and there are several important things to do here.
    1. Alias - give a name to the camera.
    2. Set the time from a server.
    3. Users - set a user and password. Write this down as you will need it.
    4. Basic network. Either check to 'Obtain IP from DHCP Server' or specify an IP you want to stay the same. You need the subnet and main DNS server and the Gateway (same thing like 192.168.0.? or 10.0.0.? or 172.16.0.?)
    Decide on a port you want use. Write this down. The camera will reboot, you will need to log in. In the browser enter IP then : the port#.  Like 192.168.0.?:80 you will need the camera user name and password.
    5. Wireless-scan for the nearby network list. Pick your network, enter your password, click submit. It will reboot.
    6. UPnP-check to use.
    7. DDNS Service (this allows remote viewing) pick DynDns.org
    Enter your DynDns user name and password.
    Enter the long DynDns Host website you wrote down. Click Submit. It will reboot. 
    APPLE Basestation set up
    Run Airport Utility on Mac or iPad or iPhone.
    Tap basestation, tap edit, tap advanced, tap Port Settings, tap 'new entry', in description enter a name, enter HTTP port number you picked when setting up the camera in all 4 spots: public and private UDP and TCP. Enter the IP address you picked in the camera setup. Click done and again until the Basestation updates.
    Run the CCTV app, pick 'tools', pick 'Port forwarding Checker'. Enter the port you selected to see if it shows open then you are good. If not go back through the steps.
    Set up Foscam App on the iPad and iPhone.
    Run App, tap Add Camera,
    Label- enter a name
    User- Camera user name
    Password- Camera
    Local camera address-the IP address eg 192.168.0.?
    Port- the one you specified.
    If it connects you will see the chain turn green.
    Remote address- the long one from DynDns.
    Port- the one you specified.
    If it connects you will see the chain turn green.
    Tap done.
    If everything is entered correctly it will all work.
    Troubleshooting: make sure the IP address for the camera is listed correctly in the Apple Router. If it changes on the network, just go into the Airport Utility and update that. Also make sure the dyndns address is correctly listed in the Camera set up.
    If questions, just let me know.

    Ok.. you have to work out the way you are going to access the TC..
    There are basically three methods..
    1. Direct access using AFP.. you need a static public IP and the TC as the main internet router.. then you need to turn on internet access and password the hard disk. The college has to have port 548 open.
    If you do not have a static public IP then you can use ddns service but there is no client in the TC.. so you will have to figure out a way to update the service.
    2. Use BTMM with icloud. This is the Apple method. It actually uses vpn..(the vpn is locked to apple use only but it is not available to end user).. The requirements are 7.6.1 firmware and lion or ML on a Mac computer. I am not sure of the ports because the link to the Apple cloud is separate from the vpn to your home system.
    3. VPN.. that means you need to bridge the TC and use a decent quality vpn modem / router or combo thereof.
    VPN are not for the faint of heart.. it can take a lot of work to get running but offers the best security.. you will need to change the network equipment in your house more than likely.. using a pc / mac as a vpn server is possible.. but messy.
    There are also easy ways to at least access the home computer.. teamviewer for example. This is likely blocked by the college though.
    Double NAT is where you put a router on a private IP behind another router on a private IP.. that makes port forwarding close to impossible.

  • Best practices: formatting inside or outside EDDs ?

    Hello all,
    A discussion started elsewhere on whether or not formatting should be done inside the EDD. I think that discussion should be held here, as there will be more people who have experience with this on this forum than on the other non-public discussion site. Of course most of the participants in the discussion on the closed forum are on this forum as well, so we can maybe continue our discussion with a larger group.
    On this particular topic, there seem to be two completely opposite views, and I would like to hear from people on this forum what they feel about this.
    On one side are those who state that formatting should be done completely in the EDD, as this takes the ability to mess up the formatting away from authors - who should not have any control over formatting as they should just deliver content. If formatting is put in their hands the compatibility with existing standards or earlier revision processes would be breached. One message mentioned an 'enforceable controllable environment' as the goal of working with structured Frame in the first place - if I am getting that point correctly (and if not, there will be reactions from the ones on this forum who belong to that camp).
    The other side (which, according to the impression given on the non-public site, is a rare minority viewpoint) is taking ALL formatting out of the EDD and allowing clients to do their own paragraph and character designer based formatting without having to edit the EDD. In this case, the client is not dependent on the person who created the EDD to change the font, text alignment, hyphenation etc. The EDD assigns paragraph format tags and the client can - if they want to - change those paragraph formats to suit their needs. I am a strong advocate of this position and have been using this strategy for my clients with a lot of success.
    I do want to answer to the comments about control, just to clarify that the choice between formatting inside or outside the EDD is not the same as a choice between keeping full control or having no control whatsoever. Control or no control is another matter, in my opinion. I can easily see methods to make the paragraph and character designer unavailable in Frame for those who have no authority to make any changes to the company's style sheets. This would leave those who are in control of the styling the option to define or redefine paragraph and character styles without having to bring in the expensive consultant who created the EDD for them. Changes to the EDD would for example be required to support another font for a Bulgarian translation.
    Frankly, I do not want to make my clients dependent on my services just to change the font to Arial CYR if they happen to sell a machine to Bulgaria. Also, I don't want to build full support for all the formatting quirks my customers might ever need into an EDD that will become an almost unmanageable beast (and require expensive consultants to make any changes that do not bring the system to a screeching halt). My customers can create different templates, using different sets of fonts, paragraph formats, character formats and table formats, without ever changing the underlying structure that is defined by the EDD. It is their responsibility to define the look and feel of their documents, and it is mine to make sure the structure is correct. They pay me to build a structured authoring system, not to define their style guide. And if they do want me to create their style guide as well, I will create a template that contains all the required paragraph, character and table formats separate from the EDD. To ensure that their authors cannot mess around with the formatting I will even give them a little script that makes the designer pods go away and stay away. Plenty control, but not at the cost of putting the formatting in the EDD - where I do not think it belongs in the first place.
    OK - that was my first round. Let's hear it from the others on this forum...
    Kind regards from drizzly Amsterdam
    Jang

    Hi Jang,
    Thanks for picking up this very interesting topic. Some years ago I switched my understanding of creating EDDs from using paragraph formats to using format change list without exception, wherever it’s possible and wise. One year ago I started a blog post on this topic http://www.practice-innovation.de/wiki/blogpost14 (sorry it’s in German).
    Which approach is used always depends on what is your thinking of XML publishing and, of course, what’s the customer’s motivation of using structured FrameMaker. In my projects customers want to fix their layout with a specific style guide (perhaps it’s my responsibility ;-)). If there’s no style guide defined at the beginning of the project the EDD is it at its end.
    So changes are only necessary in a continuous improvement process or if there are any faults in the EDD creation process. So if simple layout changes are necessary a template administrator can do it in the EDD in a more effective way, than with paragraph styles. If you want to change a font it’s solved in less than a minute, because there’s only one place to change it. With paragraph etc. styles you have to check and change each style, haven’t you? So depending on the amount of styles changing a font could take an hour or so. Don’t you think these people who are responsible for CI can’t learn changing simple layout with FCL within an hour or so? EDD is XML and it’s really easy on that level, assumed you use format change list without exception and do a little comment if necessary and not self-explanatory.
    So is making templates changeable for customers a real factor for referencing paragraph styles? Are these the costs, if there are any changes in that way? In my projects it’s really rare a customer comes to me and asks “Please, could you change the font for me?” or “Please, the left indent of my lists should be increased to 10pt”. Most customers can do this if they want, because they got a small briefing, when they got the EDD and Templates. And if they can’t do that, should I create an invoice for 10 minutes of work? If they come with such things each day, something’s completely wrong.
    When will customers come back to me, mainly? They come back with more complex scenarios. Scenarios which can’t be solved only by changing some styles. I.e. EDD should be enhanced for other document types, new content should be provided, structured and layouted, etc. And for this you often have to take a look at customer’s processes, what effects changing/enhancing publication process itself (perhaps). For this I think it is more important to have a compact EDD than having the possibility of an UI for changing styles. In my experiences an EDD based on FCL is 30% smaller than an EDD which references paragraph styles. And it’s easier to understand. This means easier ways of enhancing/changing EDDs and at the end less costs for customers.
    Enhancing a font to “Arial CYR” (BTW: who uses this in our times ;-)) not only means changing fonts. It means changing processes, because there is a new language to handle, right?
    That’s the approach XSL:FO goes of course. All is fixed in rules and styles. So why not using XSL:FO? User’s want to have the possibility to do some finishing, which can’t be done with EDD rules (or FO-Rules), and can be automated with scripts/plugins or could be done by hand (i.e. page breaks or things like “Page intentionally left blank” (see the other discussion running ;-)). And the other thing is (often but not always) creating FM XML publishing processes means less cost than creating FO processing.
    At last: All depends on processes and what’s the motivation for customers using a structured (XML) environment. It’s not a matter of control or not control. It's a matter of EDD Design.
    Bye
    Markus

  • NAT (INSIDE To OUTSIDE)

    I need Configuration of this topology
    At Outside Router
    int f0/0
    ip add 10.1.1.2 255.255.255.0
    At Inside Router
    int f0/0
    ip add 192.168.1.2 255.255.255.0
    At ASA
    int e0
    ip add 10.1.1.1 255.255.255.0
    int e1
    ip add 192.168.1.1 255.255.255.0
    I want NAT from inside to outside and also need ACL configuration and attached diagram.
    and version of ASA is 8.2
    Navaz       
    Message was edited by: Navaz Wattoo

    THIS IS MY ASA CONFIGURATION
    ciscoasa(config)# sh running-config
    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit tcp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
    access-group OUT in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    ciscoasa(config)#
    THIS IS MY OUTSIDE ROUTER CONFIGURATION
    R1(config)#do sh run
    Building configuration...
    Current configuration : 877 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 10.1.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R1(config)#
    THIS IS MY INSIDE ROUTER CONFIGURATION
    R2(config)#do sh run
    Building configuration...
    Current configuration : 880 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef
    no ip domain lookup
    ip domain name lab.local
    multilink bundle-name authenticated
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip route 10.1.1.0 255.255.255.0 192.168.1.1
    no ip http server
    no ip http secure-server
    logging alarm informational
    control-plane
    gatekeeper
    shutdown
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    end
    R2(config)#
    Navaz
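
The configs posted in the threads above bind `access-list OUT extended permit tcp any any` inbound on the security-level 0 interface and open TCP 3389 to `any`. As an added example (not part of the original posts or any Cisco tool), this simplified Python audit parses ASA `access-list`, `access-group`, `nameif` and `security-level` lines and flags such entries. The function names, the `ADMIN_PORTS` set, the finding labels and the `INSIDE_IN` rule are assumptions made for the illustration.

```python
import re

# Constructed sample: interface, ACL and access-group lines taken from the
# configs posted in the threads above, plus one constructed narrow rule
# (INSIDE_IN) to show an entry that is not flagged.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list OUT extended permit tcp any any
access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-group OUT in interface outside
access-group INSIDE_IN in interface inside
"""

ADMIN_PORTS = {22, 23, 3389}            # assumption: ports treated as remote admin
NAMED_PORTS = {"ssh": 22, "telnet": 23}
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def take_addr(tok):
    """Consume one address spec: 'any', or a two-token form (host X, net mask, object X)."""
    head = tok.pop(0)
    if head in ("any", "any4", "any6"):
        return "any"
    return head + " " + tok.pop(0)

def take_ports(tok):
    """Consume an optional port operator; None means no port restriction."""
    if tok and tok[0] in ("eq", "lt", "gt", "neq"):
        return (tok.pop(0), tok.pop(0))
    if tok and tok[0] == "range":
        return (tok.pop(0), tok.pop(0), tok.pop(0))
    return None

def hits_admin_port(ports):
    """True if an eq/range operator covers a port in ADMIN_PORTS (lt/gt/neq not evaluated)."""
    if ports is None:
        return False
    nums = [int(p) if p.isdigit() else NAMED_PORTS.get(p) for p in ports[1:]]
    if None in nums:
        return False
    if ports[0] == "eq":
        return nums[0] in ADMIN_PORTS
    if ports[0] == "range":
        return any(nums[0] <= p <= nums[1] for p in ADMIN_PORTS)
    return False

def audit(config):
    """Return (acl, bound interface, security level, reason) for risky permit entries."""
    levels, bound, findings, nameif = {}, {}, [], None
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif (m := GROUP_RE.match(line)):
            bound[m.group(1)] = m.group(2)
    for line in lines:
        m = ACE_RE.match(line)
        if not m or m.group(2) != "permit":
            continue
        acl, proto, tok = m.group(1), m.group(3), m.group(4).split()
        try:
            if proto in ("object", "object-group"):
                tok.pop(0)              # protocol given as an object name
            src = take_addr(tok)
            take_ports(tok)             # optional source-port operator, ignored
            dst = take_addr(tok)
            ports = take_ports(tok)
        except IndexError:
            continue                    # line shape this simplified parser does not cover
        if src != "any":
            continue
        iface = bound.get(acl)          # None when no access-group line binds the ACL
        if dst == "any" and ports is None:
            findings.append((acl, iface, levels.get(iface), "any-to-any"))
        elif hits_admin_port(ports):
            findings.append((acl, iface, levels.get(iface), "admin-port-from-any"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A finding with interface `None` means no `access-group` line for that ACL was present in the parsed text, so the entry should be checked against the full running config before it is scored.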

  • I am writing a book and need to have the margins alternating left and right pages, so that there is sufficient margin for the binding. I have tried different inside and outside margins, the same inside and outside margins, facing pages, changing the maste

    I am writing a book and need to have the margins alternating left and right pages, so that there is sufficient margin for the binding. I have tried different inside and outside margins, the same inside and outside margins, facing pages, changing the master, and I cannot get the margins to alternate at print time. The larger margin is always on the left. Can anyone please help me on this, as I have spent hours and lots of ink.

    Set up as facing pages with a larger inside margin.

  • Change path inside and outside areas in vector mask

    Hey all PS/CS lovers,
         That's probably an easy one, yet, being rather new to this, I have to ask.
         So I have this vector mask on a layer, and while singing along to the Beatles I'm editing paths on it. Well, all it is is a rectangle to reframe a photo, nothing crazy. But that rectangle is too big to my taste - so I just draw another, smaller one inside it and plan on deleting the first one.
         But ! The second, smaller rectangle is viewed as a takeout from the first one (so its inside is considered "black" mask-wise, i.e. cut out, and its outside is "white", i.e. kept in). Thus, when deleting the first, bigger one, the entirety of the picture appears, except for the part I want in the middle, that's cut out ! Yes - that's the opposite of what I want.
         Now, I tried using the path selection tool and changing the fill color of the rectangle, but you can't ... So, how do you invert inside and outside of a closed path ? Thanks in advance !
    Charles

    So, how do you invert inside and outside of a closed path ?
    Select the Path with the Path Selection Tool and in the Options Bar change the Path Operations setting.
