How to route traffic to a static public IP address on my private network

Here is my topology:
ISP Modem ---- (gig0/0) Cisco Router (gig0/1) ---- Cisco Switch ---- Server
               60.70.80.90           172.16.0.1       172.16.0.2      60.70.80.91
Gateway: 60.70.80.89
Netmask: 255.255.255.240
Scenario:
My ISP has given me 5 static IP addresses, and I want to assign one of them to one of my servers that lies within my private network. I am wondering what kind of configuration I would need to be able to access my server from outside my private network using one of the static IP addresses that was given to me by my ISP. Does this need some sort of static NAT on top of the inside/outside NAT I have done on my router? Thanks
Best Regards,
Sean

Duplicate post. 
Go HERE.

Similar Messages

  • RV220W with BT Infinity and Static Public IP address

    I've recently had BT Infinity installed with 5 static Public IP addresses.
    Needless to say, the supplied BT Hub isn't really up to business standards - so it's been replaced with an RV220W router.
    The router connects (via the supplied BT Openreach modem) via PPPoE and is allocated a dynamic IP Address.
    Using one2one NAT I've tested that our static public ip addresses are reaching the router.
    The RV220W router will be acting as a VPN endpoint as well as passing through certain services to servers.
    I can configure the services to pass through using one2one NAT and individual static IP addresses, but the router doesn't use one of the static IP addresses for its own, so I can't seem to use a static IP address for the VPN endpoints.
    Help please!

    Fixed ...
    After a bit of fiddling around (reading out-of-date manuals! Cisco, can't you at least update your manuals!)
    The answer is in Firewall -> Access Rules
    Add rule
    Connection Type - Inbound WAN > LAN
    Action - Always Allow
    Service - Any
    Source IP - Any
    Send to Local Server (DNAT IP) -
    Use Other WAN (Internet) Address - Enable
    WAN (Internet) Destination IP -
    It's also possible to fix the outbound IP address using rules:
    Connection Type - Outbound Lan > WAN
    Action - Always Allow (or you can schedule it)
    Service - Any (or you can allow specific services)
    Source IP - Any
    Destination IP - Any
    Use this SNAT IP Address - Enable
    SNAT IP -

  • How to route traffic across subnets when one NIC is a hyper-V virtual switch?

    Having a bit of a problem with a hyper-V environment which does not seem to route network traffic on two different subnets between each other.
    If it were a purely physical server with two NICs and a gateway set traffic would automatically be forwarded between the two different subnets.
    However, when one of those NICs is a hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets.
    Situation is:
    Hyper-V server with two NICs
    NIC 1 = 192.168.0/24 - main Internal company network.
    NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
    Virtualized Domain Controller.
    One or two virtualized NICs as necessary
    How then does traffic get routed between these two subnets? If RRAS has to be configured to do this, where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
    Thanks,

    Hi,
    You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
    After you enable RRAS in the hyper-v host there will be two gateways for different subnets.
    " NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router "
    The problem is here, if these VMs need to access the internet.
    So, these VMs can not configure their gateway the same as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry for every VM.
    Please refer to the Syntax :
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
    Hope this helps
    Best Regards
    Elton Ji

  • How to configure an ASA with 2 Public IP address.

    Hi, I have to configure a router ASA 5505 with 2 public IPs; our ISP gave us 3 public IPs, and currently our configuration is like this:
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.x.x 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 200.91.x.x 255.255.255.248
    The problem is: If I create a new Vlan, the interface overlaps.
    How can I solve that problem??
    Thanks for your answers!!!

    Answered in duplicate post:
    https://supportforums.cisco.com/discussion/12150111/how-configure-asa-2-public-ip-address

  • How to configure ASA5512X DMZ with a Public IP address?

    Hi;
    I have an ASA5512X firewall with 6 interfaces. Interface 0 has been assigned to a WAN connection with ADSL, on which my ISP gave me two static IPs (not a block range of IPs); my ISP mapped the MAC address of an interface to an IP address, which they call "Dynamic-Static": it is like reserving the MAC address of a device on a DHCP server, so it always gives you the same IP address.
    Here is the scenario: in order to have the 2nd static IP, I need to give them the MAC address of another interface on the ASA5512X. I am thinking of giving them the interface MAC address of interface #3; however, the public IP address assigned to interface 0 is a WAN and the public IP address assigned to interface 3 will be on the same subnet from the ISP. In this scenario, are there any problems and limitations? Also, can I create a NAT to translate the public IP on the DMZ to one of the hosts in the inside LAN?

    What are you trying to do? What is the purpose of the second public IP? You can use that guy for any number of things. One-to-one NAT for one thing or another is most common [mail server, web server, RDP terminal, etc.]. All of those would go over the same interface to get out to the internet.
    Dynamic-Static is PAT. One IP address, multiple clients using different ports. Similar to NAT, but different in how the translation is handled.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939
    SOOOO To answer what you are asking, just give them the MAC of Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also, if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.

  • 1 server, 2 networks how to route traffic to both

    Hi i have NW65SP7
    what i'm trying to do is
    1. to have users come in thru the data network (192.168.0.0) and the traffic
    go back out thru the default gateway (192.168.0.1) and
    2. i want LDAP traffic to go in thru the other network (10.1.0.0) and
    backout thru the same networks gateway (10.1.0.1).
    1. works fine and all seems to go up and down the right network, however 2.
    comes down 10.1.0.0 and backout thru the default gateway on 192.168.0.1. I
    don't\can't have this as the firewall rejects the packet as the source and
    destination networks are different ie. the fw sees the packet come in thru
    10.1.0.0 but when the server sends it back out thru 192.168.0.0 the firewall
    rightly drops it
    How do i get 2. to work as i want, can this even be done on NW.
    What i've done so far is
    a. enabled Static Routing
    b. created a default route (192.168.0.1) with a metric of 2
    c. created a network route for 10.1.0.0 (10.1.0.1) with a metric of 1

    "Thorsten Kampe" <[email protected]> wrote in message
    news:[email protected]...
    >* Steven Lim (Mon, 08 Dec 2008 01:57:27 GMT)>
    >> ok i'll try again but i thought that i did explain it so i'm not sure how
    >> my
    >> second attempt will go ;)
    >
    > Is the NetWare server the router? Which addresses do the server's
    > interfaces have? Which default gateway do the hosts in the network have?
    > Any static routes?
    No the netware server is not the router
    The server has 1 interface but two vlans trunked to the one interface, each
    vlan has a separate IP. I can ping each IP on each of the trunked vlans
    fine. I'm using Broadcom Q57 NICS and the QASP\BASP advanced driver to
    support the trunked vlans. Don't let that confuse the issue though..it's
    basically the same as having two nic interfaces connected to two separate
    networks in this case lets say 192.168.0.10 and 10.0.0.10
    Just so we're on the same page, we have a very large routed network with
    over 250 subnetworks with 4 10G interconnected core routers each with a 10G
    distribution routers, buildings\user\server networks hang off the
    distribution routers . Client machines are distributed across the network
    and are not on the same vlan\subnet as the servers.
    A server on 192.168.0.0 will have a default gateway of 192.168.0.1 and
    servers on 10.0.0.0 will have a default gateway of 10.0.0.1 there are no
    client machines on these subnets....btw we don't really have a 192.168.0.0
    network..i'm just using this as an example.
    The NW server has 1 static route configured as the default gateway on
    192.168.0.1...and i've been trying to work out how to configure another
    static route to make sure that all incoming and outgoing traffic for
    10.0.0.0 stays on 10.0.0.0 or whatever else i need to do to get it working
    >> i have two networks 192.168.0.0 and 10.0.0.0
    >>
    >> 1. I want all traffic that originates from 192.168.0.0 to go back thru
    >> the
    >> 192.168.0.0 gateway on 192.168.0.1 (currently the default gateway
    >> configured
    >> in inetcfg static routing table).
    >
    > In case the NetWare server is the router you only have to enable routing
    > - the server's default gateway is completely irrelevant for that. Of
    > course the hosts in the networks have to have the router as the default
    > gateway (or a static route).
    Clients are fine, lets say that they are on 192.168.1.0 to 192.168.255.0 and
    they have default gateways on their subnets the go thru x.x.x.1 (eg.a
    192.168.1.0 machine will have a default gateway of 192.168.1.1 and a
    192.168.2.0 machine will have a default gateway of 192.168.2.1 etc)
    >> 2. I want all ldap traffic, in my case this will be ldap port 389 and
    >> 636,
    >> that originates from network 10.0.0.0 to go back thru the gateway
    >> 10.0.0.1.
    >
    > Routing is not (application) protocol specific. You can either route all
    > IP packets or none a certain route. Please have a look at the routing
    > table of your computer to see what I mean.
    Yes i understand that routing is not application\protocol specific
    When you say "have a look at the routing table" i assume you mean the
    netware server....i've done that using TCPCON..i can see the issue..just not
    sure how to get it to do what i want
    > Also what you might want is called source routing[1] and this is mostly
    > blocked because it opens a huuuuge security hole.
    >
    >> This is required because the firewall requires that if a response is
    > to go
    >> out to a client then then it must go out over the same network that it
    >> originated from. This is the part that's not currently working. At the
    >> moment the query comes in from 10.0.0.0 and the response tries to goes
    >> out
    >> via the default gateway on 192.168.0.1 the firewall blocks the outgoing
    >> traffic....basic stuff!!!
    >
    > I wonder where and how you put that firewall if you have only two
    > subnets and one router. Is this Bordermanager on the NetWare server?
    See above re. the network...the firewall\s are blades within the core
    routers and support virtual firewalls that can be applied to any part of the
    distribution\access layer of the network.
    Does that make any more sense???
    > Thorsten
    > [1] http://en.wikipedia.org/wiki/Source_routing

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS " s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use a static route in both directions: one static in the VRF table points to the Global interface, and another one in the Global points to the VRF interface for the received traffic. After that, you can redistribute the Global static route into EIGRP for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
    ip address 1.1.1.1 255.255.255.0
    interface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    configure this: (ip route vrf X y.y.y.y <mask> G0/1 global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You can then redistribute the Global static into EIGRP as below:
    router eigrp 1
    no auto-summary
    redistribute static metric 1 1 1 1 1
    HTH
    Mohamed

  • How to route traffic between two different interfaces

    Hi,
    I need to setup a routing between two different interfaces on a host.
    Interface ce1 : 192.168.120.12
    Interface ce2 : 192.168.110.50
    Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
    Regards,
    Armin

    The problem is an application which is only able to listen on one interface.
    To fix this, I have to make all packets visible on one interface.

  • 2 Gateways Sharing One Subnet - How to route traffic in and see each other?

    Hello,
    First, thanks for your feedback in advance.
    I am rolling over from CheckPoint Security Gateways to Fortinet Gateways so I have set up one of each within my datacenter subnet as I wanted to keep the same subnet 192.168.10.0/24 and just roll over from CheckPoint to Fortinet. 
    My current production datacenter gateway (CheckPoint) resides on 192.168.10.1/24 with its own external IP. 100+ IPsec VPN tunnels communicate through this gateway and happily talk to several servers on the datacenter side (ex. 192.168.10.20, 192.168.10.22, etc.)
    Since I am preparing to roll over from CheckPoint to Fortinet, I've placed the new gateway in the same datacenter at 192.168.10.2/24, with its own external IP. I've also dropped in a test server at 192.168.10.121 with the gateway pointing to the new Checkpoint.
    It happily gets out to the internet via the new gateway, 192.168.10.2.
    I can get out to the world via each gateway when I am behind my datacenter and I configure the gateways on each server.  And, they can all see each other and communicate within the 192.168.10.X network.
    However, I cannot go from the a Checkpoint tunnel network (ex: 192.168.50.X) go through the CheckPoint datacenter gateway, 192.168.10.1 (via its tunnel) and hit my Fortinet Test server at 192.168.10.121 (fortinet test server gateway set to 192.168.10.2).
    I have the IP statically set in the CheckPoint's DNS server at 192.168.10.20 to 192.168.10.121, but from the 192.168.50.X or any CheckPoint subnet, I can't ping or connect to it.
    Vice-versa, I can go from a Fortinet subnet (192.168.195.X) and hit my test server 192.168.10.121. However, I cannot go from a Fortinet tunnel network 192.168.195.X, go through my new Fortinet datacenter gateway, 192.168.10.2 (via its tunnel), and hit any of my CheckPoint-side servers, 192.168.10.20, 192.168.10.22, etc.
    Specifically, all of my scanners at the 100+ sites scan and send via an smtp server within my datacenter (192.168.10.56).  When I deploy the new gateway, the scanner at the office cannot access this IP address to send the email.
    Is there a way to sync two AD/DNS servers within my Datacenter but with different gateways? In theory, I'd like the request to come in from the outside (whether a CheckPoint network or the new Fortinet), it will look into its respective AD/DNS and point it to the 192.168.10.56 SMTP server.
    It does not have to be AD/DNS, but that was the first idea that popped in my head.  I am definitely open to the most efficient and stable method as I have to roll over 100 sites.
    Thank you again!

    Hi Strike First,
     One issue is that we have over 100 remote sites that we are converting from CheckPoint to Fortinet.  And, we do not have the man power to do a single night cutover as these are offices in remote locations.
    I am a little confused on the layout you are proposing:
    Set up fortinet as the backend firewall, point all internal gateways to this backend firewall, then have this firewall NAT through the current CheckPoint firewall?
    Thank you very much for your guidance.

  • How to route Multiple static IP addresses

    I have 5 static public IP addresses from Comcast Business. I need to host 3 low-volume web sites with distinct domain names which map to unique public IP addresses. I have all three web sites on one computer.
    Linksys has told me it can be done (but has NO useful support); and Comcast has told me it can be done. I've searched high & low on forums for a solution but can't find one.
    Equipment: 
       Linksys WRT300N router
       Webserver is Windows 2003 with 3 NIC cards
       Cable Modem is an SMC 8014
       Cable Provider: Comcast Business
    I already have the router set up for a Static IP and have entered my first public IP address, cable modem gateway and DNS servers. I have also port-forwarded port 80 to the web server.  One web site works fine.
    My question is: How can I route the other 4 ip addresses to the web server?
    TIA,
    bert

    If you already have set up the forwarding and it does not work for those other IP addresses, then it can't be done with your router. You'll need a router which supports one-to-one nat which allows you to map multiple public IP addresses to LAN IP addresses.

  • How to assign a private IP address to a public IP address

    Hello.
    At the beginning, sorry for my poor English. My company uses a Cisco 881 router and I have the following problem to resolve. I need to assign a local IP address from my private network to a public IP address (this is the public IP address of the SMTP server). As a result, I want to do the following thing: I would like to use a local IP address in the SMTP server settings of the email client instead of an IP address of the service provider. The device, which I have to configure with the SMTP server, is connected via a VPN and I can't use a public IP address of the email provider. Thank you for any response.

  • Using a second Public IP Address:

    Guys, 
    My client has been allocated 2 Public IP Addresses from the ISP, but we always just used one of them because there was never a need to use the second. Well, we now have a situation, where we need to port forward port 5060 to two different local IP addresses. The obvious solution would be to use the second public IP Address and port forward it to 5060 and then call it a day. I just don't understand how that works on a cisco router. Does the router know about all of the Public IP's because when I added the main public IP Address on the WAN port, I put the subnet mask in that accounts for the 2 IP's? How do I make the Router aware of my second Public IP Address? 
    Thanks in advance for all of your help,  

    You won't be able to port forward the same port on the same public IP to different local IPs  because the router will have no way of knowing which local IP it is meant for.
    But what you could do is use your existing IP for one of the translations and the second IP for the other eg.
    ip nat inside source static tcp 192.168.5.10 5060 interface gi0/1 5060
    where gi0/1 is the outside interface and then
    ip nat inside source static tcp 192.168.5.11 5060 <unused public IP> 5060
    In terms of how it works with the second public IP, the ISP has a router with an IP from the same public IP range. So when traffic gets to the ISP router inbound from the internet, the ISP router requests the MAC address of the public IP.
    Your router performs proxy ARP for that public IP, so it responds with the MAC address of its outside interface.
    This means that traffic for that IP is sent to your router.
    Jon
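As an added example (not code from any of the posts above), the following Python script applies the two points in Jon's reply to the addressing from the first question: it parses `ip nat inside source static ...` lines, flags two entries that claim the same public address, protocol and port (which the router cannot tell apart on inbound traffic), and flags public addresses that are unusable within the ISP block implied by gateway 60.70.80.89 / 255.255.255.240. The sample config is constructed; the 192.168.5.x inside hosts follow Jon's reply, and the ISP block boundaries are derived from the first question's gateway and netmask.

```python
"""Audit Cisco IOS static NAT entries against an ISP-assigned public block.

Constructed example. It checks the failure modes discussed in the thread:
  1. two static entries that claim the same public address/protocol/port, and
  2. a public address that is not usable (outside the ISP block, or its
     network/broadcast address, or the ISP gateway itself).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the first question: gateway 60.70.80.89, netmask 255.255.255.240,
# which puts the ISP block at 60.70.80.80/28.
ISP_GATEWAY = ipaddress.ip_address("60.70.80.89")
ISP_BLOCK = ipaddress.ip_network("60.70.80.89/255.255.255.240", strict=False)

# Matches both forms quoted in Jon's reply (and the whole-address form):
#   ip nat inside source static tcp <inside> <port> {<public>|interface X} <port>
#   ip nat inside source static <inside> {<public>|interface X}
_STATIC_RE = re.compile(
    r"^\s*ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp|esp))?"
    r"\s+(?P<inside>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<iport>\d+))?"
    r"\s+(?:interface\s+(?P<iface>\S+)|(?P<public>\d{1,3}(?:\.\d{1,3}){3}))"
    r"(?:\s+(?P<oport>\d+))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    inside: str
    public: str                 # dotted IP, or "interface <name>" (router's WAN address)
    proto: Optional[str]        # None: the whole inside address is translated
    inside_port: Optional[int]
    public_port: Optional[int]
    line: str


def parse_static_nat(line: str) -> Optional[StaticNat]:
    """Return a StaticNat for a static NAT line, or None for anything else."""
    m = _STATIC_RE.match(line)
    if not m:
        return None
    public = f"interface {m['iface']}" if m["iface"] else m["public"]
    return StaticNat(
        inside=m["inside"], public=public, proto=m["proto"],
        inside_port=int(m["iport"]) if m["iport"] else None,
        public_port=int(m["oport"]) if m["oport"] else None,
        line=line.strip(),
    )


def overlaps(a: StaticNat, b: StaticNat) -> bool:
    """Two entries clash when inbound packets to the public side are ambiguous:
    same public address and either one claims the whole address, or both
    claim the same protocol and public port (ESP has no port, so two ESP
    entries on one public address always clash)."""
    if a.public != b.public:
        return False
    if a.proto is None or b.proto is None:
        return True
    return a.proto == b.proto and a.public_port == b.public_port


def find_conflicts(entries: List[StaticNat]) -> List[Tuple[StaticNat, StaticNat]]:
    return [(a, b) for i, a in enumerate(entries) for b in entries[i + 1:] if overlaps(a, b)]


def public_ip_problem(ip_text: str) -> Optional[str]:
    """Return why a public IP cannot carry a static NAT, or None if it looks usable."""
    ip = ipaddress.ip_address(ip_text)
    if ip not in ISP_BLOCK:
        return f"{ip} is outside the ISP block {ISP_BLOCK}"
    if ip in (ISP_BLOCK.network_address, ISP_BLOCK.broadcast_address):
        return f"{ip} is the network/broadcast address of {ISP_BLOCK}"
    if ip == ISP_GATEWAY:
        return f"{ip} is the ISP gateway"
    return None


def audit(config_text: str) -> List[str]:
    """Run both checks over a config fragment and return human-readable findings."""
    entries = [e for e in map(parse_static_nat, config_text.splitlines()) if e is not None]
    findings = [f"CONFLICT: '{a.line}' and '{b.line}' both claim {a.public}"
                for a, b in find_conflicts(entries)]
    for e in entries:
        if not e.public.startswith("interface"):
            problem = public_ip_problem(e.public)
            if problem:
                findings.append(f"BAD PUBLIC IP: '{e.line}': {problem}")
    return findings


# Constructed sample: Jon's two entries, plus three deliberate mistakes
# (a second 5060 forward on the WAN address, the ISP gateway used as a public
# IP, and a whole-address translation on top of a port forward).
SAMPLE_CONFIG = """
! constructed sample, not a real running config
ip nat inside source static tcp 192.168.5.10 5060 interface gi0/1 5060
ip nat inside source static tcp 192.168.5.11 5060 interface gi0/1 5060
ip nat inside source static tcp 192.168.5.11 5060 60.70.80.91 5060
ip nat inside source static tcp 192.168.5.12 5060 60.70.80.89 5060
ip nat inside source static 192.168.5.13 60.70.80.91
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```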

  • Public IP address for ERP system

    Hi,
    A SAP BC consultant gives me a small system landscape for ERP 6.0 and its info as follows:
      a. 1 Sol Man system, 1 ERP system for DEV, 1 ERP system for PRO.
      b. The Sol Man Server is for the ENTIRE SAP TECHNICAL LANDSCAPE in the single company.
      c. The entire SAP Landscape needs to be on a different SUBNET on a different Gigabit switch for optimum performance. The broadcast between 2 subnets will be handled via a router.
      d. A router with VPN Capabilities and 2-3 static public IP addresses (THIS IS A MUST).
    I don't know why I need 2-3 static public IP addresses if I don't publish anything to the Internet. Can somebody tell me why?
    Thanks,
    Toan Do

    Hi,
    It's most probably for saprouter/connection to OSS etc.
    Regards

  • Public ip address for asa

    HI.......
    We have a Cisco router 2851 and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have an available public IP address. If I configure the VPN on the firewall, we need to configure the firewall's local IP address to a public IP address. So how do we configure the firewall's local IP to a public IP? Where can we configure it, on the router or the firewall? Please see my firewall and router configuration ...
    Please help .....

    The ASA would typically be where you setup your public IP Address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).
    However on the config you attached your outside interface has a private (RFC 1918) address:
    interface Ethernet0/3
    speed 100
    duplex full
    nameif Outside
    security-level 0
    ip address 192.168.255.2 255.255.255.252
    Plus, it being a /30 only gives you two addresses: one for the ASA and one for the router's Gi0/0 (per that config which you also attached). This is a bit of an odd setup but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".
    It's really a bit of a mess and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup.

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and ESP to the outside interface of the ASA that has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing the C871 and just using the ASA makes VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think that you want to control all outbound traffic from the LAN to the outside with the ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB
