
TOPIC: disjointed external static ip's on same ASA5505?

Re: disjointed external static ip's on same ASA5505? 9 years 1 month ago #28014

ok, looks easy enough...

so for each ip/port, you need one 'static' command, one 'access-list' and one 'access-group'?

where I think I am having trouble understanding is I am trying to figure out what are the commands and what are the variables...not having any familiarity with all of the different cisco commands, it all gets jumbled up in that empty space in my skull... :D

so on the first command:

[code:1]static (inside,outside) xxx.yyy.238.241 192.160.1.50 netmask 255.255.255.255[/code:1]

static is a command, inside and outside are vlan name variables, the first ip is the static ip on the outside that we want to use for incoming traffic, the second ip is the internal ip and then the netmask is...well...the netmask.. :D...right?

on the second command:

[code:1]access-list outside_access_in extended permit ip any host xxx.yyy.238.241[/code:1]

'access-list' is a command, stating we are creating a new access list named 'outside_access_in', extended...ok, this is where I start losing comprehension....

From what I have read, extended refers to...ok, here is where I start getting confused.....I think I am sidetracking myself on something inconsequential...but need some kind of understanding as to what this does.....

here is what I am using to decipher:

articles.techrepublic.com.com/5100-10878_11-1058307.html

that 'extended' is sidetracking me....

I don't know what to think about the last command:

[code:1]access-group outside_access_in in interface outside[/code:1]

Re: disjointed external static ip's on same ASA5505? 9 years 1 month ago #28016

okay seems I missed something.. :D

here is a good definition of what 'extended' means along with its alternative:

A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.

another question is that everything I have found so far says you have to assign a number to the acl when you create it instead of the name...is that just because I am finding old school info and the newer stuff lets you create alpha names instead of numbering?

Re: disjointed external static ip's on same ASA5505? 9 years 1 month ago #28018

S0lo (Moderator):
so on the first command:

[code:1]static (inside,outside) xxx.yyy.238.241 192.160.1.50 netmask 255.255.255.255[/code:1]

static is a command, inside and outside are vlan name variables, the first ip is the static ip on the outside that we want to use for incoming traffic, the second ip is the internal ip and then the netmask is...well...the netmask.. :D...right?
Yes. One thing to note here is that the netmask is not necessarily the one you used for your private range (say 192.160.1.50/24). To my understanding, it defines the internal range of IPs that you want to map to. In this case only one IP: 192.160.1.50, hence we use /32 (255.255.255.255).

Regarding the access-group command:
[code:1]access-group outside_access_in in interface outside[/code:1]
This binds the ACL outside_access_in with the outside interface. The in keyword tells the outside interface/vlan to use the ACL for checking incoming traffic. In other words, the command says: "Hey, interface outside, you use the outside_access_in ACL for checking packets that are entering you"
A standard access-list can only define the SOURCE IP of the traffic. An extended IP access-list can define the source and destination IP address of traffic, along with source and destination port numbers. Also, while a standard access-list only defines IP traffic, an extended access-list can define TCP, UDP, ICMP, IP, AHP, EIGRP, IGRP, ESP, IGMP, OSPF, and PIM traffic.

Yeah, that's a good start. Note here that there might be differences in the syntax between router commands and ASA commands. So always make sure that you are reading the right material for the right equipment.
Another question is that everything I have found so far says you have to assign a number to the acl when you create it instead of the name...is that just because I am finding old school info and the newer stuff lets you create alpha names instead of numbering?

I'm not on my ASA right now, so I can't check if numbers work. But I'm sure that names will work as I've tried it. Since you're just starting on the ASA road, I recommend reading the official stuff from Cisco:

www.cisco.com/en/US/products/ps6120/prod...ion_guides_list.html

This way you are sure of what you're getting and getting at. :)
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
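A fuller version of the three-command pattern the reply above walks through, as an added example that is not from this thread or from Cisco's documentation. It assumes pre-8.3 ASA software (where, as in the thread's own commands, the ACL names the mapped public address rather than the real inside address), a second disjoint public address 203.0.113.9 that is a hypothetical placeholder, and hypothetical inside hosts 192.168.0.50 and 192.168.0.60; xxx.yyy.238.241 is kept as the thread wrote it. Where the thread's ACL line permits ip any, this version permits only the one TCP port each mapped host actually serves.

```cisco
! --- Added example, not the thread's configuration. ASA 8.2-style NAT. ---

! Public address 1 (from the thread) -> web server on the inside (hypothetical host).
! netmask 255.255.255.255 = map exactly one inside address, not a whole range.
static (inside,outside) xxx.yyy.238.241 192.168.0.50 netmask 255.255.255.255

! Public address 2 (hypothetical, documentation range) -> mail server on the inside.
! It does not need to be in the same block as the outside interface's own address;
! the ASA will answer ARP for a mapped address it owns, but your ISP must still
! route that second block towards the ASA's outside interface.
static (inside,outside) 203.0.113.9 192.168.0.60 netmask 255.255.255.255

! One extended ACL, one entry per public IP/port. "extended" lets us match
! protocol + destination port, which a standard ACL cannot.
! Pre-8.3: the destination is the MAPPED (public) address.
access-list outside_access_in extended permit tcp any host xxx.yyy.238.241 eq 80
access-list outside_access_in extended permit tcp any host 203.0.113.9 eq 25
! Everything else arriving on outside hits the implicit deny at the end of the ACL.

! Bind the ACL to traffic ENTERING the outside interface. Only one access-group
! per interface per direction, so all public IPs share this single ACL.
access-group outside_access_in in interface outside
```

To check it on the box: `show xlate` should list the two static translations, `show access-list outside_access_in` shows per-entry hit counts, and `packet-tracer input outside tcp 198.51.100.7 40000 xxx.yyy.238.241 80` walks a simulated SYN through NAT and the ACL and reports whether it would be allowed. Two caveats: `permit ip any host ...`, as in the thread, exposes every port on the inside host to the whole Internet, so narrow it to the service you publish; and from ASA 8.3 onward the NAT syntax changed to `object network` / `nat (inside,outside) static` and the ACL refers to the real inside address, so do not paste this into a newer release.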

Re: disjointed external static ip's on same ASA5505? 9 years 1 month ago #28022

Thanks a bunch for helping me understand this, I will read up a bit more on that link you posted and see if I have any more questions....having someone to bounce this stuff off of makes it easier to comprehend....

Re: disjointed external static ip's on same ASA5505? 8 years 9 months ago #29608

ok, trying to get my head wrapped around this again....

can I have the 'inside' range set to 192.168.0.0 and then the routed ip that I am working with be pointed inside to an ip on a totally different subnet, ie say pointing it to something within 192.168.1.0?

or does the mapping have to be within the same subnet inside?

Re: disjointed external static ip's on same ASA5505? 8 years 9 months ago #29611

Patiot (Frequent Member):
you can have it but you should define the route to reach that new subnet.

Thanks
Patiot
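The route the reply above refers to, as an added example rather than anything posted in the thread. It assumes the inside VLAN is 192.168.0.0/24 with the ASA at 192.168.0.1, that 192.168.1.0/24 sits behind an internal router at 192.168.0.254, and that the public address 203.0.113.9 and the target host 192.168.1.20 are hypothetical placeholders; it uses the same pre-8.3 static/ACL syntax as the rest of the thread.

```cisco
! --- Added example, not the thread's configuration. ---

! Inside interface on the first subnet (assumed addressing).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0

! The ASA only knows 192.168.0.0/24 as directly connected, so tell it how to reach
! the second inside subnet: via the internal router on the inside VLAN.
! Syntax: route <ifname> <network> <mask> <next-hop> [metric]
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1

! The mapped host may now live on that second subnet; the static is unchanged in form.
static (inside,outside) 203.0.113.9 192.168.1.20 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.9 eq 443
access-group outside_access_in in interface outside
```

`show route` should now list 192.168.1.0/24 as a static route out the inside interface. The internal router needs the matching half: its default route (or at least the route for outbound/return traffic) must point back at 192.168.0.1, otherwise the ASA forwards the inbound SYN correctly but the server's reply never comes back through it and the connection times out.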
