topic Re: DYNAMIC NAT ISSUE ON ASA 5515x in Network Security

DYNAMIC NAT ISSUE ON ASA 5515x

Jesutofunmi O — Fri, 21 Feb 2020 16:20:11 GMT

Hello Guys,

My Connection is such as;
ISP--->ASA--->CoreSwitch--->AccessSwitches--->LAN(Servers)

See skeletal config below for the named issue;

interface GigabitEthernet0/1
description ###Internal MEMBER-1 Link###
nameif INSIDE
security-level 100

ip address 10.10.10.0 255.255.255.0

object network LAN2
subnet 10.33.33.0 255.255.255.0

object network LAN2
nat (INSIDE,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1

Now, in my DHCP Server (Core Switch), I had exempted 10.10.10.1 to 10.10.10.50 from DHCP. These reserved IPs are the IPs I use for my internal servers. I don't want those Servers to go out to the internet, but I already did a default route for my internet connection which automatically includes those IPs. How do I exempt them from the dynamic NAT and yet allow the remaining IPs from 10.10.10.51-254 have access to the internet?

Re: DYNAMIC NAT ISSUE ON ASA 5515x

balaji.bandi — Tue, 09 Oct 2018 16:44:17 GMT

you can create a ACL to allow only from 10.10.10.51-254

and deny 10.10.10.1 to 10.10.10.50

Other side you can to NAT only for the rquired range 10.10.10.51-254

Re: DYNAMIC NAT ISSUE ON ASA 5515x

Rahul Govindan — Tue, 09 Oct 2018 16:47:10 GMT

You can add an ACL on the inside interface to block these servers going out. You just have to create an object/objectgroup that includes the ip range needed.

access-list inside-out extended deny ip <object-group of servers> any

access-list inside-out extended permit ip any any

access-group inside-out in inside

If you already have an ACL, then just add statement#1 to that one.

The above is under the assumption that your internal routing is handled by your core switch.