topic ASA 8.3+ Static NAT Help in Network Security

ASA 8.3+ Static NAT Help

Ken D — Fri, 21 Feb 2020 12:28:49 GMT

Hi all! I'm fairly new to the "new" way of setting up NAT rules on the the ASA and need a little help getting going. I'm probably overlooking something very simple but I just can't see it for some reason!!!!! Overall I would like to send all of the traffic from one inside network (192.168.95.0) to one outside address (192.xx.xx.248) using dynamic PAT and the traffic from a second inside netwok (192.168.10.0) to another outside address (192.xx.xx.247) using a static NAT. I have the dynamic PAT working fine but cannot seem to get a static NAT working for the other. Below is the current config I am using. Any insite or suggestions would be greatly appreciated!!!!!!!!!!!

Thank You!

-Ken

ASA Version 8.4(2)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 192

interface Ethernet0/1

switchport access vlan 95

interface Ethernet0/2

switchport access vlan 10

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan10

nameif VoIP

security-level 100

ip address 192.168.10.1 255.255.255.0

interface Vlan95

nameif Inside-Interface

security-level 100

ip address 192.168.95.1 255.255.255.0

interface Vlan192

nameif Outside-Interface

security-level 0

ip address 192.136.22.248 255.255.255.0

ftp mode passive

object network voip

host 192.168.10.2

object network test

subnet 192.168.95.0 255.255.255.0

pager lines 24

mtu Outside-Interface 1500

mtu Inside-Interface 1500

mtu VoIP 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network voip

nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns

object network test

nat (Inside-Interface,Outside-Interface) dynamic interface dns

route Outside-Interface 0.0.0.0 0.0.0.0 192.xx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no service password-recovery

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

ASA 8.3+ Static NAT Help

varrao — Thu, 06 Oct 2011 15:33:53 GMT

Hi Ken,

You cannot use the 192.xx.xx.247 ip, since it is already statically mapped to your 192.168.10.2 ip in the network, moreover I did not get your requirement right, you want the whole network 192.168.10.0 to be statically natted to 192.xx.xx.247?? Well thats not possible since, static nat is always one to one nat, you can do dynamic nat for it, but a different public ip.

object network voip

nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns

Hope that helps,

Thanks,

Varun

ASA 8.3+ Static NAT Help

Ken D — Thu, 06 Oct 2011 15:51:07 GMT

Hi Varun, thanks for your reply! Sorry I should have specified a little more indepth. Essentially I want to send all of my VoIP traffic to IP 192.xx.xx.247 from the inside host address of 192.168.10.2. So in the end my VoIP adapter will have the static IP of 192.168.10.2 and will be statically assigned to the outside address of 192.xx.xx.247.

Thanks again!!!!!

-Ken

ASA 8.3+ Static NAT Help

varrao — Thu, 06 Oct 2011 15:55:06 GMT

Well if thats the case, then you already have the nat for it in your configuration:

object network voip

nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns

You don't need to do any. But is it not working???

Thanks,

Varun

ASA 8.3+ Static NAT Help

Ken D — Thu, 06 Oct 2011 16:03:56 GMT

That is correct. So for testing, if I plug into port ethernet 0/2, assign myself the follwing network info,

ip: 192.168.10.2

mask: 0/24

gateway: 192.168.10.1

dns: 8.8.8.8

I cannot surf. If I plug into port ethernet 0/1, assign myself the follwing network info,

ip: 192.168.95.2

mask: 0/24

gateway: 192.168.95.1

dns: 8.8.8.8

I can surf fine.

Thanks again!

-Ken