topic ASA 5510 with Static VLAN NAT in Network Security

ASA 5510 with Static VLAN NAT

DavidReisner — Mon, 11 Mar 2019 22:40:40 GMT

Hi friends,

I am saravanan from Utah. One of our customers has asked us to nat from the LAN to the Voice LAN based on destination IP address in order to access a public phone server thorugh a vendor mangaed voice router..

Internet for everything else

Inside ------------------------> ASA 5510 -----------------> Voice router ------> outsdie to public phone server only

10.10.1.0/20 10.10.1.7/320 172.16.20.1/24

Voice------------------------->

172.16.20.0/24 172.16.20.254/24

Here the ASA5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using nonat acls. The phone server can only talk to the 172.16.20.0/24 network. So I need to nat the 10.10.1.0/20 network to the Voice interface on the ASA 172.16.20.254/24.

So I think I need the follwoing static but I get the error below:

static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0

WARNING: All traffic destined to the IP address of the Voice interface is being redirected.

WARNING: Users will not be able to access any service enabled on the Voice interface.

ERROR: Invalid netmask with interface option

Sanitized ASA Config

ASA Version 8.2(5)

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.10.1.7 255.255.252.0

interface Ethernet0/1.2

vlan 2

nameif Voice

security-level 100

ip address 172.16.20.254 255.255.255.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list nonat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0

access-list nonat extended permit ip 172.16.20.0 255.255.255.0 10.10.0.0 255.255.240.0

access-list Voice_in extended permit ip any any

access-list Voice_in extended permit icmp any any

access-list Voice_in extended permit gre any any

access-list Voice_in extended permit tcp any any

access-list Voice_in extended permit udp any any

access-list Inside_in extended permit ip any any

access-list Inside_in extended permit icmp any any

access-list Inside_in extended permit gre any any

access-list Inside_in extended permit tcp any any

access-list Inside_in extended permit udp any any

global (Outside) 10 interface

nat (Inside) 0 access-list nonat

nat (Inside) 10 10.10.0.0 255.255.240.0

nat (Voice) 0 access-list nonat

access-group Inside_in in interface Inside

access-group Voice_in in interface Voice

static(inside,Voice)10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0

route Inside XX.XX.XX.XX XXX.XXX.XXX.XXX 172.16.20.1 1

Any help would be appreaciated!

Thanks

Re: ASA 5510 with Static VLAN NAT

zac192000 — Sun, 11 Mar 2012 06:19:52 GMT

Static(inside,inside) 10.10.0.0 255.255.255.240 10.10.0.0 255.255.240.0

Static(voice,voice) 172.16.20.0 255.255.255.0 172.16.20.0 255.255.255.0

Sent from Cisco Technical Support iPad App

Re: ASA 5510 with Static VLAN NAT

DavidReisner — Mon, 12 Mar 2012 00:21:37 GMT

Zill,

Thanks for the quick reply. The only commands that the ASA will take similar to what you put are:

static (Inside,Inside) 10.10.0.0 10.10.0.0 netmask 255.255.240.0

static (Voice,Voice) 172.16.20.0 172.16.20.0 netmask 255.255.240.0

And after entering these it still doesn't work.

Also, since I have the no nat in there for these same networks, wouldn't the ASA get confused when I add those two statics?

Re: ASA 5510 with Static VLAN NAT

zac192000 — Mon, 12 Mar 2012 00:47:27 GMT

No the statements that I send to you is for the traffic that is initiating from voice zone to voice zone and from inside zone to inside zone...

One thing you need to make sure....If your requirement is to NAT the traffic from inside to voice then you should not use nonat statments,because if NAT-Control is enabled then you have to NAT every traffic whether your source is from inside to inside or from voice to voice or from inside to voice or from voice to inside.

You are using nonat from inside to voice and from voice to inside and at the same time you are using static 1 to 1 mapping for both networks.As per rules,acl will be checked first and traffic will never be natted and static mappings will never come into play.

So you should remove your nonat statments.

Add the static statments that I mentioned you earlier ,remove the nonat statments and let me know .

Thanks

Sent from Cisco Technical Support iPad App

Re: ASA 5510 with Static VLAN NAT

zac192000 — Mon, 12 Mar 2012 00:48:31 GMT

And use the correct subnet mask....I have written a different subnet mask in my first post and you ate using a different one....Just make sure....

Thanks

Sent from Cisco Technical Support iPad App

Re: ASA 5510 with Static VLAN NAT

DavidReisner — Mon, 19 Mar 2012 16:44:54 GMT

NAT-Control is not enabled