topic Re: ASA NAT question in Network Security

ASA NAT question

hanimolani — Mon, 11 Mar 2019 17:41:32 GMT

Dear all

I have a ip valid range from my isp

I want to nat my inside users to ip vaid range with dynamic NAT

my outside asa interface has one of these ip valids to see outside world

but the other ip in my range do not belong to any devices..

how is it possible that my clients nat to my all ip range

also i have a web server in my dmz

i want also make a static but i do not know how can i bind an valid ip into non valid ip

i mean i do not know whre this valid ip must be set!!

thank you

Re: ASA NAT question

Federico Coto Fajardo — Wed, 05 May 2010 16:52:29 GMT

Hi,

Please post the output from:

sh run nat

sh run global

sh run static

And let us know which are the real IPs that you want to NAT to which mapped IPs.

Federico.

Re: ASA NAT question

astripat — Wed, 05 May 2010 19:41:20 GMT

Hi,

Lets say that the ISP has provided the following range:

1.1.1.1-1.1.1.10

And, 1.1.1.1 is assigned to the outside interface. Also, 10.10.10.1 is the dmz web server which you want to publish to the outside world.

You can do the following:

nat (inside) 1 0 0

global (outside) 1 interface

static (dmz,outside) 1.1.1.2 10.10.10.1

access-list outside_access_in permit tcp any host 1.1.1.2 eq 80

access-group outside_access_in in interface outside

HTH

Ashu

Re: ASA NAT question

iliafirewall — Thu, 06 May 2010 10:53:49 GMT

umm..

I think there is miss understanding

the problem is that i have a valid range from my ISP

i want make a nat from my inside network to whole range

but the problem is only one ip from that range is assigned to my outside interface and rest od IP are not assign to any machine or any device

how can make a dynamic nat to this range according that no device or machine assigned to these IP addressess.

by the way my ASA verssion is 8.3.1

regards

Re: ASA NAT question

peter.kersting — Thu, 06 May 2010 16:14:40 GMT

Hi Hani

If my understanding of the question is correct you want to NAT inside hosts to public IPs in the range assigned to you
by your ISP?

If so you can do it like this:

global (outside) 1 1.1.1.1-1.1.1.10

nat (inside) 1 0 0

If you have more inside clients than public IPs, probably best to aslo include a fallback to PAT using the outside interface address:

global (outside) 1 interface

Pete

Re: ASA NAT question

hanimolani — Fri, 07 May 2010 10:27:52 GMT

Dear pete

My problem is where the range IP address must be set?

because these ip valid range address do not belong any thing into my network

thanks

Re: ASA NAT question

Jennifer Halim — Fri, 07 May 2010 10:32:47 GMT

If you would like to use that new IP range for dynamic NAT for your internal users, then you would configure it on the "global (outside)" statement.

Just have to make sure that the router in front of your ASA (connected to the outside interface of the ASA), is routing the new IP range towards the ASA outside interface.