topic Re: ASA ISP Interface Setup in Network Security

ASA ISP Interface Setup

edw — Sat, 22 Feb 2020 07:35:55 GMT

Hi,

I have a ASA and tried to remove my external router which we have had for very long time. My main ISP connection work as follows (real IPs not used but the principle the same):

192.168.1.104 55.255.255.248 GW: 192.168.1.105

The IP NAT ranges for my clients is:

192.168.5.0 255.255.252.0

How do I get this configured on a ASA interface ? I have set the interface to have an IP address of 192.168.1.107 and a route of 0.0.0.0 0.0.0.0 192.168.1.105

I added a object group etc for NAT using a range like 192.168.5.241 192.168.5.245. But while this translation is happening according to the ASA I'm not getting any traffic out, for instance can't ping 8.8.8.8 etc??? Can't seem to find any examples of similar configurations even thou there must be some as this is pretty standard ISP configuration....

Thanks

Re: ASA ISP Interface Setup

Dennis Mink — Wed, 11 Jul 2018 11:14:47 GMT

so what is supposed to do the NAT? your firewall or some ISP device in front of it?

where is the 55. public IP? is that what you configured on the outside interface of your ASA?

if so, you need to do a dynamic nat (aka nat overload) from your internal subnet to the public IP.

and a static default route on your ASA to point to your ISP.

if this is not concise maybe add a small diagram of your set up

Re: ASA ISP Interface Setup

Jesper Erbs — Wed, 11 Jul 2018 11:58:46 GMT

Hi,

Did you define a nameif and security level?

A quick simple config would normally look like this:

interface <inside-interface>

security-level 100

nameif inside

ip address 192.168.5.104 255.255.255.0

interface <outside-interface>

security-level 0

nameif outside

ip address 192.168.1.104 255.255.255.248

route outside 0.0.0.0 0.0.0.0 192.168.1.105

nat (inside,outside) source dynamic any interface

Re: ASA ISP Interface Setup

edw — Wed, 11 Jul 2018 12:40:06 GMT

Thanks - The internal IPs are on the 10.1.x.x 255.255.255.0. We are needing to NAT to the 192.168.5.0 255.255.252.0. The ISP has a sub network so the external interface is 192.168.1.107 and GW 192.168.1.105. This is going straight to the ISP. All the 192.168.x.x IP's are internet routable.

I'm using NAT to do 10.1.x.x -> 192.168.5.0/22. But I don't appear to be getting any internet traffic. I know this setup work as I have a similar NAT on a router (which I'm trying to get rid of) so the connection or ISP isn't the issue. My question is that under this configu who do you do it on a ASA implementation of doing NAT onto of another public subnet.. if that makes sense.

Re: ASA ISP Interface Setup

edw — Wed, 11 Jul 2018 12:41:47 GMT

Re: ASA ISP Interface Setup

edw — Wed, 11 Jul 2018 18:45:55 GMT

Anyone? 🙂

Re: ASA ISP Interface Setup

Jesper Erbs — Wed, 11 Jul 2018 20:03:51 GMT

If I understand you correctly, you want to do static one to one NAT.

10.1.5.2 -> 192.168.5.2

10.1.5.3 -> 192.168.5.3

And so forth.

An example of that would be:

object network 10.1.5.0-24

subnet 10.1.0.0 255.255.255.0

object network 192.168.5.0-24

subnet 192.168.5.0 255.255.255.0

nat (inside,outside) source static 10.1.5.0-24 192.168.5.0-24