Beginner

ASA 5508

Hello to all, this is my first post so I will try to keep it simple and clean.

I have 2 internal IPs that I want to translate to 2 external IPs, each one on its own.

Let's say x.x.x.10 to x.x.x.200 and x.x.x.11 to x.x.x.201.

Now, which concept should I use? I don't want to use dynamic NAT with a pool, since I want to bind each address to its own. I have read about Twice NAT but I am not sure if it is the right way to do it.

Any help would be appreciated, thank you.

Rising star

Re: ASA 5508

Hi, you can also use a dynamic pool. In this way the hosts will not be "exposed" to the internet. This is an example:

conf t
object network HOST1
 host x.x.x.10
 nat (inside,outside) dynamic x.x.x.200
object network HOST2
 host x.x.x.11
 nat (inside,outside) dynamic x.x.x.201

Otherwise you must use static rules, for example:

static (inside,outside) x.x.x.200 x.x.x.10 netmask 255.255.255.255
static (inside,outside) x.x.x.201 x.x.x.11 netmask 255.255.255.255

The commands can be different based on the ASA fw version.

Regards.

Beginner

Re: ASA 5508

Thank you for the reply.

Just to clarify something, since I am not the initial configurator of this ASA and my knowledge of it is limited to a point, here is what I have now:

show xlate
3 in use, 622 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:x.x.x.13 to DMZ:x.x.x.13
flags s idle 407:21:47 timeout 0:00:00
NAT from outside:x.x.x.14 to DMZ:x.x.x.14
flags s idle 407:21:47 timeout 0:00:00
NAT from DMZ:10.x.x.13 to outside:151.x.x.13 flags i idle 0:00:40 timeout 3:00:00

Now they want the .14 network to be NATed from DMZ to the public .14 network. Any ideas? Thank you for your time.

Rising star

Re: ASA 5508

Hi, you can try these commands:

conf t
object network x.x.x.14
 subnet x.x.x.0 255.255.255.0   !!! you must set ip and subnetmask according to your scenario
 nat (DMZ,outside) dynamic x.x.x.14   !!! configure the public ip

Regards.

Beginner

Re: ASA 5508

I am getting this: WARNING: Pool (151.x.x.14) overlap with existing pool.

After doing

show nat pool

I get these results:

NAT pool outside:NatPool, range 151.x.x.13-151.x.x.14, allocated 1.

On your previous recommendation, the

conf t
object network x.x.x.14 ---- is the internal IP, I guess

Thank you.

Rising star

Re: ASA 5508

Hi,

object network x.x.x.14 ---- is the internal ip i guess  <= yes

and the message WARNING: Pool () overlap with existing pool is just a warning.

Anyhow, you can remove the IP x.x.x.14 from the existing pool and create a new one if necessary.

Beginner

Re: ASA 5508

Thank you for your replies and sorry for the late response.

So here is what I have now:

object network xxxxx
nat (outside,DMZ) static 10.x.x.14
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.14
object network xxxxx
nat (outside,DMZ) static 10.x.x.13
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
access-group Out-DMZ in interface outside
access-group DMZ_acl in interface DMZ
access-group DMZ-inside in interface inside

For some reason the x.13 to x.13 NAT is working.

The x.14 to x.14 is not. Any ideas?

Am I missing something?

Frequent Contributor

Re: ASA 5508

I think when you use:

object network xxxxx
nat (outside,DMZ) static 10.x.x.14

and then

object network xxxxx
nat (outside,DMZ) static 10.x.x.13

this cannot work, as you have already allocated the outside ports to 10.x.x.14, hence no ports are available for 10.x.x.13 either.

Here's what I would do:

- remove
object network xxxxx
nat (outside,DMZ) static 10.x.x.13

- check the output of show run nat | 151.x.x.13
The right output should list only the related config from this:
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
If you see more lines, just see what other NAT config is using 151.x.x.13.

If all is OK so far, then you should be able to have Internet access from DMZ to outside, as long as you permit this on the ACL DMZ_acl.


Beginner

Re: ASA 5508

Mm, it makes sense, but what I really want is that the 2 internal IP addresses are translated to the 2 public IP addresses, each one on its own: the .13 to .13 and .14 to .14. Can it be done?

Now it works with the .13; if I reload the ASA it goes either to .13 or to .14 and I don't want that.

Thank you for your time.

 

Beginner

Re: ASA 5508

Guys, any ideas?
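An added example, not from this thread and not Cisco's code: a small Python checker that parses `show xlate` output in the format quoted above and reports, for each DMZ host, whether its translation is missing, points at the wrong public address, or is dynamic (flag `i`, the kind that is re-allocated from the pool after a reload) rather than static (flag `s`, pinned to one public address). It also renders the one-to-one static object NAT lines in ASA 8.3+ syntax for a set of host-to-public mappings, the "static rules" alternative mentioned in the first reply. The sample output uses constructed placeholder addresses (10.0.0.x and 203.0.113.x) in place of the poster's masked ones, and the object names, function names and the `EXPECTED` mapping are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One translation entry in 'show xlate' output. The 'flags ...' part may sit
# on the same line or on the next one, so \s+ bridges an optional newline.
XLATE_RE = re.compile(
    r"NAT from (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)\s+flags (?P<flags>[A-Za-z]+)"
)


@dataclass(frozen=True)
class Xlate:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    flags: str

    @property
    def is_static(self) -> bool:
        # Per the legend the ASA prints: 's' = static, 'i' = dynamic.
        return "s" in self.flags


def parse_xlate(text: str) -> List[Xlate]:
    """Extract every translation entry from 'show xlate' output."""
    return [Xlate(**m.groupdict()) for m in XLATE_RE.finditer(text)]


def check_pinned(text: str, expected: Dict[str, str],
                 inside_if: str = "DMZ", outside_if: str = "outside") -> List[str]:
    """Report inside hosts whose translation is absent, maps to the wrong
    public address, or is dynamic (and so may change after a reload)."""
    findings: List[str] = []
    entries = parse_xlate(text)
    for inside_ip, public_ip in sorted(expected.items()):
        hits = [x for x in entries
                if x.src_if == inside_if and x.src_ip == inside_ip
                and x.dst_if == outside_if]
        if not hits:
            findings.append(f"{inside_ip}: no active translation")
            continue
        for x in hits:
            if x.dst_ip != public_ip:
                findings.append(
                    f"{inside_ip}: translated to {x.dst_ip}, expected {public_ip}")
            if not x.is_static:
                findings.append(
                    f"{inside_ip}: dynamic translation (flags {x.flags}), not pinned")
    return findings


def object_nat_config(mappings: Dict[str, str], inside_if: str = "DMZ",
                      outside_if: str = "outside") -> List[str]:
    """Render one-to-one static object NAT (ASA 8.3+ syntax), one object per host.
    Object names are an assumption of this example."""
    lines: List[str] = []
    for inside_ip, public_ip in sorted(mappings.items()):
        name = "HOST-" + inside_ip.replace(".", "-")
        lines += [f"object network {name}",
                  f" host {inside_ip}",
                  f" nat ({inside_if},{outside_if}) static {public_ip}"]
    return lines


# Constructed sample in the shape of the 'show xlate' output quoted in the
# thread (placeholder addresses); the .14 host has landed on the .13 pool entry.
SAMPLE_XLATE = """\
3 in use, 622 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:203.0.113.13 to DMZ:203.0.113.13
flags s idle 407:21:47 timeout 0:00:00
NAT from DMZ:10.0.0.13 to outside:203.0.113.13 flags i idle 0:00:40 timeout 3:00:00
NAT from DMZ:10.0.0.14 to outside:203.0.113.13 flags i idle 0:00:05 timeout 3:00:00
"""

# Intended one-to-one mapping (assumed for the example).
EXPECTED = {"10.0.0.13": "203.0.113.13", "10.0.0.14": "203.0.113.14"}

if __name__ == "__main__":
    for finding in check_pinned(SAMPLE_XLATE, EXPECTED):
        print("finding:", finding)
    print("\n".join(object_nat_config(EXPECTED)))
```

Running it against the sample reports that both hosts are on dynamic translations and that the .14 host is currently using the .13 public address; once the static object NAT lines are in place, the same check returns no findings because each entry carries flag `s` and the expected public address.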