11-20-2009 05:37 AM - edited 03-11-2019 09:41 AM
Hi,
I have a problem where I'd like to NAT a pool of IPs in my DMZ to a single IP or a pool of IPs on my inside network. I have a VPN device that is going to hand out a range of IPs to VPN clients; the range is 172.15.16.0/24. The DMZ is on the range 10.45.96.0/24. I'd like to NAT this VPN pool of IPs, 172.15.16.0/24, to a single IP or a pool of IP addresses on my inside interface (10.45.60.0) on my Cisco ASA. Can someone please help me with the configuration?
Also, how can I restrict this range of IPs, i.e. the VPN pool or the NATted inside pool, to accessing a few pre-determined IPs and port numbers? I.e. where can I place the ACL, before or after NAT?
Many thanks
Dan
11-20-2009 05:41 AM
Dan
To a single IP
nat (outside) 1 172.16.5.0 255.255.255.0 outside
global (inside) 1 <single-inside-ip>
To a pool
nat (outside) 1 172.16.5.0 255.255.255.0 outside
global (inside) 1 <first-inside-ip>-<last-inside-ip>
To restrict access, use an outbound ACL on the inside interface.
Jon
11-20-2009 05:58 AM
Hi Jon,
Many, many thanks for that. Can I just ask, is there a benefit of using either a single or multiple IPs for the inside IPs?
Thanks
Dan
11-20-2009 07:24 AM
Dan
Depends on a couple of things
1) If you use a single address then it will have to do PAT (port address translation). This is fine as long as it doesn't break the application which it can do.
2) More importantly, if you use a single address it is a lot harder to tie that to the real IP address. If you want to log what the VPN clients are doing then it is easier to do a one-to-one translation, log this translation and then track down what that NATted IP address did.
3) The other one is obviously a shortage of addresses, which is often why PAT is used going from inside to the Internet. But that doesn't apply in this case as you can use any private addressing you like.
Jon
11-20-2009 07:31 AM
You're a star Jon.
Many thanks
Dan
11-20-2009 07:46 AM
No problem, glad to have helped.
11-20-2009 07:49 AM
Hi Jon,
One more question. What is the point of the static command? Doesn't this do the NATting? How does it differ from your suggested solution?
Thanks
Dan
11-20-2009 08:00 AM
Dan
The static command creates a permanent NAT translation and is bi-directional, i.e. connections can be initiated from both sides.
But all you want to do is NAT incoming VPN connections, so you can do this dynamically because connections will only ever be initiated from the VPN client.
Jon
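Pulling the thread together as one added configuration example (not Jon's or Dan's own config): the pre-8.3 nat/global syntax used above, showing the single-address (PAT) variant beside the one-to-one pool variant that Jon recommends for logging, and the outbound ACL on the inside interface that restricts the translated clients. The inside-side NAT addresses (10.45.60.200 and 10.45.60.201-10.45.60.250) and the permitted server 10.45.60.10 are assumed values chosen for the example; the VPN pool and inside network are Dan's.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (nat/global), as used above.
! VPN clients (172.15.16.0/24) arrive on the outside interface; inside network is 10.45.60.0/24.
! 10.45.60.200, 10.45.60.201-10.45.60.250 and 10.45.60.10 are assumed values.

! Option A: many-to-one (PAT). Every VPN client appears as 10.45.60.200 on the inside.
! Drawback (Jon's point 2): a log entry showing 10.45.60.200 cannot be tied to one client
! without also keeping the port-level translation records.
nat (outside) 1 172.15.16.0 255.255.255.0 outside
global (inside) 1 10.45.60.200

! Option B: one-to-one dynamic NAT from a pool. Each client holds its own inside address
! for the life of its translation, so the "Built dynamic ... translation" syslog
! (305011) maps a translated address straight back to the client's VPN address.
! (Replace option A with option B; both use NAT id 1.)
no global (inside) 1 10.45.60.200
global (inside) 1 10.45.60.201-10.45.60.250

! Restriction: an ACL applied in the "out" direction on the inside interface.
! Traffic has already been translated when it leaves inside, so the ACL matches the
! translated addresses (10.45.60.192/26 covers both the PAT address and the pool),
! not the 172.15.16.0/24 VPN pool. Only HTTPS to one server is allowed; the rest is
! denied and logged so blocked attempts are visible.
access-list INSIDE_OUT extended permit tcp 10.45.60.192 255.255.255.192 host 10.45.60.10 eq 443
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT out interface inside

! Translation logging (the part that makes option B worth it): keep NAT build/teardown
! events in the log stream you retain.
logging enable
logging trap informational
```

Because the ACL is matched after translation, any change to the global pool must be mirrored in the ACL, or the VPN clients silently lose (or gain) access.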