02-25-2012 09:29 AM - edited 03-11-2019 03:34 PM
Please assist in a design problem we have imminent. I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
The ASA NAT config is below:
global (OUTSIDE) 1 interface
global (INSIDE) 1 interface
global (3RDPARTY) 1 interface
global (INTERNET) 1 interface
global (ADSL) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (3RDPARTY) 1 0.0.0.0 0.0.0.0
nat (WIRELESS) 0 access-list NO_NAT_WLS
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (VPN-TRANSIT) 0 access-list VPN-TRANSIT_nat0_outbound
nat (vlan99) 1 10.99.0.0 255.255.0.0
static (INSIDE,3RDPARTY) 172.31.45.98 10.111.0.104 netmask 255.255.255.255
static (WIRELESS,INSIDE) 10.111.1.0 192.168.27.0 netmask 255.255.255.0
static (INSIDE,WIRELESS) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (3RDPARTY,INSIDE) 10.110.0.15 172.31.45.100 netmask 255.255.255.255
static (WIRELESS,INSIDE) Handheld_nat Handheld netmask 255.255.255.255
Is it possible all I need is static inside to outside statements, as they are two-way in IOS? Any ideas or comments will be gratefully received!
02-25-2012 11:34 PM
What is the exact problem you are facing in NAT? Routers support both static and dynamic NAT?
And a router can have subinterfaces also ....
It is your choice and method how you want to deploy the settings?
Give a diagram or further details in table form to know more of your requirements?
NAT on a router is available even if you have the basic IP BASE OS in the router?
02-26-2012 05:21 AM
Thank you for your reply - I think at this stage I am just trying to verify some base NAT config that I should put on the router. I would post a problem with the functionality in a different discussion.
I was planning to use the "overload" command and an access-list identifying subnets to exclude and allow, to create dynamic NAT (PAT) on both the Public Internet and 3rd party interfaces (one statement for each interface). Then use some static NAT statements to map the host to host translations on the 172.31 (3rd party) and 10.110 & 10.111 (Inside private) subnets.
I understand that an interface has to have either an "inside" or "outside" statement to participate in NAT, so I guess that I must assign the "outside" statement to the 3rd party interface, or else our internal 10.110 addresses will not be hidden. I do not think it will be a problem, as I believe the 3rd party subnet does not need to access the Internet (presuming this would be impossible as they are both "outside" NAT interfaces?).
I have included a basic diagram of the target router.
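As an added example (not part of this thread, and not taken from anyone's router), here is one way the INSIDE, INTERNET and 3RDPARTY parts of the ASA configuration above could be expressed as IOS NAT. The interface names, access-list names, route-map names and the ACL contents are assumptions; the addresses are the ones from the ASA statements. The WIRELESS, VPN-TRANSIT and vlan99 lines are left out, and the contents of INSIDE_nat0_outbound are not in the thread, so that exemption is only a placeholder comment.

```cisco
! Assumed interface roles (names are placeholders, not from the poster's diagram)
interface GigabitEthernet0/0
 description INSIDE (10.110.0.0/16 and 10.111.0.0/16)
 ip nat inside
!
interface GigabitEthernet0/1
 description INTERNET
 ip nat outside
!
interface GigabitEthernet0/2
 description 3RDPARTY (172.31.45.0/24 side)
 ip nat outside
!
! Traffic allowed to be PATed toward the Internet.
! Deny entries for the INSIDE_nat0_outbound destinations belong at the top
! (their contents are not in the thread, so none are shown here).
ip access-list extended NAT-INTERNET
 permit ip 10.110.0.0 0.0.255.255 any
 permit ip 10.111.0.0 0.0.255.255 any
!
! Traffic allowed to be PATed toward the 3rd party
ip access-list extended NAT-3RDPARTY
 permit ip 10.110.0.0 0.0.255.255 any
 permit ip 10.111.0.0 0.0.255.255 any
!
! Route-maps pin each translation to one outside interface. Without them an
! inside-source entry applies on every "ip nat outside" interface at once,
! which is the IOS equivalent of having the same global pool on all ASA interfaces.
route-map TO-INTERNET permit 10
 match ip address NAT-INTERNET
 match interface GigabitEthernet0/1
!
route-map TO-3RDPARTY permit 10
 match ip address NAT-3RDPARTY
 match interface GigabitEthernet0/2
!
! ASA: global (INTERNET) 1 interface  +  nat (INSIDE) 1 0.0.0.0 0.0.0.0
ip nat inside source route-map TO-INTERNET interface GigabitEthernet0/1 overload
!
! ASA: global (3RDPARTY) 1 interface  +  nat (INSIDE) 1 0.0.0.0 0.0.0.0
ip nat inside source route-map TO-3RDPARTY interface GigabitEthernet0/2 overload
!
! ASA: static (INSIDE,3RDPARTY) 172.31.45.98 10.111.0.104 netmask 255.255.255.255
! Inside host 10.111.0.104 appears to the 3rd party as 172.31.45.98. The entry is
! bidirectional: connections from the 3rd party to 172.31.45.98 reach 10.111.0.104.
ip nat inside source static 10.111.0.104 172.31.45.98 route-map TO-3RDPARTY
!
! ASA: static (3RDPARTY,INSIDE) 10.110.0.15 172.31.45.100 netmask 255.255.255.255
! 3rd-party host 172.31.45.100 appears to inside hosts as 10.110.0.15. This is the
! reverse-direction static, which IOS expresses as outside-source NAT; add-route
! installs the host route for 10.110.0.15 pointing toward the outside side.
ip nat outside source static 172.31.45.100 10.110.0.15 add-route
```

Two points worth checking after the migration. First, `ip nat inside source static` is two-way on IOS, so the inside-to-3rdparty static alone does not replace the (3RDPARTY,INSIDE) entry; that one maps an external address into the inside address space, which is the outside-source form above, and it only works if 10.110.0.15 is routed at the outside interface (hence `add-route`). Second, a static translation makes the inside host reachable from the outside interface for any port, and an IOS router has no implicit deny between lower- and higher-security interfaces the way the ASA does, so the inbound access-list or zone-based firewall policy applied on the 3RDPARTY interface is what actually limits what the 3rd party can reach through 172.31.45.98. `show ip nat translations` and `show ip nat statistics` confirm which entries are being hit once traffic flows.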