01-16-2019 09:46 PM
Dear community,
my company ordered a Cisco ASA 5508-X a few months ago. Everything is working now, but I am trying to understand what Cisco TAC did during the configuration with regard to the NAT settings. In general we have three types of clients that need a connection to the outside interface:
1. normal clients (laptops of employees, servers, etc.) => for connection to the internet
2. SIP telephones => for incoming and outgoing calls
3. VPN connections
The following NAT rules were configured:
1. nat (dmz,outside) source static network_dmz network_dmz destination static VPN VPN no-proxy-arp route-lookup
2. nat (jump,outside) source static network_jump network_jump destination static VPN VPN no-proxy-arp route-lookup
3. nat (internal,outside) source static internal_networks internal_networks destination static VPN VPN no-proxy-arp route-lookup
4. nat (fritzbox,outside) source static fritzbox_host interface service udp_in udp_out
5. nat (fritzbox,outside) source static fritzbox interface service 5060 5060
6. nat (fritzbox,outside) source static network_fritzbox network_fritzbox destination static VPN VPN no-proxy-arp route-lookup
7. nat (outside,outside) source dynamic VPN interface
!
object network obj_any
8. nat (any,outside) dynamic interface
NAT rules 4 - 5 are clear to me. They are related to our SIP-device (fritzbox), that is directly connected to the ASA.
NAT rules 1 - 3 and 6 are also clear to me. They are related to the VPN access. I have learned that a VPN connection always needs NAT entries.
Not clear to me are rules 7 and 8.
Rule 8:
=> Is this rule used for "normal" internet connections? => "Any connection from an internal client to a public IP address will be NATed?" => so this is the prerequisite for internet access in our system?
Rule 7:
=> Is this rule for providing an internet connection (see rule 8) for the VPN clients? If yes, wouldn't rule 8 already be enough, since "Any Source Intf" of rule 8 also includes the "outside" of rule 7, and "obj_any Source" of rule 8 also includes the "VPN" source of rule 7?
Best greetings,
niLuxx
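As an added illustration (not part of niLuxx's post or of the TAC configuration), a small Python model of the first-match order the question about rules 7 and 8 turns on: the ASA evaluates the manual (twice) NAT rules of section 1 (rules 1-3, 6 and 7 above) before the object NAT of section 2 (rule 8), so a VPN client whose traffic hairpins back out of the outside interface is matched by rule 7 before the more general rule 8 is ever consulted. The prefixes and the outside interface address are constructed; the model shows evaluation order only, not whether rule 8 alone would have worked.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefixes for illustration; the thread does not show the real objects.
OBJECTS = {
    "internal_networks": ipaddress.ip_network("10.0.0.0/16"),
    "VPN": ipaddress.ip_network("10.99.0.0/24"),     # assumed VPN client pool
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")     # constructed outside interface IP

@dataclass
class Rule:
    name: str
    section: int        # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src_if: str         # "any" matches every ingress interface
    src_obj: str
    dst_obj: str = "any"
    pat: bool = False   # False = identity (real == mapped), True = PAT to the outside IP

# Only the rules the question is about, in configuration order within each section.
# (Section 2 is ordered by object size on a real ASA; with one rule that does not matter.)
RULES = [
    Rule("3: identity internal->VPN", 1, "internal", "internal_networks", "VPN"),
    Rule("7: (outside,outside) VPN hairpin", 1, "outside", "VPN", pat=True),
    Rule("8: obj_any (any,outside)", 2, "any", "any", pat=True),
]

def egress_if(dst):
    """Minimal route lookup: the internal prefix is reached via 'internal', all else via 'outside'."""
    return "internal" if dst in OBJECTS["internal_networks"] else "outside"

def lookup(src_if, src, dst):
    """Return (matching rule name, mapped source address) for a flow entering on src_if.
    Section 1 is evaluated before section 2, each in the order listed; the first match wins.
    Reverse-direction matching of twice NAT rules is deliberately not modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if egress_if(dst) != "outside":   # every rule here has 'outside' as mapped interface
        return ("no rule (mapped interface is not outside)", str(src))
    for r in sorted(RULES, key=lambda r: r.section):   # stable sort keeps config order
        if r.src_if in ("any", src_if) and src in OBJECTS[r.src_obj] and dst in OBJECTS[r.dst_obj]:
            return (r.name, str(OUTSIDE_IP) if r.pat else str(src))
    return ("no match", str(src))

if __name__ == "__main__":
    print(lookup("outside", "10.99.0.5", "198.51.100.1"))   # VPN client to internet: rule 7
    print(lookup("internal", "10.0.1.7", "198.51.100.1"))   # LAN client to internet: rule 8
    print(lookup("internal", "10.0.1.7", "10.99.0.5"))      # LAN to VPN client: identity, rule 3
```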
01-16-2019 10:32 PM - edited 01-16-2019 10:46 PM
Duplicate post - can you please merge both into one thread? That makes it easier to address the issue.
Maybe I have overlooked the last digit of the numbers.
01-16-2019 10:34 PM
Hello,
no, it's not a duplicate post. Different devices (ASA5508/ASA5506) and different problems (checking NAT / problems with ASDM access).
Greetings,
niLuxx