NAT rule on ASA

niLuxx
Level 1

Dear community,

 

My company ordered a Cisco ASA 5508-X a few months ago. Everything is working now, but I am trying to understand what Cisco-TAQ did during the configuration in regard to the NAT settings. In general we have 3 types of clients that need a connection to the outside interface:

1. normal clients (laptops of employees, servers, etc.) => for connection to the internet

2. SIP telephones => for incoming and outgoing calls

3. VPN connections

 

The following NAT rules were configured:

1. nat (dmz,outside) source static network_dmz network_dmz destination static VPN VPN no-proxy-arp route-lookup
2. nat (jump,outside) source static network_jump network_jump destination static VPN VPN no-proxy-arp route-lookup
3. nat (internal,outside) source static internal_networks internal_networks destination static VPN VPN no-proxy-arp route-lookup
4. nat (fritzbox,outside) source static fritzbox_host interface service udp_in udp_out
5. nat (fritzbox,outside) source static fritzbox interface service 5060 5060
6. nat (fritzbox,outside) source static network_fritzbox network_fritzbox destination static VPN VPN no-proxy-arp route-lookup
7. nat (outside,outside) source dynamic VPN interface
!
object network obj_any
8. nat (any,outside) dynamic interface

 

NAT rules 4 - 5 are clear to me. They are related to our SIP device (fritzbox), which is directly connected to the ASA.

NAT rules 1 - 3 and 6 are also clear to me. They are related to the VPN access. I have learned that a VPN connection always needs NAT entries.

 

Not clear to me are rules 7 and 8.

 

Rule 8:

=> Is this rule used for the "normal" internet connection? => "Any connection of an internal client that wants to connect to a public IP address will be NATed?" => Does that mean it is the prerequisite for internet access in our system?

 

Rule 7:

=> Is this rule for providing an internet connection (see rule 8) for the VPN client? If yes, wouldn't rule 8 already be enough, since "Any Source Intf" of rule 8 also includes the "outside" of rule 7, and "obj_any Source" of rule 8 also includes the "VPN" source of rule 7?

 

Best greetings,

niLuxx
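To make the ordering question behind rules 7 and 8 concrete, here is a small added example (not code from the post or from Cisco) that models how the ASA consults its NAT table: Section 1 (manual/twice NAT, in configured order, first match, static rules bidirectional) is evaluated before Section 2 (object NAT such as obj_any). It loads the identity rules 1, 2, 3 and 6, rule 7 and rule 8 from the post and reports which rule a given flow would hit, with and without rule 7. The addresses behind the object names and the VPN pool are constructed placeholders, not the poster's values; the port-specific rules 4 and 5 are left out, and proxy-ARP, route-lookup, Section 2 ordering subtleties and same-security-traffic settings are ignored.

```python
"""Toy model of Cisco ASA NAT evaluation order (added example, not from the post).

Encodes only the documented ordering: Section 1 manual NAT in configured order,
first match, then Section 2 object NAT. Everything else is simplified.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# CONSTRUCTED placeholder prefixes for the object names used in the post.
OBJECTS = {
    "network_dmz": ["192.0.2.0/24"],
    "network_jump": ["198.51.100.0/24"],
    "internal_networks": ["10.0.0.0/8"],
    "network_fritzbox": ["172.16.0.0/24"],
    "VPN": ["10.255.0.0/24"],      # assumed VPN client pool
    "any": ["0.0.0.0/0"],
}


def _in(ip, obj):
    return any(ip_address(ip) in ip_network(n) for n in OBJECTS[obj])


@dataclass
class Rule:
    number: int
    section: int          # 1 = manual (twice) NAT, 2 = object NAT
    src_if: str           # "any" matches every ingress interface
    dst_if: str
    src: str              # real source object
    dst: str = "any"      # real destination object
    kind: str = "dynamic" # "static" rules are bidirectional on the ASA
    mapped: str = "interface"  # "same" = identity NAT, "interface" = PAT

    def matches(self, in_if, src_ip, dst_ip):
        forward = (self.src_if in ("any", in_if)
                   and _in(src_ip, self.src) and _in(dst_ip, self.dst))
        if forward or self.kind != "static":
            return forward
        # Static twice-NAT also matches the reverse flow (dst_if -> src_if).
        return (self.dst_if == in_if
                and _in(src_ip, self.dst) and _in(dst_ip, self.src))


def rules_from_post():
    identity = dict(dst="VPN", kind="static", mapped="same")
    return [
        Rule(1, 1, "dmz", "outside", "network_dmz", **identity),
        Rule(2, 1, "jump", "outside", "network_jump", **identity),
        Rule(3, 1, "internal", "outside", "internal_networks", **identity),
        Rule(6, 1, "fritzbox", "outside", "network_fritzbox", **identity),
        Rule(7, 1, "outside", "outside", "VPN"),          # dynamic PAT, VPN hairpin
        Rule(8, 2, "any", "outside", "any"),              # object NAT obj_any
    ]


def lookup(rules, in_if, src_ip, dst_ip):
    """First match in Section 1 (configured order), then Section 2, else None."""
    for section in (1, 2):
        for r in rules:
            if r.section == section and r.matches(in_if, src_ip, dst_ip):
                return r
    return None


def which_rule(in_if, src_ip, dst_ip, drop=()):
    """Number of the rule a flow hits; `drop` removes rule numbers for what-if tests."""
    rules = [r for r in rules_from_post() if r.number not in drop]
    r = lookup(rules, in_if, src_ip, dst_ip)
    return r.number if r else None


def describe(in_if, src_ip, dst_ip, drop=()):
    n = which_rule(in_if, src_ip, dst_ip, drop)
    if n is None:
        return "no NAT"
    r = next(r for r in rules_from_post() if r.number == n)
    action = "identity NAT, addresses kept" if r.mapped == "same" else "PAT to outside interface"
    return f"rule {n} ({action})"


if __name__ == "__main__":
    flows = [
        ("internal", "10.1.1.5", "10.255.0.7"),    # LAN host -> VPN client
        ("internal", "10.1.1.5", "203.0.113.9"),   # LAN host -> internet
        ("outside", "10.255.0.7", "10.1.1.5"),     # VPN client -> LAN host
        ("outside", "10.255.0.7", "203.0.113.9"),  # VPN client -> internet (hairpin)
    ]
    for f in flows:
        print(f, "->", describe(*f), "| without rule 7:", describe(*f, drop=(7,)))
```

The last flow is the one the question is about: with rule 7 present it is the first Section 1 match for VPN-client traffic leaving via outside; with rule 7 removed the model falls through to the Section 2 object NAT rule 8, because (any,outside) also covers outside as the ingress interface. Whether the real box behaves identically also depends on the settings this model ignores (notably same-security-traffic permit intra-interface for the hairpin).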

 

2 Replies

balaji.bandi
Hall of Fame

Duplicate post - can you merge both into one thread please? So it is easy to address the issue.

 

Maybe I have overlooked the last digit of the numbers.

BB


Hello,

 

No, it's not a duplicate post. Different devices (ASA5508/ASA5506) and different problems (checking NAT / problems with ASDM access).

 

Greetings,

niLuxx
