8.4 Configuration Assistance

chevymannie
Level 1

First off, I'm by no means an ASA expert and I was just starting to understand things before 8.3 came out. I have a 5512 that I'm trying to put in.  I think I've got everything configured correctly for the most part, but I need help with the last piece.  The ASA itself is going to be connected to the ISP router, but the kicker is that the ISP router also has a metro-E connection to another site.  The link to the router that is currently in place is trunked to the ISP router.  One VLAN for the internet and the other VLAN for the metro-E connection.  Configuring the trunk to the ASA is not a problem, I just need help making sure traffic flows between the inside interface and the metro-E connection.  I've never really understood how that works and I definitely don't know how to get it working with the changes to the nat commands.  I'd appreciate explanations.  I really don't understand the Cisco documentation on this.

3 Replies

Jouni Forss
VIP Alumni

Hi,

I just published a NAT 8.3+ document on the documentation section yesterday.

Maybe it will help you with the configuration format?

https://supportforums.cisco.com/docs/DOC-31116

Are you saying that the trunk interface holds

  • 1 ISP connection
  • 1 Remote Site connection

If so I guess there shouldn't be any special problems there regarding NAT as it's just one more LAN interface on the ASA.

As a base rule, if you have 2 different LAN interfaces on the ASA and you have no need to NAT addresses between them then simply don't configure any NAT at all. The ASA will by default allow all traffic through without NAT if there is no NAT.

- Jouni

Thanks Jouni.  Yes the trunk link has the ISP connection and the Metro-E connection to the remote site.  So if I have these two interfaces called inside and metro-E and inside has a security-level of 100 and metro-E 90, what should I do with NAT to ensure communication between the two interfaces?

Hi,

If there is no overlapping between the 2 sites' (local and remote) network addresses and there is otherwise no need to NAT traffic between them, you simply don't configure any NAT for them. Simple as that.

Of course you will have to remember to allow the traffic with the ACL.

For example, the simplest customer environments of ours have an ASA firewall (Security Context in an ASA in Multiple Context Mode) with a WAN interface and 2 LAN interfaces. In this case there is only need to configure Dynamic PAT so that both sites can access the Internet. No other NAT is configured and the 2 sites can communicate with each other without ever having to configure any type of NAT.

In those cases I basically have

object-group network DEFAULT-PAT-SOURCE
 description Default PAT Source Networks
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Which will basically do the following

  • object-group network DEFAULT-PAT-SOURCE = defines the source networks that need PAT to the Internet
  • (any,outside) = defines that the source interface can be "any" and the destination interface "outside". The previous "object-group" lists the networks for which the PAT is done, so it only applies to them.
  • after-auto = this moves the NAT rule to Section 3 so it doesn't possibly override any other NAT rules now or in the future
  • interface = defines that the "outside" interface IP address is used for the PAT (just like in the old "global" commands)

- Jouni
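To make the two points in the reply above concrete (no NAT is needed between two LAN interfaces, but the lower-security side still needs an ACL, and the after-auto PAT rule in Section 3 only fires for flows leaving via "outside"), here is a small added Python model of how the ASA evaluates a flow. It is not part of the thread and not Cisco code; the interface names, security levels, the 10.10.10.0/24 and 10.10.20.0/24 networks and the NAT command come from the post, while the interface addresses, the routing table and the ACL on metro-E are constructed for the example.

```python
"""Toy model of ASA 8.3+ flow evaluation: security levels, ACLs and NAT sections.

Constructed example, not an ASA implementation. Interface addresses, routes and
the metro-E ACL are assumptions; the object-group and nat rule are from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: inside (100), metro-E (90), outside (0).
INTERFACES = {
    "inside": {"security": 100, "ip": "10.10.10.1"},
    "metro-E": {"security": 90, "ip": "192.0.2.1"},
    "outside": {"security": 0, "ip": "203.0.113.10"},
}

# Constructed routing table; longest-prefix match selects the egress interface.
ROUTES = [
    (ip_network("10.10.10.0/24"), "inside"),
    (ip_network("10.10.20.0/24"), "metro-E"),   # remote site behind the metro-E link
    (ip_network("0.0.0.0/0"), "outside"),
]

# object-group network DEFAULT-PAT-SOURCE (from the post)
OBJECT_GROUPS = {
    "DEFAULT-PAT-SOURCE": [ip_network("10.10.10.0/24"), ip_network("10.10.20.0/24")],
}


@dataclass
class NatRule:
    section: int        # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    src_iface: str      # "any" or an interface name
    dst_iface: str      # "any" or an interface name
    source_group: str   # object-group whose members are translated
    translate_to: str   # "interface" = dynamic PAT to the egress interface address


# nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
NAT_RULES = [NatRule(3, "any", "outside", "DEFAULT-PAT-SOURCE", "interface")]

# Constructed ACL applied inbound on metro-E: (action, source, destination).
# Without it, metro-E (90) could not initiate traffic towards inside (100).
ACCESS_LISTS = {
    "metro-E": [
        ("permit", ip_network("10.10.20.0/24"), ip_network("10.10.10.0/24")),
        ("permit", ip_network("10.10.20.0/24"), ip_network("0.0.0.0/0")),
    ],
}


def interface_for(address):
    """Longest-prefix route lookup; also used to find the interface a source sits behind."""
    addr = ip_address(address)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def acl_permits(ingress, egress, src, dst, access_lists):
    """An inbound ACL replaces the implicit security-level rule on that interface."""
    acl = access_lists.get(ingress)
    if acl is None:
        # No ACL: higher security level may initiate to lower, not the reverse.
        # (Equal levels would need same-security-traffic permit; not modelled here.)
        return INTERFACES[ingress]["security"] > INTERFACES[egress]["security"]
    return any(action == "permit" and ip_address(src) in s and ip_address(dst) in d
               for action, s, d in acl)


def nat_lookup(src, ingress, egress):
    """Walk Sections 1, 2, 3 in order; the first matching rule wins. None = no translation."""
    src_ip = ip_address(src)
    for section in (1, 2, 3):
        for rule in (r for r in NAT_RULES if r.section == section):
            if rule.src_iface not in ("any", ingress) or rule.dst_iface not in ("any", egress):
                continue
            if not any(src_ip in net for net in OBJECT_GROUPS[rule.source_group]):
                continue
            if rule.translate_to == "interface":
                return INTERFACES[egress]["ip"]
            return rule.translate_to
    return None


def evaluate(src, dst, access_lists=ACCESS_LISTS):
    """Return the forwarding decision and the source address seen on the egress side."""
    ingress, egress = interface_for(src), interface_for(dst)
    if not acl_permits(ingress, egress, src, dst, access_lists):
        return {"action": "drop", "ingress": ingress, "egress": egress, "translated_src": None}
    translated = nat_lookup(src, ingress, egress)
    return {"action": "permit", "ingress": ingress, "egress": egress,
            "translated_src": translated or src}


if __name__ == "__main__":
    for flow in [("10.10.10.5", "10.10.20.7"), ("10.10.20.7", "10.10.10.5"),
                 ("10.10.10.5", "198.51.100.9"), ("10.10.20.7", "198.51.100.9")]:
        print(flow, "->", evaluate(*flow))
```

Running it shows inside-to-metro-E traffic forwarded untranslated (no NAT rule matches because the egress interface is not "outside"), the reverse direction dropped unless the metro-E ACL permits it, and both LAN networks PATed to the outside interface address only when the route points out to the Internet.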
