A few ASA 8.4 config questions

gwhuang5398
Level 2

I have an Internet-facing ASA5580 configured as follows. Can someone help me with a few config questions?

Outside IP: 192.100.100.2/24 (default gateway to 192.100.100.1)

Inside IP: 10.100.100.2, connecting to internal switch at 10.100.100.1

Internal network is in 10.0.0.0/8, including users and servers. Some servers will be static NAT'd and others will be PAT'd just like users.

1. Can I use multiple IPs in 192.100.100.2/25 for PAT? For example, PAT users in 10.100.0.0/16 to 192.100.100.10, PAT 10.110.0.0/16 to 192.100.100.11, and PAT servers in 10.120.0.0/16 to 192.100.100.12?

2. Can I use a different public subnet, 192.100.101.0/24, to static NAT servers? No interface on the ASA has an IP in 192.100.101.0/24.

3. In relation to the last 2 questions, does a NAT'd or PAT'd IP have to be in the subnet of an ASA interface, or is any public routable IP owned by me OK?

4. HTTP inspection is in the default global inspection policy for TCP 80. Do I have to create a different policy to have inspection for HTTPS? I'm not sure if TCP inspection is in the global policy. If it is, I can just use that for HTTPS.

5. I have an internal subnet, 10.50.100.1/24, allocated for remote VPN clients. If a user VPNs in, then goes to the Internet, his IP would be PAT'd like any other internal user's. Is that right? I want to confirm there's nothing special I have to do in that case.

6. If some users want to be able to VPN into other companies from the internal network (via IPSec VPN or SSL VPN), what kind of access-list rules or NAT rules do I need to check into?

Thanks a lot

2 Replies

Julio Carvajal
VIP Alumni

Hello,

1. Can I use multiple IPs in 192.100.100.2/25 for PAT? For example, PAT users in 10.100.0.0/16 to 192.100.100.10, PAT 10.110.0.0/16 to 192.100.100.11, and PAT servers in 10.120.0.0/16 to 192.100.100.12?

Yes, you can do it using Policy NAT.

2. Can I use a different public subnet, 192.100.101.0/24, to static NAT servers? No interface on the ASA has an IP in 192.100.101.0/24.

Yes, you can. As soon as you configure the nat statement, the ASA will start to proxy-ARP those IP addresses not configured on any interface on the ASA.

3. In relation to the last 2 questions, does a NAT'd or PAT'd IP have to be in the subnet of an ASA interface, or is any public routable IP owned by me OK?

As I already said in my last answer, no, there is no need for it.

4. HTTP inspection is in the default global inspection policy for TCP 80. Do I have to create a different policy to have inspection for HTTPS? I'm not sure if TCP inspection is in the global policy. If it is, I can just use that for HTTPS.

-The thing with HTTPS is that its traffic will be encrypted, so the ASA will not be able to inspect some of the parameters included in the payload of each packet.

-By default the ASA will inspect the TCP and UDP protocols; the inspections that you see in these policy-maps are for additional parameters to check, additional channels to be opened, etc.

5. I have an internal subnet, 10.50.100.1/24, allocated for remote VPN clients. If a user VPNs in, then goes to the Internet, his IP would be PAT'd like any other internal user's. Is that right? I want to confirm there's nothing special I have to do in that case.

That is correct, but you will need to permit same-security intra-interface traffic for the U-turning traffic to work.

Also do a nat (outside,outside).

6. If some users want to be able to VPN into other companies from the internal network (via IPSec VPN or SSL VPN), what kind of access-list rules or NAT rules do I need to check into?

There is an option to allow VPN connections to bypass the ACL applied to an interface; you can see if it's enabled by doing:

sh run all sysopt

If you see sysopt connection permit-vpn, that will let you know that VPN connections (encrypted traffic that matches one of your previously configured tunnel-groups) will be allowed by default, so no concern for ACLs.

Do rate all the helpful posts from the support community.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
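Julio's answers to questions 1, 2 and 5 written out as ASA 8.4 object/twice NAT configuration. This is an added example, not configuration from the thread or from Cisco; it uses the addresses from the question and assumes the interface names inside/outside, the object names shown, and ASA 8.4(2) or later (for the no-proxy-arp and route-lookup keywords).

```cisco
! Added example (not from the original post). Interface and object names are assumptions.

! Q5 (part 1): identity NAT so inside <-> VPN-client traffic is never translated.
! Manual NAT rules are evaluated in order, so this must sit above the dynamic rules.
object network VPN_POOL
 subnet 10.50.100.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Q1: PAT each internal /16 behind its own public address (manual/"policy" NAT).
object network USERS_10_100
 subnet 10.100.0.0 255.255.0.0
object network USERS_10_110
 subnet 10.110.0.0 255.255.0.0
object network SERVERS_10_120
 subnet 10.120.0.0 255.255.0.0
object network PAT_10
 host 192.100.100.10
object network PAT_11
 host 192.100.100.11
object network PAT_12
 host 192.100.100.12
nat (inside,outside) source dynamic USERS_10_100 PAT_10
nat (inside,outside) source dynamic USERS_10_110 PAT_11
nat (inside,outside) source dynamic SERVERS_10_120 PAT_12

! Q2/Q3: static NAT to an address in 192.100.101.0/24, which is on no ASA interface.
! The ASA proxy-ARPs for the mapped address on outside (Julio's point), but because
! 192.100.101.0/24 is not the outside link's subnet, the upstream router at
! 192.100.100.1 must also carry a route for 192.100.101.0/24 pointing to 192.100.100.2.
! 10.120.0.10 is a constructed sample server address.
object network WEB_SERVER
 host 10.120.0.10
 nat (inside,outside) static 192.100.101.10

! Q5 (part 2): VPN clients reaching the Internet enter and leave the outside interface,
! so hairpinning must be permitted and their traffic PAT'd with an outside-to-outside rule.
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic VPN_POOL interface
```

Verify the resulting order and hit counts with show nat detail, and confirm the hairpin rule is used by checking show xlate while a VPN client browses.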

gwhuang5398
Level 2

Thanks a lot Julio.

For the remote VPN subnet, is it considered attached to the ASA outside interface or the inside interface? It was a little confusing using nat (outside,outside) to PAT the VPN subnet when going to the Internet.

My question #6 is actually about internal users using VPN to connect to other companies, not our remote users VPNing to my ASA. I was wondering if I need to do anything special about that.

Thanks again

Gary
