11-04-2011 02:29 AM - edited 03-11-2019 02:46 PM
Hi
I'm really poor at understanding the way natting works. I really get stuck on the inside, outside, nat (0) and global terms in NAT.
Can you please explain how I should configure natting in these scenarios?
case 1 : inside network 10.10.10.0/24-------------<e1>pix<e0>---------11.11.1.65-11.11.1.70( total 5 pub. IP's)
case 2: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 (only 1 pub ip)
case 3: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 (only 1 pub ip)
192.168.1.0/24-----------+<e2>
case 4: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 & 11.11.1.66 (one pub IP to LAN and one web server + pub IP to web server)
Can you guys explain to me the differences in these three scenarios, to make me understand practically what's going on in natting?
Thanks & Regards
srikanth
11-04-2011 03:33 AM
Hi Srikanth,
Let me explain case by case:
Case 1: If you nat 10.10.10.0/24 to the 5 outside IPs, then the statements would be:
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 11.11.1.65-11.11.1.70
All the users in the inside network would be dynamically natted to the 5 public IPs (not really useful, because it gives you an option of only 5 public IPs, which means only 5 users can access the internet at a time).
Case 2: If all the inside users are patted to a single public IP:
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 11.11.1.65
This is more useful, since here the users would take the ports from approx 1200 to 65535 to go to the internet, so a large number of users can access the internet at a time.
Case 3: Two subnets are patted to the same public IP:
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 11.11.1.65
So now both the subnets, when they go to the internet, would be port address translated to the public IP.
Case 4: The internal subnet is patted to one public IP and the web server is statically natted to another public IP:
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 11.11.1.65
static (inside,outside) 11.11.1.66 10.10.10.10
Remember, your static commands are for bi-directional traffic, which means anyone from the internet can access it on the public IP as well, but nat and global statements are only for traffic going from inside to outside.
Please go through the document below as well to understand better:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
Hope that helps,
Thanks,
Varun
Do rate helpful posts
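The three behaviours in the answer above (address pool, PAT on a single address, and a static that also answers from the outside) can be seen side by side in a small model. This is an added example, not part of the original posts and not Cisco code: the `PixNat` class, its method names and the first PAT port are assumptions made for illustration, and the range is expanded exactly as typed, .65 through .70 inclusive.

```python
import ipaddress

class PixNat:
    """Toy model of PIX nat/global/static semantics (constructed, not Cisco code)."""

    def __init__(self, config):
        self.nat, self.pools, self.static = [], {}, {}
        self.xlate, self.next_port = {}, 1024   # first PAT port: modelling choice
        for line in config.strip().splitlines():
            w = line.split()
            if w[0] == "nat":       # nat (if) <id> <network> <mask>
                self.nat.append((w[2], ipaddress.ip_network(f"{w[3]}/{w[4]}")))
            elif w[0] == "global":  # global (if) <id> <addr> or <first>-<last>
                first, _, last = w[3].partition("-")
                lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last or first))
                self.pools[w[2]] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
            elif w[0] == "static":  # static (real_if,mapped_if) <mapped> <real>
                self.static[w[3]] = w[2]

    def outbound(self, src, sport):
        """Return (mapped_ip, mapped_port) for an inside-initiated flow, or None."""
        if src in self.static:                    # static wins over nat/global
            return self.static[src], sport
        ids = [i for i, net in self.nat if ipaddress.ip_address(src) in net]
        pool = self.pools.get(ids[0]) if ids else None
        if not pool:
            return None
        if len(pool) == 1:                        # single global address => PAT
            key = (src, sport)
            if key not in self.xlate:
                self.xlate[key] = (pool[0], self.next_port)
                self.next_port += 1
            return self.xlate[key]
        if src not in self.xlate:                 # range => one address per host
            free = [a for a in pool if a not in self.xlate.values()]
            if not free:
                return None                       # pool exhausted
            self.xlate[src] = free[0]
        return self.xlate[src], sport

    def inbound(self, dst):
        """Real host reachable by an outside-initiated flow to dst, or None."""
        return next((real for real, mapped in self.static.items() if mapped == dst), None)

# The configurations from cases 1, 2 and 4 of the answer, as typed there.
CASE1 = "nat (inside) 1 10.10.10.0 255.255.255.0\nglobal (outside) 1 11.11.1.65-11.11.1.70"
CASE2 = "nat (inside) 1 10.10.10.0 255.255.255.0\nglobal (outside) 1 11.11.1.65"
CASE4 = CASE2 + "\nstatic (inside,outside) 11.11.1.66 10.10.10.10"
```

In the case 4 model only 11.11.1.66 resolves to an inside host for outside-initiated traffic, which is why a static entry is the address to review when checking what a configuration exposes.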
11-04-2011 02:52 AM
Hi Srikanth,
Your requirement is not very clear to me... Can you explain in detail what exactly you need? Do you want to pat all the users in the 10.10.10.0/24 network to use the public IPs when they access the internet?
I would definitely be able to help you once I have your requirements clear.
Thanks,
Varun
11-04-2011 03:06 AM
Hi Varun,
Thanks for the reply. In all the scenarios below:
example case 1: how to nat?
case 2: how to nat? And the same with the other two scenarios.
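case 1 : inside network 10.10.10.0/24-------------<e1>pix<e0>---------11.11.1.65-11.11.1.70( total 5 pub. IP's)
case 2: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 (only 1 pub ip)
case 3: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 (only 1 pub ip)
192.168.1.0/24-----------+<e2>
case 4: inside network 10.10.10.0/24-------------<e1>pix<e0>-----------11.11.1.65 & 11.11.1.66 (one pub ip to lan and one web server+ pub ip to web server)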
Simple example: I don't understand what he has done here. To understand it in a better way, I have given the above example cases with different requirements.
global (outside) 1 172.16.199.3-172.16.199.62 netmask 255.255.255.192
nat (inside) 0 192.168.200.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
thanks & regards
srikanth
11-04-2011 03:48 AM
Thanks for your effortful time, Varun.
Will get back if I face any problem.
Thanks,
srikanth