
ASA 8.3+ Static NAT Help

Ken D
Level 1

Hi all! I'm fairly new to the "new" way of setting up NAT rules on the ASA and need a little help getting going. I'm probably overlooking something very simple but I just can't see it for some reason!!!!! Overall I would like to send all of the traffic from one inside network (192.168.95.0) to one outside address (192.xx.xx.248) using dynamic PAT and the traffic from a second inside network (192.168.10.0) to another outside address (192.xx.xx.247) using a static NAT. I have the dynamic PAT working fine but cannot seem to get a static NAT working for the other. Below is the current config I am using. Any insight or suggestions would be greatly appreciated!!!!!!!!!!!

Thank You!

-Ken

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 192
!
interface Ethernet0/1
 switchport access vlan 95
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif VoIP
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan95
 nameif Inside-Interface
 security-level 100
 ip address 192.168.95.1 255.255.255.0
!
interface Vlan192
 nameif Outside-Interface
 security-level 0
 ip address 192.136.22.248 255.255.255.0
!
ftp mode passive
object network voip
 host 192.168.10.2
object network test
 subnet 192.168.95.0 255.255.255.0
pager lines 24
mtu Outside-Interface 1500
mtu Inside-Interface 1500
mtu VoIP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns
object network test
 nat (Inside-Interface,Outside-Interface) dynamic interface dns
route Outside-Interface 0.0.0.0 0.0.0.0 192.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no service password-recovery
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic

4 Replies

varrao
Level 10

Hi Ken,

You cannot use the 192.xx.xx.247 IP, since it is already statically mapped to your 192.168.10.2 IP in the network. Moreover, I did not get your requirement right: you want the whole network 192.168.10.0 to be statically NATted to 192.xx.xx.247?? Well, that's not possible, since static NAT is always one-to-one NAT. You can do dynamic NAT for it, but with a different public IP.

object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun, thanks for your reply! Sorry, I should have specified a little more in depth. Essentially I want to send all of my VoIP traffic to IP 192.xx.xx.247 from the inside host address of 192.168.10.2. So in the end my VoIP adapter will have the static IP of 192.168.10.2 and will be statically assigned to the outside address of 192.xx.xx.247.

Thanks again!!!!!

-Ken

Well, if that's the case, then you already have the NAT for it in your configuration:

object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns

You don't need to do any. But is it not working???

Thanks,

Varun

Thanks,
Varun Rao

That is correct. So for testing, if I plug into port ethernet 0/2, assign myself the following network info,

ip: 192.168.10.2

mask: 0/24

gateway: 192.168.10.1

dns: 8.8.8.8

I cannot surf. If I plug into port ethernet 0/1, assign myself the following network info,

ip: 192.168.95.2

mask: 0/24

gateway: 192.168.95.1

dns: 8.8.8.8

I can surf fine.

Thanks again!

-Ken
