10-06-2011 08:19 AM - edited 02-21-2020 04:28 AM
Hi all! I'm fairly new to the "new" way of setting up NAT rules on the ASA and need a little help getting going. I'm probably overlooking something very simple but I just can't see it for some reason!!!!! Overall I would like to send all of the traffic from one inside network (192.168.95.0) to one outside address (192.xx.xx.248) using dynamic PAT and the traffic from a second inside network (192.168.10.0) to another outside address (192.xx.xx.247) using a static NAT. I have the dynamic PAT working fine but cannot seem to get a static NAT working for the other. Below is the current config I am using. Any insight or suggestions would be greatly appreciated!!!!!!!!!!!
Thank You!
-Ken
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 192
!
interface Ethernet0/1
 switchport access vlan 95
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif VoIP
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan95
 nameif Inside-Interface
 security-level 100
 ip address 192.168.95.1 255.255.255.0
!
interface Vlan192
 nameif Outside-Interface
 security-level 0
 ip address 192.136.22.248 255.255.255.0
!
ftp mode passive
object network voip
 host 192.168.10.2
object network test
 subnet 192.168.95.0 255.255.255.0
pager lines 24
mtu Outside-Interface 1500
mtu Inside-Interface 1500
mtu VoIP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns
object network test
 nat (Inside-Interface,Outside-Interface) dynamic interface dns
route Outside-Interface 0.0.0.0 0.0.0.0 192.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no service password-recovery
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
10-06-2011 08:33 AM
Hi Ken,
You cannot use the 192.xx.xx.247 IP, since it is already statically mapped to your 192.168.10.2 IP in the network. Moreover, I did not get your requirement right: you want the whole network 192.168.10.0 to be statically NATted to 192.xx.xx.247?? Well, that's not possible, since static NAT is always one-to-one NAT. You can do dynamic NAT for it, but a different public IP.
object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns
Hope that helps,
Thanks,
Varun
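Added example, not part of the thread and not Cisco tooling: a small Python check that lists the object NAT rules in a config like the one posted and flags any mapped address that a static rule shares with another rule, the situation the reply above describes. The `voip-net` object and the 203.0.113.x addresses are constructed for illustration; the parser tolerates the lost indentation of a pasted config.

```python
import re
from collections import defaultdict

# Constructed sample in ASA 8.3+ object NAT syntax. 203.0.113.0/24 is a
# documentation range standing in for the masked public addresses in the
# thread; the "voip-net" object is hypothetical.
SAMPLE = """\
object network voip
 host 192.168.10.2
object network test
 subnet 192.168.95.0 255.255.255.0
object network voip-net
 subnet 192.168.10.0 255.255.255.0
object network voip
 nat (VoIP,Outside-Interface) static 203.0.113.247 dns
object network test
 nat (Inside-Interface,Outside-Interface) dynamic interface dns
object network voip-net
 nat (VoIP,Outside-Interface) dynamic 203.0.113.247
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")

def parse_object_nat(config):
    """Return one dict per object NAT rule, joined with the object's real address."""
    real, rules, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif current and words and words[0] in ("host", "subnet"):
            real[current] = " ".join(words[1:])
        elif current and (m := NAT_RE.match(line.strip())):
            rules.append({"object": current, "real_if": m[1], "mapped_if": m[2],
                          "kind": m[3], "mapped": m[4]})
    for rule in rules:  # definitions and nat lines may sit in separate blocks
        rule["real"] = real.get(rule["object"], "?")
    return rules

def mapped_collisions(rules):
    """Mapped (interface, address) pairs claimed by a static rule and another rule."""
    by_mapped = defaultdict(list)
    for r in rules:
        by_mapped[(r["mapped_if"], r["mapped"])].append(r)
    return {k: [r["object"] for r in v] for k, v in by_mapped.items()
            if len(v) > 1 and any(r["kind"] == "static" for r in v)}

if __name__ == "__main__":
    for r in parse_object_nat(SAMPLE):
        print(f'{r["object"]}: {r["real"]} ({r["real_if"]}) -> {r["kind"]} {r["mapped"]} ({r["mapped_if"]})')
    print("collisions:", mapped_collisions(parse_object_nat(SAMPLE)))
```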
10-06-2011 08:51 AM
Hi Varun, thanks for your reply! Sorry, I should have specified a little more in depth. Essentially I want to send all of my VoIP traffic to IP 192.xx.xx.247 from the inside host address of 192.168.10.2. So in the end my VoIP adapter will have the static IP of 192.168.10.2 and will be statically assigned to the outside address of 192.xx.xx.247.
Thanks again!!!!!
-Ken
10-06-2011 08:55 AM
Well, if that's the case, then you already have the NAT for it in your configuration:
object network voip
 nat (VoIP,Outside-Interface) static 192.xx.xx.247 dns
You don't need to do any. But is it not working???
Thanks,
Varun
10-06-2011 09:03 AM
That is correct. So for testing, if I plug into port ethernet 0/2 and assign myself the following network info,
ip: 192.168.10.2
mask: 0/24
gateway: 192.168.10.1
dns: 8.8.8.8
I cannot surf. If I plug into port ethernet 0/1 and assign myself the following network info,
ip: 192.168.95.2
mask: 0/24
gateway: 192.168.95.1
dns: 8.8.8.8
I can surf fine.
Thanks again!
-Ken