09-09-2015 06:14 AM - edited 03-11-2019 11:34 PM
Hi All,
NAT is very confusing for me in 8.3 and later :-(. I guess I would need more time to study and understand it completely.
I just got a requirement to allow an internal host behind the mgmt interface to access the internet/https to Juniper sites to get some updates.
I noticed there is no inbound ACL on mgmt, so I just need to add a NAT rule in my ASA running 9.2, but I am not sure if my NAT rule will work, so I wanted to check here.
I also noticed the below rule is already there to allow internal hosts to reach the internet via dynamic NAT:
nat (inside,Outside) source dynamic any interface
Now I have to allow a host behind the mgmt interface to access the internet, and here is my solution:
==========Planning to add this rule to allow 10.255.x.x to access https on internet=================
object network Juniper_STRM
host 10.255.x.x
nat (management,Outside) source dynamic Juniper_STRM interface
=====================================================
Will my solution cause any impact to the existing interface NAT? I hope not, and that my solution will work!!
Thanks, Amar
09-09-2015 09:27 AM
By default the Management interface is dedicated only for management traffic. But I read somewhere we can change the default behavior in some models and pass through traffic.
09-09-2015 11:47 AM
Hi,
Yes, that is correct. On the Saleen devices, we cannot use the management interface for data traffic. It is only supposed to be used for the management of the module (CX, IPS, Sourcefire).
You can however try to get another Layer 3 device and use that as the next hop to get the management subnet devices out to the internet.
http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html
Thanks and Regards,
Vibhor Amrodia
09-10-2015 12:42 AM
Hi Vibhor,
Below is my mgmt config, which says it is only for mgmt use..
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.255.x.29 255.255.255.xxx standby 10.255.x.30
The host (10.255.x.44) trying to access the internet is reachable via the mgmt interface..
route management 10.255.x.32 255.255.255.240 10.255.x.17 1
I guess, since the mgmt interface is configured as "mgmt only", it will not allow host traffic to go out to the internet, and we can route host traffic via the inside interface rather than the mgmt interface.. I agree with this. I will have to change the route on the mgmt interface as well in that case.
My main concern is how the NAT config will be for the below requirement..
Host (inside) wants to access the internet (outside) on the https port..
If it were prior to 8.2, I would have used a dynamic policy NAT to do this; since the new NAT only has two types, Manual & Object NAT, what should I choose and what will the config be?
Let's say the host is 10.255.1.1/32 and needs to be NATted with the outside interface IP.
Thanks,
Amar
09-10-2015 06:26 AM
Hi,
I think if the requirement is to allow the internal host to access the internet for port 443, you only need Dynamic NAT configured on the ASA device.
Ports you can filter using an inbound ACL on the ASA device's inside interface to only allow port 443.
So, I would recommend you to use Auto NAT for this.
Thanks and Regards,
Vibhor Amrodia
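As an added example (not configuration from this thread or from Cisco's documentation), the Auto NAT plus inside ACL approach described above, written out for the host 10.255.1.1 and the inside/Outside interface names used earlier in the thread; the object and ACL names are assumptions:

```cisco
! Object (Auto) NAT: PAT the single host to the Outside interface address.
! Object name STRM_HOST is an assumption; 10.255.1.1 is the host from the thread.
object network STRM_HOST
 host 10.255.1.1
 nat (inside,Outside) dynamic interface
!
! Inbound ACL on the inside interface so this host may only initiate HTTPS.
! ACL name INSIDE_IN is an assumption. An applied ACL ends in an implicit
! deny, so any other inside traffic that must keep flowing has to be
! permitted explicitly before the access-group line is applied.
access-list INSIDE_IN extended permit tcp host 10.255.1.1 any eq 443
access-group INSIDE_IN in interface inside
!
! After testing from the host, confirm the translation and the ACL hit counts.
show nat detail
show access-list INSIDE_IN
```

Because the existing `nat (inside,Outside) source dynamic any interface` rule is manual (twice) NAT in NAT section 1, it already matches this host before the object rule in section 2 is consulted, so the translated address is the Outside interface IP either way. Applying the inside ACL, not the NAT rule, is the change that affects other inside hosts.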