01-06-2008 10:38 AM - edited 02-21-2020 01:51 AM
Hi all,
Maybe a dumb question. One of my clients is planning on creating RDP access to a few servers sitting on the 'Inside' of an ASA5510. The client requested a /24 public address space from the ISP and was provided with 1.1.1.0/24 (IPs changed). Also, the ISP provided the client with the ASA outside i/f IP: 2.2.2.2/30 and the default gateway for the ASA (ISP's modem) as 2.2.2.1/30.
So what is the best way to use the ISP-assigned public IPs to provide RDP access to the servers inside? Can I assign 1.1.1.1/24 to the ASA inside and create 'NO NAT' to access the internet and also RDP?
Or, I was originally thinking about having NAT with a pvt IP scheme internally (was not aware of the public IP space requested). So is there any way of using the same pvt IP space and the assigned /24 IP addresses to create Internet/RDP access?
Any help with config links is appreciated.
Thanks in advance
MS
01-06-2008 12:21 PM
"I was originally thinking about having NAT with pvt ip scheme internally (was not aware of public ip space requested). So is there any way using same pvt ip space and assigned /24 ip addresses to create Internet/RDP access?"
Absolutely possible, and best to do it as you have thought it out.
If I understand correctly (please correct me otherwise!):
1-You have ASA5510, outside interface with Public IP 2.2.2.2/30
2-ISP router with IP 2.2.2.1/30
3-ISP gives client 254 public IP addresses for client use on different range as 1.1.1.0/24
You may well do the following if you do not have inside interface IP configured.
1- ASA5510 inside can be any IP subnet from any of the private reserved ranges. For your inside interface you could use any of the below private ranges.
i-10.0.0.0 through 10.255.255.255
ii-172.16.0.0 through 172.31.255.255
iii-192.168.0.0 through 192.168.255.255
assume you have for inside interface 172.16.1.1/24
so you have :
ASA5510 outside interface IP: 2.2.2.2/30
ASA5510 inside interface IP : 172.16.1.1/24
For your new ISP-provided public IP range, simply create in the ASA5510 your one-to-one NAT translations using the new IP addresses from the ISP. Note that the ISP must route the new public IP address space back to your ASA5510 outside interface; I'm sure they know that.
As said, simply create your static nat using new public IP address, you may also create
global nat pools if needed.
e.g. RDP access from outside using public IP 1.1.1.100 NATed to 172.16.1.50 PC inside host
static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-group outside_access_in in interface outside
e.g. for creating additional global pools using the new IP range, with PAT.
global (outside) 2 1.1.1.50-1.1.1.74
global (outside) 2 1.1.1.75
Rgds
Jorge
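An added example, not part of the original thread and not Cisco tooling: a small Python audit over the pre-8.3 ASA syntax used in the answer above. It pairs each static translation with the ACL bound to the outside interface and flags RDP permits whose source is `any`. The second static, the 203.0.113.0/24 source and the function name are constructed for illustration.

```python
import re

# Constructed sample: the pre-8.3 ASA lines from the answer above, plus one
# hypothetical source-restricted entry (203.0.113.0/24, 1.1.1.101, 172.16.1.51).
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.101 172.16.1.51 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-list outside_access_in permit tcp 203.0.113.0 255.255.255.0 host 1.1.1.101 eq 3389
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit tcp "
    r"(any|host \S+|\S+ \S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_rdp_exposure(config, outside_if="outside", ports=("3389",)):
    """Return one finding per inbound permit on `ports` bound to outside_if."""
    statics, acl_entries, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            # Syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
            real_if, mapped_if, mapped_ip, real_ip, _mask = m.groups()
            if mapped_if == outside_if:
                statics[mapped_ip] = real_ip
        elif m := ACL_RE.match(line):
            acl_entries.append(m.groups())
        elif m := GROUP_RE.match(line):
            if m.group(2) == outside_if:
                bound.add(m.group(1))
    findings = []
    for name, src, dst, port in acl_entries:
        if name not in bound or port not in ports:
            continue  # ACL not applied inbound on outside, or a different port
        findings.append({
            "public_ip": dst,
            "inside_ip": statics.get(dst),  # None: permit with no static behind it
            "source": src,
            "open_to_internet": src == "any",
        })
    return findings

if __name__ == "__main__":
    for f in audit_rdp_exposure(SAMPLE_CONFIG):
        state = "OPEN TO ANY SOURCE" if f["open_to_internet"] else "restricted"
        print(f"{f['public_ip']} -> {f['inside_ip']} tcp/3389 from {f['source']}: {state}")
```
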
01-06-2008 03:57 PM
Hi Jorge,
You have 100% perfectly got my question and provided me with a perfect and very helpful idea. Thanks a lot.
MS
01-06-2008 05:57 PM
Mehboob, you're welcome, and thank you for the rating. I'm sure all will be good at your end, and netpro/forum will always be here to assist.
Rgds
Jorge