07-11-2018 03:04 AM - last edited on 02-21-2020 11:35 PM by cc_security_adm
Hi,
I have an ASA and tried to remove my external router, which we have had for a very long time. My main ISP connection works as follows (real IPs not used, but the principle is the same):
192.168.1.104 255.255.255.248 GW: 192.168.1.105
The IP NAT ranges for my clients is:
192.168.5.0 255.255.252.0
How do I get this configured on an ASA interface? I have set the interface to have an IP address of 192.168.1.107 and a route of 0.0.0.0 0.0.0.0 192.168.1.105.
I added an object group etc. for NAT using a range like 192.168.5.241 192.168.5.245. But while this translation is happening according to the ASA, I'm not getting any traffic out; for instance, I can't ping 8.8.8.8 etc. Can't seem to find any examples of similar configurations, even though there must be some, as this is a pretty standard ISP configuration....
Thanks
Ed
07-11-2018 04:13 AM - edited 07-11-2018 04:14 AM
So what is supposed to do the NAT? Your firewall or some ISP device in front of it?
Where is the 55. public IP? Is that what you configured on the outside interface of your ASA?
If so, you need to do a dynamic NAT (aka NAT overload) from your internal subnet to the public IP,
and a static default route on your ASA to point to your ISP.
If this is not concise, maybe add a small diagram of your setup.
07-11-2018 05:40 AM
Thanks - The internal IPs are on 10.1.x.x 255.255.255.0. We need to NAT to 192.168.5.0 255.255.252.0. The ISP has a sub-network, so the external interface is 192.168.1.107 and the GW is 192.168.1.105. This goes straight to the ISP. All the 192.168.x.x IPs are internet routable.
I'm using NAT to do 10.1.x.x -> 192.168.5.0/22. But I don't appear to be getting any internet traffic. I know this setup works, as I have a similar NAT on a router (which I'm trying to get rid of), so the connection or ISP isn't the issue. My question is: under this configuration, how do you do it on an ASA, i.e. NAT onto another public subnet... if that makes sense.
07-11-2018 04:58 AM
Hi,
Did you define a nameif and security level?
A quick simple config would normally look like this:
interface <inside-interface>
 nameif inside
 security-level 100
 ip address 192.168.5.104 255.255.255.0
interface <outside-interface>
 nameif outside
 security-level 0
 ip address 192.168.1.104 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.1.105
nat (inside,outside) source dynamic any interface
07-11-2018 05:41 AM
Thanks - The internal IPs are on 10.1.x.x 255.255.255.0. We need to NAT to 192.168.5.0 255.255.252.0. The ISP has a sub-network, so the external interface is 192.168.1.107 and the GW is 192.168.1.105. This goes straight to the ISP. All the 192.168.x.x IPs are internet routable.
I'm using NAT to do 10.1.x.x -> 192.168.5.0/22. But I don't appear to be getting any internet traffic. I know this setup works, as I have a similar NAT on a router (which I'm trying to get rid of), so the connection or ISP isn't the issue. My question is: under this configuration, how do you do it on an ASA, i.e. NAT onto another public subnet... if that makes sense.
07-11-2018 11:45 AM
07-11-2018 01:03 PM
If I understand you correctly, you want to do static one-to-one NAT.
10.1.5.2 -> 192.168.5.2
10.1.5.3 -> 192.168.5.3
10.1.5.3 -> 192.168.5.3
And so forth.
An example of that would be:
object network 10.1.5.0-24
 subnet 10.1.5.0 255.255.255.0
object network 192.168.5.0-24
 subnet 192.168.5.0 255.255.255.0
nat (inside,outside) source static 10.1.5.0-24 192.168.5.0-24
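As an added example that is not from any poster in this thread, here is a fuller ASA (8.3+ NAT syntax) configuration that ties the two answers above together for the addressing the original poster described: the ASA sits on the ISP's 192.168.1.104/29 transit subnet, the ISP routes the public block 192.168.5.0/22 to the ASA's outside address, one inside /24 is mapped one-to-one, and everything else inside is PAT'd behind a single address from the public block. The interface names, object names, the PAT address 192.168.5.250 and the inside 10.1.0.0/16 summary are assumptions for illustration; the two requirements that the thread never spells out are also called out in comments.

```cisco
! Added example configuration (not from the thread). Assumes ASA 8.3+ NAT syntax.
! Assumption: the ISP routes 192.168.5.0/22 to the ASA outside address below.
! If the ISP still routes that block to the old router (e.g. 192.168.1.104),
! return traffic never reaches the ASA and every translation appears to "work"
! in show xlate while nothing comes back.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.107 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.105

! One-to-one static NAT for the hosts that need fixed public addresses.
object network INSIDE-10.1.5.0-24
 subnet 10.1.5.0 255.255.255.0
object network PUBLIC-192.168.5.0-24
 subnet 192.168.5.0 255.255.255.0
nat (inside,outside) source static INSIDE-10.1.5.0-24 PUBLIC-192.168.5.0-24

! Dynamic PAT for the rest of the inside space behind one public address
! from the routed /22 (assumed: 192.168.5.250). "after-auto" places this
! rule in section 3, so the static mapping above is always matched first.
object network INSIDE-ALL
 subnet 10.1.0.0 255.255.0.0
object network PUBLIC-PAT-ADDR
 host 192.168.5.250
nat (inside,outside) after-auto source dynamic INSIDE-ALL PUBLIC-PAT-ADDR

! Static one-to-one NAT exposes each mapped host to the internet, so the
! outside ACL decides what may come in; NAT by itself permits nothing.
! Assumed policy: only the web host 10.1.5.2 is reachable, on TCP/443.
object network WEB-SERVER
 host 10.1.5.2
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Verification: packet-tracer shows the NAT rule hit, the route used and the
! ACL result for a test flow, e.g. an ICMP echo from a mapped host to 8.8.8.8.
! packet-tracer input inside icmp 10.1.5.2 8 0 8.8.8.8
! show nat detail
! show xlate
```

Because the ACL on the real inside address is evaluated after untranslation in 8.3+ code, the `OUTSIDE-IN` entries reference the inside (10.1.5.x) host, not the public 192.168.5.x address. The `packet-tracer` and `show nat detail` output distinguishes the "translation happens but nothing returns" symptom from a NAT misconfiguration: if the translation and route both succeed on the ASA, the remaining suspect is the ISP's route for the /22.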