ASA ISP Interface Setup

edw
Level 1

Hi,

I have an ASA and tried to remove my external router, which we have had for a very long time. My main ISP connection works as follows (real IPs not used, but the principle is the same):

192.168.1.104 55.255.255.248 GW: 192.168.1.105

The IP NAT range for my clients is:

192.168.5.0 255.255.252.0

How do I get this configured on an ASA interface? I have set the interface to have an IP address of 192.168.1.107 and a route of 0.0.0.0 0.0.0.0 192.168.1.105

I added an object group etc. for NAT using a range like 192.168.5.241 192.168.5.245. But while this translation is happening according to the ASA, I'm not getting any traffic out; for instance, I can't ping 8.8.8.8 etc. I can't seem to find any examples of similar configurations, even though there must be some, as this is a pretty standard ISP configuration.

Thanks

Ed

6 Replies

Dennis Mink
VIP Alumni

So what is supposed to do the NAT? Your firewall or some ISP device in front of it?

Where is the 55. public IP? Is that what you configured on the outside interface of your ASA?

If so, you need to do a dynamic NAT (aka NAT overload) from your internal subnet to the public IP,

and a static default route on your ASA to point to your ISP.

If this is not concise, maybe add a small diagram of your setup.

Please remember to rate useful posts, by clicking on the stars below.

Thanks - The internal IPs are on the 10.1.x.x 255.255.255.0. We are needing to NAT to the 192.168.5.0 255.255.252.0. The ISP has a sub network, so the external interface is 192.168.1.107 and GW 192.168.1.105. This is going straight to the ISP. All the 192.168.x.x IPs are internet routable.

I'm using NAT to do 10.1.x.x -> 192.168.5.0/22. But I don't appear to be getting any internet traffic. I know this setup works, as I have a similar NAT on a router (which I'm trying to get rid of), so the connection or ISP isn't the issue. My question is, under this config, how do you do it on an ASA implementation of doing NAT on top of another public subnet... if that makes sense.

Jesper Erbs
Level 1

Hi,

Did you define a nameif and security level?

A quick simple config would normally look like this:

interface <inside-interface>
 security-level 100
 nameif inside
 ip address 192.168.5.104 255.255.255.0

interface <outside-interface>
 security-level 0
 nameif outside
 ip address 192.168.1.104 255.255.255.248

route outside 0.0.0.0 0.0.0.0 192.168.1.105
nat (inside,outside) source dynamic any interface

Thanks - The internal IPs are on the 10.1.x.x 255.255.255.0. We are needing to NAT to the 192.168.5.0 255.255.252.0. The ISP has a sub network, so the external interface is 192.168.1.107 and GW 192.168.1.105. This is going straight to the ISP. All the 192.168.x.x IPs are internet routable.

I'm using NAT to do 10.1.x.x -> 192.168.5.0/22. But I don't appear to be getting any internet traffic. I know this setup works, as I have a similar NAT on a router (which I'm trying to get rid of), so the connection or ISP isn't the issue. My question is, under this config, how do you do it on an ASA implementation of doing NAT on top of another public subnet... if that makes sense.

edw
Level 1
Anyone? :)

If I understand you correctly, you want to do static one-to-one NAT.

10.1.5.2 -> 192.168.5.2

10.1.5.3 -> 192.168.5.3

10.1.5.3 -> 192.168.5.3

And so forth.

An example of that would be:

object network 10.1.5.0-24
 subnet 10.1.5.0 255.255.255.0
object network 192.168.5.0-24
 subnet 192.168.5.0 255.255.255.0

nat (inside,outside) source static 10.1.5.0-24 192.168.5.0-24
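
An added example, not posted by anyone in this thread: a small Python check of the net-to-net static NAT rule above, using the thread's placeholder addressing as constructed input. The function names and finding strings are hypothetical; the code computes the host-preserving mapping and flags a mapped range that lies outside the outside interface subnet, which is reachable only if the upstream device routes that range to the ASA's outside address.

```python
import ipaddress as ip

def parse_subnet(addr, mask):
    """Parse a 'subnet <addr> <mask>' pair; raises ValueError if host bits are set."""
    return ip.ip_network(f"{addr}/{mask}", strict=True)

def static_map(real, mapped, host):
    """Mapped address of `host` when the host offset is preserved one-to-one."""
    host = ip.ip_address(host)
    if real.num_addresses != mapped.num_addresses:
        raise ValueError(f"{real} and {mapped} differ in size")
    if host not in real:
        raise ValueError(f"{host} is not inside {real}")
    return mapped.network_address + (int(host) - int(real.network_address))

def check_rule(real, mapped, outside, gateway):
    """Return findings for one rule; `outside` is the outside interface address/mask."""
    findings = []
    if real.num_addresses != mapped.num_addresses:
        findings.append("size-mismatch")
    if ip.ip_address(gateway) not in outside.network:
        findings.append("gateway-not-on-outside-subnet")
    if not mapped.subnet_of(outside.network):
        # Off-subnet mapped addresses are only reachable if the upstream
        # routes the mapped range to the outside interface address.
        findings.append(f"needs-upstream-route-to-{outside.ip}")
    return findings

# Constructed input: the placeholder addressing quoted in the thread.
REAL = parse_subnet("10.1.5.0", "255.255.255.0")
MAPPED = parse_subnet("192.168.5.0", "255.255.255.0")
OUTSIDE = ip.ip_interface("192.168.1.107/255.255.255.248")

if __name__ == "__main__":
    print(static_map(REAL, MAPPED, "10.1.5.2"))
    print(check_rule(REAL, MAPPED, OUTSIDE, "192.168.1.105"))
    try:
        # 192.168.5.0 is not a /22 boundary (that network starts at 192.168.4.0).
        parse_subnet("192.168.5.0", "255.255.252.0")
    except ValueError as err:
        print("rejected:", err)
```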
