ASA NAT and Routing question

trichcco
Level 1

Hello,

I have a question about NAT and routing on the ASA. I am relatively new to ASA and am not sure if this will work or not. I have a pool of public IP's (209.x.x.x/28) that my ISP is routing to the external interface of my ASA. The IP they have assigned for the outside of the ASA is a 206.x.x.2/24 address with a default GW of 206.x.x.1. I plan on using NAT to allow my web/mail servers to be reached on the DMZ (192.168.x.x) using the 209.x.x.x addresses. However, I am not sure how to make this work since I am not arping on any interface for the 209.x.x.x addresses as they will be routed to the 206.x.x.2 address by the ISP. Do I just setup a NAT translation (on the external interface?) from the 209.x.x.x to the 192.168.x.x address and the ASA will figure it out?

Thanks for the help.

Todd

1 Accepted Solution

gfullage
Cisco Employee

The ASA will figure it out, it will answer ARP requests for anything that it has configured in a "static" command. As long as the ISP routes the 209.x.x.x addresses straight to the ASA then it should all work fine.

You just need to add lines like the following:

static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

for each of your internal DMZ servers. Then an access-list to allow only SMTP/HTTP/etc through to those 209.x.x.x addresses.

access-list inbound permit tcp any host 209.x.x.x eq smtp

access-list inbound permit tcp any host 209.y.y.y eq http

access-group inbound in interface outside

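The following is an added configuration example, not part of the accepted answer or any Cisco documentation, that puts the pieces of this thread together: the outside interface with the ISP-assigned 206.x.x.2 address, the default route, one static translation per DMZ server, and an inbound ACL that opens only the published ports. Because the ISP forwards 209.x.x.x/28 to 206.x.x.2 as a next hop, inbound packets reach the ASA's outside MAC without anyone needing to ARP for a 209 address; the static entry then matches the destination and the packet is forwarded to the DMZ. Addresses keep the thread's masked notation (209.x.x.x, 206.x.x.x, 192.168.x.x) and must be replaced with real values; the interface names `outside` and `dmz`, the host octets, and the object names `dmz-mail` and `dmz-web` are assumptions. The pre-8.3 and 8.3+ sections are alternatives, use whichever matches the ASA software version.

```text
! Added example (not from the original post). Placeholders: 209.x.x.x is the
! ISP-routed /28, 206.x.x.2/24 the outside address, 192.168.1.x the DMZ hosts.
! Interface names, host octets and object names are assumptions.

! Outside interface. The ISP router ARPs for 206.x.x.2, which the ASA owns.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 206.x.x.2 255.255.255.0

! Default route toward the ISP. The ASA needs no route for 209.x.x.x/28
! itself: inbound packets for 209.x.x.10 are matched by the static xlate.
route outside 0.0.0.0 0.0.0.0 206.x.x.1

! ---- ASA 8.2 and earlier (syntax used in the accepted answer) ----
! One static per DMZ server; the ASA proxy-ARPs for these on "outside".
static (dmz,outside) 209.x.x.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 209.x.x.11 192.168.1.11 netmask 255.255.255.255

! Pre-8.3 ACLs match the translated (public) address. Only the published
! services are permitted; everything else hits the implicit deny.
access-list inbound extended permit tcp any host 209.x.x.10 eq smtp
access-list inbound extended permit tcp any host 209.x.x.11 eq www
access-group inbound in interface outside

! ---- ASA 8.3 and later: object NAT, ACL references the real (DMZ) address ----
object network dmz-mail
 host 192.168.1.10
 nat (dmz,outside) static 209.x.x.10
object network dmz-web
 host 192.168.1.11
 nat (dmz,outside) static 209.x.x.11

access-list inbound extended permit tcp any object dmz-mail eq smtp
access-list inbound extended permit tcp any object dmz-web eq www
access-group inbound in interface outside
```

To confirm the translation and ACL behave as intended before exposing the servers, `show xlate` lists the static entries, and `packet-tracer input outside tcp 198.51.100.7 40000 209.x.x.10 25` (source address constructed from the TEST-NET-2 documentation range) walks a simulated inbound SMTP packet through route lookup, NAT and the ACL and reports which phase would drop it; repeating it with a port that is not in the ACL should show the drop at the access-list phase.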
2 Replies

Thank you for your response.

However, that is what I am confused about. The ASA will not be able to ARP on the external interface for the 209.x.x.x addresses, as the ISP is routing them to the 206.x.x.2 (i.e. it expects the 206.x.x.2 to be a router). So even if it does not ARP directly on the external interface for the 209.x.x.x address, will it be able to NAT it and then route to my DMZ?

Thank you,

Todd
