Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
488
Views
0
Helpful
2
Replies

ASA NAT and Routing question

Go to solution
trichcco
Level 1
Level 1

‎02-10-2006 08:10 AM - edited ‎02-21-2020 12:42 AM

Hello,

I have a question about NAT and routing on the ASA. I am relatively new to ASA and am not sure if this will work or not. I have a pool of public IP's (209.x.x.x/28) that my ISP is routing to the external interface of my ASA. The IP they have assigned for the outside of the ASA is a 206.x.x.2/24 address with a default GW of 206.x.x.1. I plan on using NAT to allow my web/mail servers to be reached on the DMZ (192.168.x.x) using the 209.x.x.x addresses. However, I am not sure how to make this work since I am not arping on any interface for the 209.x.x.x addresses as they will be routed to the 206.x.x.2 address by the ISP. Do I just setup a NAT translation (on the external interface?) from the 209.x.x.x to the 192.168.x.x address and the ASA will figure it out?

Thanks for the help.

Todd

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎02-10-2006 09:22 AM

The ASa will figure it out, it will answer ARP requests for anything that it has configured in a "static" command. As long as th eISP routes the 209.x.x.x addresses straight to the ASA then it should all work fine.

You just need to add lines like the following:

static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

for each of your internal DMZ servers. Then an access-list to allow only SMTP/HTTP/etc through to those 209.x.x.x addresses.

access-list inbound permit tcp any host 209.x.x.x eq smtp

access-list inbound permit tcp any host 209.y.y.y eq http

access-group inbound in interface outside

View solution in original post

0 Helpful
2 Replies 2

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎02-10-2006 09:22 AM

The ASa will figure it out, it will answer ARP requests for anything that it has configured in a "static" command. As long as th eISP routes the 209.x.x.x addresses straight to the ASA then it should all work fine.

You just need to add lines like the following:

static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

for each of your internal DMZ servers. Then an access-list to allow only SMTP/HTTP/etc through to those 209.x.x.x addresses.

access-list inbound permit tcp any host 209.x.x.x eq smtp

access-list inbound permit tcp any host 209.y.y.y eq http

access-group inbound in interface outside

0 Helpful

Go to solution
trichcco
Level 1
Level 1
In response to gfullage

‎02-10-2006 05:18 PM

Thank you for your response.

However that is what I am confused about. The ASA will not be able to arp on the external int for the 209.x.x.x addresses, as the ISP is routing them to the 206.x.x.2 (ie: it expects the 206.x.x.2 to be a router..). So even if it does not arp directly on the external interface for the 209.x.x.x address, will it be able to nat it then route to my dmz?

Thank you,

Todd

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card