Re: ASA NAT question

hanimolani · ‎05-05-2010

Dear all

I have a ip valid range from my isp

I want to nat my inside users to ip vaid range with dynamic NAT

my outside asa interface has one of these ip valids to see outside world

but the other ip in my range do not belong to any devices..

how is it possible that my clients nat to my all ip range

also i have a web server in my dmz

i want also make a static but i do not know how can i bind an valid ip into non valid ip

i mean i do not know whre this valid ip must be set!!

thank you

Federico Coto Fajardo · ‎05-05-2010

Hi,

Please post the output from:

sh run nat

sh run global

sh run static

And let us know which are the real IPs that you want to NAT to which mapped IPs.

Federico.

astripat · ‎05-05-2010

Hi,

Lets say that the ISP has provided the following range:

1.1.1.1-1.1.1.10

And, 1.1.1.1 is assigned to the outside interface. Also, 10.10.10.1 is the dmz web server which you want to publish to the outside world.

You can do the following:

nat (inside) 1 0 0

global (outside) 1 interface

static (dmz,outside) 1.1.1.2 10.10.10.1

access-list outside_access_in permit tcp any host 1.1.1.2 eq 80

access-group outside_access_in in interface outside

HTH

Ashu

iliafirewall · ‎05-06-2010

umm..

I think there is miss understanding

the problem is that i have a valid range from my ISP

i want make a nat from my inside network to whole range

but the problem is only one ip from that range is assigned to my outside interface and rest od IP are not assign to any machine or any device

how can make a dynamic nat to this range according that no device or machine assigned to these IP addressess.

by the way my ASA verssion is 8.3.1

regards

peter.kersting · ‎05-06-2010

Hi Hani

If my understanding of the question is correct you want to NAT inside hosts to public IPs in the range assigned to you
by your ISP?

If so you can do it like this:

global (outside) 1 1.1.1.1-1.1.1.10

nat (inside) 1 0 0

If you have more inside clients than public IPs, probably best to aslo include a fallback to PAT using the outside interface address:

global (outside) 1 interface

Pete

hanimolani · ‎05-07-2010

Dear pete

My problem is where the range IP address must be set?

because these ip valid range address do not belong any thing into my network

thanks

Jennifer Halim · ‎05-07-2010

If you would like to use that new IP range for dynamic NAT for your internal users, then you would configure it on the "global (outside)" statement.

Just have to make sure that the router in front of your ASA (connected to the outside interface of the ASA), is routing the new IP range towards the ASA outside interface.