ASA NAT Question

cyoung1981
Level 1

I'm still figuring out NAT in the post-8.2 world. This question is a two-parter. First, I have configured SSL VPN and have the no-NAT set up like this:

nat (inside,outside) source static INTERNAL INTERNAL destination static VPN VPN no-proxy-arp route-lookup

Since INTERNAL and VPN are object groups, is static correct here? Or should it be dynamic?

Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IPs to themselves and let them pass to their destination firewall. I THINK I would configure it like this?

object network SUB1
 range 1.1.1.1 1.1.1.250
!
object network SUB2
 range 2.2.2.1 2.2.2.250
!
object-group network ONE-ONE
 network-object object SUB1
 network-object object SUB2
!
nat (inside,outside) source static ONE-ONE destination static ONE-ONE

Or would it be like the no-NAT for VPN and be like this?

nat (inside,outside) source static ONE-ONE ONE-ONE destination static ONE-ONE ONE-ONE

Or am I overthinking this and it really just needs to be?

object-group network ONE-ONE
nat static ONE-ONE
2 Replies

Your first statement is correct, and for the 2nd use the same VPN NAT.

Your identity NAT statement (aka no NAT) is correct.

> Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IPs to themselves and let them pass to their destination firewall. I THINK I would configure it like this?

I am not sure I understand what you are trying to achieve here. Are these public IPs configured on the ASAs themselves and are just to be routed through this internet firewall?

--
Please remember to select a correct answer and rate helpful posts