04-10-2008 08:13 AM - edited 03-11-2019 05:29 AM
Dear Sir,
I have a question regarding NAT on Cisco ASA firewall version 7.2
I want to add an ASA 5520 to my existing network; the purpose of this device is to perform only NAT for a server inside my network.
PIX 515-----
|
ASA5520 ---- Cisco 6509 Switch
The problem is that the default route in the Cisco 6509 is the PIX 515, and I will not be able to configure an additional default gateway to be the ASA 5520.
I am thinking of configuring NAT to translate the source of the traffic entering the ASA from the internet to a private pool, so I can configure a static route to this pool in the 6509 switch.
So is it possible to do that?
In other words, the purpose of the NAT will be:
1) Allow external users to access the server from the internet (publish the server to a real IP).
2) Translate the source of the external users to an internal pool.
04-10-2008 12:10 PM
YW ..
->> Is it secure to translate from outside to inside?
Sure, not an issue.
Regards,
Vibhor.
04-10-2008 08:14 AM
The network will be as follows:
PIX---------
|--6509
ASA---------
04-10-2008 08:46 AM
I think your network is like this-
    ----Internet----
    |              |
   ASA            PIX
    |-----6509-----|
           |
         Server
Assuming the server's private IP is x.x.x.x and the public IP mapping is y.y.y.y, you can apply the following commands on the ASA:
static (inside,outside) y.y.y.y x.x.x.10
access-list outin permit tcp any host y.y.y.y eq 80
access-group outin in interface outside
//Assuming that inside server is a webserver, else change the ACL accordingly.
access-list nat-outside permit ip any host y.y.y.y
nat (outside) 10 access-list nat-outside outside
global (inside) 10 x.x.x.20
Now anyone trying to access the x.x.x.10 server through the ASA will get translated to x.x.x.20, and replies will go back through the ASA. Hope this helps.
Regards,
Vibhor.
04-10-2008 08:53 AM
Thank you for your concern.
Assume the real server IP is 1.2.3.4,
the server IP is 172.16.1.10,
and the internal pool is 192.168.1.0/24.
Now I want, when a user on the internet tries to access the internal server, the source IP of the packets entering the ASA to be translated to 192.168.1.0/24, and the destination to be translated to 172.16.1.10.
So in the 6509 I can configure a static route to 192.168.1.0/24 through the ASA.
04-10-2008 10:44 AM
The following will translate the server from its real IP of 1.2.3.4 to 172.16.1.10 on the outside interface.
static (inside,outside) 172.16.1.10 1.2.3.4
Outside users, when trying to access 172.16.1.10, will get their source translated to addresses in the 192.168.1.0-254 range.
access-list nat-outside permit ip any host 172.16.1.10
nat (outside) 10 access-list nat-outside outside
global (inside) 10 192.168.1.1-192.168.1.253
global (inside) 10 192.168.1.254
HTH.
Regards,
Vibhor.
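The point of the outside NAT in the two replies above is routing symmetry: the 6509's default route is the PIX, so a server reply to an untranslated internet source would leave via the PIX and never reach the ASA that holds the connection state. The following model is an added example, not code from the thread or from Cisco; it uses the asker's addresses (published 1.2.3.4, server 172.16.1.10, pool 192.168.1.0/24) and a constructed client address, and shows which next hop the 6509 picks for the reply with and without the source translation.

```python
import ipaddress

# Constructed 6509 routing table from the thread: a static route for the
# NAT pool toward the ASA, and the pre-existing default route toward the PIX.
CORE_ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "ASA",
    ipaddress.ip_network("0.0.0.0/0"): "PIX",
}

# static (inside,outside): published address -> real server (asker's values)
STATIC_MAP = {"1.2.3.4": "172.16.1.10"}
# global (inside) pool used by nat (outside) ... outside
POOL = ipaddress.ip_network("192.168.1.0/24")


def core_next_hop(dst: str) -> str:
    """Longest-prefix match on the 6509 routing table."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in CORE_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return CORE_ROUTES[best]


def asa_inbound(src: str, dst: str, outside_nat: bool):
    """Translate one outside->inside packet as the posted config would.

    Destination: the static maps the published IP to the server.
    Source: with outside NAT on, the source is rewritten into the pool
    (deterministic pick here; the real ASA allocates from 192.168.1.1-254).
    Returns (new_src, new_dst) or None if dst is not a published host."""
    if dst not in STATIC_MAP:
        return None
    new_src = src
    if outside_nat:
        idx = int(ipaddress.ip_address(src)) % 253 + 1   # 1..253
        new_src = str(POOL.network_address + idx)
    return new_src, STATIC_MAP[dst]


def reply_next_hop(client_ip: str, outside_nat: bool) -> str:
    """Where the 6509 forwards the server's reply to the (translated) client.

    Stateful inspection only works if this returns "ASA": the reply must
    traverse the same firewall that created the connection entry."""
    inside_src, _server = asa_inbound(client_ip, "1.2.3.4", outside_nat)
    return core_next_hop(inside_src)


if __name__ == "__main__":
    # 203.0.113.5 is a constructed (documentation-range) client address.
    print("with outside NAT:   ", reply_next_hop("203.0.113.5", True))
    print("without outside NAT:", reply_next_hop("203.0.113.5", False))
```

With the translation in place the reply is routed back to the ASA; without it the reply follows the default route to the PIX, which has no matching connection and drops it.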
04-10-2008 12:08 PM
Thank you Vibhor,
Is it secure to translate from outside to inside?
Regards