03-03-2017 10:50 AM - edited 03-12-2019 02:00 AM
Can I configure the ASA outside interface public IP as a static NAT for one of the inside servers?
03-03-2017 11:54 AM
This is not a good practice. If you do that, the ASA's outside interface IP address will be bound only to that particular server's internal IP address and cannot be used for anything else, since static NAT is one-to-one NAT, and it may affect the internet traffic. But yes, that depends on your topology too.
In case you do not have many free public IP addresses and need to use the outside interface IP address, you can also check regular static PAT, which is also static in nature but port based. For example, if you have a web server, then you can bind port 80 of the outside public IP address to your server.
Below is the link which can give you more information about static PAT:
Till 8.2:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html
For 8.3 and above:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/nat_objects.html#wp1106703
from CLI:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Please rate if this resolves your concern/issue.
Regards
Tripat Kaur
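The contrast the answer above draws (one-to-one static NAT to the interface IP versus a port-based static PAT on it), as an added ASA 8.3+ configuration example that is not part of the original thread. The addresses are constructed for the example: web server 10.1.1.10 on inside LAN 10.1.1.0/24, outside interface 198.51.100.1; object names are arbitrary.

```cisco
! Added example, not from the original thread. ASA 8.3+ object NAT syntax.
! Assumed (constructed) addresses: inside web server 10.1.1.10,
! inside LAN 10.1.1.0/24, outside interface 198.51.100.1.

! --- What the answer warns against: one-to-one static NAT to the interface IP.
! Every inbound port on 198.51.100.1 would be claimed for the server, and the
! ASA would have nothing left for dynamic PAT of outbound LAN traffic.
! Shown commented out for contrast; do not configure it together with the PAT below.
! object network WEB-SERVER
!  host 10.1.1.10
!  nat (inside,outside) static interface

! --- Recommended: static PAT. Only TCP/80 of the interface IP maps to the server.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 80 80
!
! Outbound dynamic PAT for the rest of the LAN keeps working on the same
! interface IP, because the static PAT consumed a single port, not the address.
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT alone does not permit the traffic. In 8.3+ the inbound ACL references
! the real (untranslated) address of the server, not the outside IP.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside
```

To check the result, `show nat detail` should list the static PAT entry for WEB-SERVER ahead of the dynamic entry for INSIDE-LAN, and `packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.1 80` should show the packet translated to 10.1.1.10:80 and allowed; a probe to any other port of 198.51.100.1 should be dropped rather than forwarded, which is the property the one-to-one variant would lose.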
03-03-2017 08:39 PM
Thanks for the info.
That being said, since we can still NAT the outside interface IP, can we use the NATed outside interface IP in a site-to-site VPN? Again, we will be using the outside interface IP as the VPN peer IP; is this possible?
03-07-2017 02:56 PM
If you wish to configure a S2S VPN on the ASA with its outside interface IP address as the peer IP, it should not be an issue, since IKE phase 1 uses UDP 500. If the peers are behind a NAT device, then NAT Traversal comes into the picture: when they discover that they are connected through a NAT device somewhere, they will use UDP 4500 for IKE phase 1.
So, make sure that you do not have PAT configured for these ports; otherwise it can create issues.
Once the tunnel is up, the intended traffic (proxy IDs) is matched for Phase 2, along with the rest of the parameters.
Good practice is to allow "ip" traffic between the VPN subnets, and you MUST have no-nat (NAT exemption) configured on the ASA.
I hope this answers your question.
Regards
Tripat Kaur
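The NAT exemption and the port caveat from the answer above, as an added ASA 8.3+ configuration example that is not part of the original thread. The addresses are constructed for the example: local LAN 10.1.1.0/24 behind this ASA, remote LAN 10.2.2.0/24 behind the peer, peer public IP 203.0.113.10; object, ACL, crypto map and tunnel-group names are arbitrary, and the IKEv1/IPsec parameters are illustrative choices, not ones the thread specifies.

```cisco
! Added example, not from the original thread. ASA 8.3+ syntax.
! Assumed (constructed) addresses: local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! remote peer 203.0.113.10. The tunnel terminates on this ASA's own outside IP.
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
!
! NAT exemption (identity NAT as section-1 manual NAT): LAN-to-LAN traffic keeps
! its real addresses, so it matches the crypto ACL and the peer's proxy IDs.
! Manual NAT is evaluated before object NAT, so this wins over any
! "nat (inside,outside) dynamic interface" PAT defined on the LAN object.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Pre-8.3 equivalent of the same exemption, for reference:
!  access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!  nat (inside) 0 access-list NONAT
!
! Crypto ACL (proxy IDs): "ip" between the two subnets, as the answer recommends.
access-list VPN-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN
!
! Minimal IKEv1 / IPsec settings (illustrative values).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ChangeMe-ExamplePSK
!
! The caveat from the answer: IKE (UDP/500, and UDP/4500 with NAT-T) is handled
! by the ASA itself on the outside IP. A static PAT like the following would hand
! those ports to an inside host and break IKE on the ASA. Do not configure it.
! object network SOME-HOST
!  host 10.1.1.50
!  nat (inside,outside) static interface service udp 500 500
```

To verify, `show nat` should list the identity rule in the manual NAT section, and `packet-tracer input inside tcp 10.1.1.10 40000 10.2.2.20 445` should show the NAT phase leaving the source untranslated and a VPN phase selecting the tunnel; `show crypto ikev1 sa` and `show crypto ipsec sa` confirm phase 1 and phase 2 once traffic has flowed. If the NAT exemption is missing, the same packet-tracer run will show the source translated to the outside IP and the VPN phase not matched, which is the failure mode the answer's "MUST have no-nat" is warning about.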