can i configure the ASA outside interface public ip as static nat for one of the inside servers

Accepted Solution

trdatta (Cisco Employee)

This is not a good practice. If you do that, the ASA's outside interface IP address will only be bound to that particular server's internal IP address and cannot be used for anything else, as static NAT is one-to-one NAT, and it may affect internet traffic. But yes, that depends on your topology too.

In case you do not have many free public IP addresses and need to use the outside interface IP address, you can also look at regular static PAT, which is also static in nature but port based. For example: if you have a web server, you can bind port 80 of the outside interface's public IP address to your server.

Below are the links which can give you more information about static PAT:

Up to 8.2:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html

For 8.3 and above:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/nat_objects.html#wp1106703

From the CLI:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Please rate if this resolves your concern/issue.

Regards

Tripat Kaur
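The following ASA configuration is an added example and is not from the thread or the linked Cisco documents. It shows the port-based static PAT described above: only TCP/80 of the outside interface's own public IP is bound to the internal web server, so the rest of the interface address stays available for dynamic PAT, management and VPN termination. The interface names "inside"/"outside", the server address 192.168.1.10, the outside address 198.51.100.1 and the ACL name OUTSIDE_IN are assumptions; pick the section that matches your software version.

```cisco
! Added example (not from the thread). Assumed: interfaces "inside" and
! "outside", web server 192.168.1.10, outside interface IP 198.51.100.1.

! ===== ASA 8.3 and later (object NAT) =====
object network WEB-SERVER
 host 192.168.1.10
 ! "static interface" = use the outside interface's own IP.
 ! "service tcp www www" = translate only TCP/80, not the whole address,
 ! so this is static PAT rather than one-to-one static NAT.
 nat (inside,outside) static interface service tcp www www

! From 8.3 onward the interface ACL references the REAL (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www
access-group OUTSIDE_IN in interface outside

! ===== ASA 8.2 and earlier =====
! Same result with the old "static" syntax (only port 80 is mapped).
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
! Pre-8.3 the interface ACL references the MAPPED address, i.e. the interface.
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-group OUTSIDE_IN in interface outside

! ===== Verification (any version) =====
show nat
show xlate
show access-list OUTSIDE_IN
! Simulate an internet client (203.0.113.50, constructed) hitting the mapped port.
packet-tracer input outside tcp 203.0.113.50 12345 198.51.100.1 80
```

With this in place, the `packet-tracer` output should show the UN-NAT phase rewriting 198.51.100.1:80 to 192.168.1.10:80 and the ACL phase permitting it; a connection to any other port on the interface IP is still handled by the ASA itself, which is exactly the property a full static NAT of the interface address would lose.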

Thanks for the info.

That being said, since we can still NAT the outside interface IP, can we use the outside NAT interface IP in a site-to-site VPN? Again, we will be using the outside interface IP as the VPN peer IP. Is this possible?

If you wish to configure a S2S VPN on the ASA with its outside interface's IP address as the peer IP, it should not be an issue, since IKE phase 1 uses UDP 500. If the peers are behind a NAT device, NAT Traversal comes into the picture: once they discover that they are connected through a NAT device somewhere, they will use UDP 4500 for IKE phase 1.

So make sure that you do not have PAT configured for these ports; otherwise it can create issues.

Once the tunnel is up, the intended traffic (proxy IDs) is matched for Phase 2, along with the rest of the parameters.

Good practice recommends allowing "ip" traffic between the VPN subnets, and you MUST have no-NAT (NAT exemption) configured on the ASA.

I hope this answers your question.

Regards

Tripat Kaur
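As an added example (not from the thread), here is how the two answers above fit together on an ASA 9.x release: an IKEv1 site-to-site tunnel terminated on the outside interface IP, coexisting with an interface static PAT for a web server, with NAT exemption so the VPN subnets keep their real addresses and a crypto ACL that permits "ip" between them. All addresses, names and the pre-shared key placeholder are assumptions: local LAN 192.168.1.0/24, remote LAN 10.10.10.0/24, remote peer 203.0.113.1.

```cisco
! Added example (not from the thread). Assumed: ASA 9.x syntax, local LAN
! 192.168.1.0/24 behind "inside", remote LAN 10.10.10.0/24, peer 203.0.113.1,
! and a pre-shared key supplied in place of <PSK>.

object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0

! NAT exemption (8.3+): identity twice-NAT for LAN-to-LAN traffic.
! Manual NAT lives in section 1, so it is evaluated BEFORE any object NAT
! (such as an interface static PAT for a web server) in section 2.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Pre-8.3 equivalent of the exemption, for reference:
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! nat (inside) 0 access-list NONAT

! Crypto ACL (proxy IDs): "permit ip" between the VPN subnets, as recommended.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

! Phase 1 on the outside interface. NAT-T (UDP/4500) is enabled by default
! and is negotiated only if a NAT device is detected between the peers.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK>

! Phase 2
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside

! A web-server static PAT on TCP/80 does not conflict with the tunnel.
! What WOULD break Phase 1 is a static PAT that steals IKE/NAT-T ports from
! the interface, e.g. (do not configure this):
!   object network SOME-HOST
!    nat (inside,outside) static interface service udp isakmp isakmp
!   object network SOME-HOST
!    nat (inside,outside) static interface service udp 4500 4500

! Verification
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.1
show nat detail
! Traffic to the remote LAN should hit the identity NAT, not the dynamic PAT.
packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.10
```

In the `packet-tracer` output the NAT phase should report the `source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN` rule with untranslated addresses and the VPN phase should show the traffic matched to the crypto map; if instead the dynamic PAT rule appears, the exemption is missing or ordered after a conflicting rule and Phase 2 will never match the proxy IDs.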
