08-14-2011 10:44 AM - edited 03-11-2019 02:11 PM
I have a current ASA (5540, 8.3(2)) that is running in routed mode, doing a VPN endpoint as well as a firewall for another inside network. They use the single public IP address that is on the outside interface, which carries the default route.
I want to add a NAT configuration to yet another inside network using a block of outside addresses. I've created the inside and outside network objects and dynamic NAT between them. I'm currently using a built-in dhcp server for the inside nat block.
I've created an inside interface with the network object for the inside network, which properly assigns a dhcp address. I also created an outside interface for that network object.
My question is this: Will the outside NATed address traffic egress from the single outside default route, or will it use the defined outside interface? I can deal with it either way, but my upstream router will need a static route for the new outside range to send the inbound traffic. Or is it possible to use a routemap? I'm fine with just using the default route if that is easiest. Do I even need the outside NAT interface?
Another question is how to direct dhcp requests from the inside NAT to an external server to overcome the limitations of the built-in server (single /24, I need to define a /19 pool).
08-14-2011 12:40 PM
Hi Roger,
I'm not that clear with the first question. The traffic from your inside network will take an interface to exit depending on a lot of checks like NAT, route lookup, etc. So, if the route that you've specified for traffic going out goes like "route outside 0 0
When the reply comes back, the upstream router will send it to the ASA as long as it proxy ARPs for the destination IP address in the reply packet.
For the second question, you can have the ASA be configured for DHCP relay. Here's a link:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html#wp1170898
Hope this helps!
Regards,
Anu
P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.
08-14-2011 06:22 PM
Anu,
Thanks. I think you answered my question, even though I may not have been clear. I had similar issues (in my head anyway) when I was setting up the vpn terminus.
It seems like I don't need an outside interface for the traffic at all. It will just use the already defined default outside interface. The upstream router would have an appropriate static route.
As to DHCP, I do already use it for another inside interface, and the NATed inside will be using the same server. The server should know which network the request comes from in the proxy request and provide a response that is appropriate.
One other quick question. If I need to reserve a dozen or so inside addresses from this same inside network for fixed addresses, can I map these as static as a group, or will they need to be individual network objects? I can refine the dynamic nat objects to exclude these addresses.
Roger
08-15-2011 01:21 AM
Hi Roger,
If you need to statically assign addresses one-to-one, then you should use individual network objects. Here's a link that might be useful:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1105818
Hope this helps!
Regards,
Anu
P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.
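Putting the pieces of this thread together (dynamic object NAT for the new inside network, one network object per static host, DHCP relay instead of the built-in server), here is a constructed ASA 8.3 configuration; it is an added example, not anything posted in the thread. Interface names (natnet, inside, outside), the GigabitEthernet0/2 slot, the RFC 1918/RFC 5737 addresses and the pool sizes are all assumptions.

```cisco
! Constructed example (not from the thread): ASA 8.3 object NAT for a new
! inside network plus DHCP relay. Interface names, addresses and pool sizes
! are assumptions; addresses come from RFC 1918 / RFC 5737 space.

! New inside interface carrying the /19 that outgrows the built-in dhcpd
interface GigabitEthernet0/2
 nameif natnet
 security-level 100
 ip address 10.20.0.1 255.255.224.0

! Real (inside) network and the public block it is mapped to
object network NATNET-INSIDE
 subnet 10.20.0.0 255.255.224.0
object network NATNET-OUTSIDE-POOL
 range 203.0.113.10 203.0.113.30

! Dynamic NAT: inside hosts share the pool on egress. Egress still follows
! the existing default route on "outside"; no extra outside interface is
! needed for the mapped block.
object network NATNET-INSIDE
 nat (natnet,outside) dynamic NATNET-OUTSIDE-POOL

! One-to-one mappings need one network object per host. Static object NAT
! is matched before dynamic object NAT within section 2, so these hosts do
! not have to be carved out of NATNET-INSIDE.
object network SRV-MAIL
 host 10.20.0.10
 nat (natnet,outside) static 203.0.113.40
object network SRV-WEB
 host 10.20.0.11
 nat (natnet,outside) static 203.0.113.41

! Single default route. Return traffic reaches the ASA only if the upstream
! router routes the mapped block (203.0.113.0/26 here) to the ASA's outside
! address, or, when the block lies on the outside subnet, relies on the
! ASA proxy-ARPing for mapped addresses (on by default for object NAT).
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! DHCP relay on natnet to a server reachable through "inside" (assumed
! 10.1.1.10); the relay inserts the natnet interface as the gateway so the
! server can pick the matching /19 scope.
dhcprelay server 10.1.1.10 inside
dhcprelay enable natnet
dhcprelay setroute natnet
dhcprelay timeout 60
```

Verify the resulting translation with `show nat detail` and `show xlate`, and the relay with `show dhcprelay statistics`.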