cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1073
Views
0
Helpful
14
Replies
dfariborz
Beginner

How to do inbound NAT in ASA v8.2

Hello

Due to shortage of public addresses we would like to take advantage of inbound NAT (from internet to the internal network) using the public interface of the ASA, is that possible for the following topology? If so please also provide configuration guide line.

Local SMTP server listening on TCP 25 <------ Cisco ASA <------ internet <----- Remote SMTP server

Please note we do NAT overload for the configuration and that works.

Local SMTP server ------> Cisco ASA ------> internet -----> Remote SMTP server listening on TCP 25 

 Thanks in advance

Darius.Fariborz@cgi.com

14 REPLIES 14
Philip D'Ath
Advisor

Yes, and there is more than one way.  My preference is to use object NAT.

object network smtp-server
 host <internal IP address>
object network smtp-server
 nat (inside,outside) static <public ip address> service tcp smtp smtp

Thank you chaps. We shall try in a few weeks time and will let you know.

Cheers

Darius

 

Hi Philip/Guys

I am having some issue with ASA NAT, we are using Access-List to Translate many Private Pools to Single Public IP on Router, and now I want to move all NAT to ASA 5510. Which exact NAT type will serve my task. 

ip nat inside source list ABC interface FastEthernet0/0 overload

ABC ( Have Multiple Private IP Subnets), 

There is more than one way of doing this.  I personally like using object NAT.

This is an example that will NAT anything in the 192.168.0.0/16 range.  You can create as many copies of this as you want, one for each internal network.

object network internal1-network
 subnet 192.168.0.0 255.255.0.0
object network internal1-network
 nat (any,outside) dynamic interface

					
				
			
			
				
			
			
				
			
			
			
			
			
			
		

If you want to NAT to a specific IP address interface of the outside interface IP address then use:

object network internal1-network
 nat (any,outside) dynamic a.b.c.d

Hi Philip

Just down with below config, am I good to go

object network Internal-Network
subnet 192.168.0.0 255.255.0.0
ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (any) to (OUTSIDE) source dynamic Internal-Network interface
translate_hits = 0, untranslate_hits = 0
ciscoasa#

route OUTSIDE 0.0.0.0 0.0.0.0 x.y.z.z 1

Give it a try.  I've never used auto-NAT.

Well I used IP instead of Interface, but then it refused as IP is already used by Interface, that is my outside interface

If you specify an IP address it has to be one on the outside interface not in use.  If you want to use the actual interface IP address, then use the example I gave, exactly.

Here is it - again.

object network internal-network
 nat (any,outside) dynamic interface

Hi Philip

It is on outside interface

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address X>X>X> Y>Y>Y>Y
ciscoasa#

Thanks Philip,

I will elaborate more, what we are required. 

Currently using CISCO Router for NAT, with FE0/0 and FE0/0.1, FE0/0.2, FE0/0.3 with having separate IP Sub-net such as 192.168.1.0/24, 192.168.10.0/24,192.168.20.0/24 and NAT is done via ACCESS LIST.

Let me share my current router config.

- ip nat inside source list GAX interface FastEthernet0/0 overload

- ip access-list extended GAX
- permit tcp any host 192.168.1.141 eq 902
- permit tcp any host 192.168.1.143 eq 5060
- permit ip 192.168.1.0 0.0.0.255 any
- permit ip 192.168.50.0 0.0.0.255 any
- permit ip 192.168.10.0 0.0.0.255 any

 

interface FastEthernet0/1
description USERS
no ip address
ip access-group 109 in
ip nat inside
ip inspect GAX in
ip inspect GAX out
ip virtual-reassembly
rate-limit input 15000000 2812500 2812500 conform-action transmit exceed-action drop
rate-limit output 15000000 2812500 2812500 conform-action transmit exceed-action drop
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 1000
!
interface FastEthernet0/1.20
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.33
encapsulation dot1Q 33
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.50
description XXXXXXXX
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly

Now I did create sub-interface/VLAN on ASA Firewall, but still unable to NAT all to one Public IP.

Please suggest as per scenario.

The one object will do it just fine.

object network internal-network
 subnet 192.168.0.0 255.255.0.0
object network internal-network
 nat (any,outside) dynamic interface
Philip D'Ath
Advisor

Also note that 8.2 is pretty old code now.  You should consider upgrading to 9.x software on your ASA.

Tom K
Beginner

static (inside,outside) tcp interface 25 <INSIDE IP> 25 netmask 255.255.255.255

access-list acl_out extended permit tcp any host <PUB IP OF ASA> eq 25

This will use the Public IP of the ASA and map port 25 to the inside IP Address.

You may need to adjust the name of the outside ACL or your interface nameif's to match yours. 

Content for Community-Ad