10-04-2010 11:04 PM - edited 03-11-2019 11:50 AM
Hi everyone!
My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.
We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.
We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't quite understand how this should be done.
The goal is to set up the ASA so that if either of the above-mentioned 2 hosts connects to the internet, it takes one of the 2 external addresses.
All other hosts should use PAT through x.x.x.13.
Thanks a lot in advance.
10-04-2010 11:19 PM
Hi Orhan,
I did not quite understand your exact requirement; is the below-mentioned the requirement?
y.y.y.146 --------> x.x.x.10
y.y.y.70 --------> x.x.x.11
If the above is the requirement, you need the following config:
object network obj-y.y.y.146
host y.y.y.146
nat (inside,outside) static x.x.x.10
object network obj-y.y.y.70
host y.y.y.70
nat (inside,outside) static x.x.x.11
More info on comparison of pre-8.3 NAT to 8.3 for your reference: https://cisco-support.hosted.jivesoftware.com/docs/DOC-9129
Let me know if this helps,
Cheers,
Rudresh V
10-05-2010 03:05 AM
Hi ,
Yes we can make the following changes
object network obj-y.y.y.146
host y.y.y.146
nat (inside,outside) dynamic x.x.x.10
object network obj-y.y.y.70
host y.y.y.70
nat (inside,outside) dynamic x.x.x.10
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic x.x.x.13
We cannot put both the y.y.y.146 and y.y.y.70 under one object. But we can NAT them to the same IP x.x.x.10
Cheers,
Namit
10-05-2010 07:08 AM
Hi ,
Please add the following entry in the ACL on the outside interface and try once again.
access-list outside_access_in extended permit ip host 95.86.133.30 any
access-list outside_access_in extended permit esp host 95.86.133.30 any
access-group outside_access_in in interface outside
Thanks,
Namit
10-08-2010 03:59 AM
Hi,
Please change the following in the config
From
object network mdo0003
nat (inside,outside) static 81.21.95.10
object network mdo0005
nat (inside,outside) static 81.21.95.10
To
object network mdo0003
nat (inside,outside) dynamic 81.21.95.10
object network mdo0005
nat (inside,outside) dynamic 81.21.95.10
Since we want both the IPs to be translated to 81.21.95.10
Let me know if this helps
Thanks,
Namit
10-04-2010 11:32 PM
Hi ,
You can configure NAT as follows :
object network obj-y.y.y.146
host y.y.y.146
nat (inside,outside) static x.x.x.10
object network obj-y.y.y.70
host y.y.y.70
nat (inside,outside) static x.x.x.11
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic x.x.x.13
Regards,
Namit
10-05-2010 12:05 AM
Hi, everyone!
Thank you for your answers.
My idea actually was as follows:
Create a group , consisting of 2 internal hosts y.y.y.146 and y.y.y.70.
Allow this group to use 1 external address ( for example x.x.x.10) through NAT.
Internal hosts will not connect to the internet simultaneously, so I think 1 external address is enough.
Maybe it can be done using an ACL? (Not quite sure about this.)
10-05-2010 02:24 AM
Hi,
So what we are trying to achieve here is
internal host y.y.y.146 > translated to public IP x.x.x.10
internal host y.y.y.70 > translated to public IP x.x.x.11
and other internal hosts translated to public IP x.x.x.13
Please correct me if I am wrong.
Thanks,
Namit
10-05-2010 02:27 AM
Hi, Namit!
Yes you are completely right.
Just a quick comment: is it possible to make a group of internal hosts use 1 public ip?
Appreciate your help.
10-05-2010 02:34 AM
Hi,
We can definitely do that. We can use the following config
object network obj-y.y.y.0
subnet y.y.y.0 255.255.255.0
nat (inside,outside) dynamic x.x.x.10
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic x.x.x.13
The first part means the subnet y.y.y.0/24 will be translated to the IP address x.x.x.10.
The second part means the rest of the traffic will be translated to the IP address x.x.x.13.
Cheers,
Namit
10-05-2010 02:39 AM
Namit,
thanks for the answer.
We have got only one internal subnet: y.y.y.0/24
I need the following:
Host y.y.y.146 and host y.y.y.70 to be included in a group and translated to x.x.x.10 or x.x.x.11.
The rest of the hosts from the y.y.y.0/24 subnet will be translated dynamically to x.x.x.13.
10-05-2010 02:55 AM
Forgot to add: connection must be initiated only from inside hosts. No inbound connection from addresses behind the outside interface (except 1 specific address) should be allowed.
04-19-2011 10:50 AM
Hi,
I saw your response below. I have a similar requirement and also running into the same "overlap with existing pool" issue.
My question is, can't we create an object-group network and add the different object networks for the different hosts into the object-group network? Then create a NAT statement for the object-group.
Example.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 64.136.55.62 255.255.255.192
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.180.4.254 255.255.255.0
object network host1
host 10.182.1.21
object network host2
host 10.182.1.22
object-group network Group_1
network-object object host1
network-object object host2
nat (dmz,outside) source dynamic Group_1 64.136.55.12 <------------------Not the Outside interface IP - we get an error if we do this...
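As an added example (not code from the thread or from Cisco), a small Python lint that parses ASA 8.3 object-NAT blocks and reports the two mistakes discussed in this post and in the static-to-dynamic change above: static rules that share one mapped address (the "overlap with existing pool" error, which dynamic rules avoid) and an object whose real and mapped sides are swapped. The sample config, addresses and interface names are constructed.

```python
import ipaddress
import re

# Constructed sample (not copied from the thread): two objects mapped statically to
# the same 81.21.95.10, one with real/mapped sides swapped, and the catch-all PAT.
SAMPLE_CONFIG = """\
object network mdo0003
 host 10.0.0.146
 nat (inside,outside) static 81.21.95.10
object network mdo0005
 host 10.0.0.70
 nat (inside,outside) static 81.21.95.10
object network obj-81.21.95.11
 host 81.21.95.11
 nat (inside,outside) static 10.0.0.99
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 81.21.95.13
"""
OBJ_RE = re.compile(r"^object network (\S+)\s*$")
REAL_RE = re.compile(r"^\s*(?:host (\S+)|subnet (\S+) (\S+))\s*$")
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) (static|dynamic) (\S+)\s*$")

def parse_object_nat(config):
    """One dict (name, real network, src/dst interface, kind, mapped) per object with a nat line."""
    rules, cur = [], None
    for line in config.splitlines():
        obj, real, nat = OBJ_RE.match(line), REAL_RE.match(line), NAT_RE.match(line)
        if obj:
            cur = {"name": obj.group(1), "real": None}
        elif cur and real:  # 'host a.b.c.d' -> /32; 'subnet 0.0.0.0 0.0.0.0' -> 0.0.0.0/0
            addr = real.group(1) or f"{real.group(2)}/{real.group(3)}"
            cur["real"] = ipaddress.ip_network(addr, strict=False)
        elif cur and nat:
            cur.update(src=nat.group(1), dst=nat.group(2), kind=nat.group(3), mapped=nat.group(4))
            rules.append(dict(cur))
    return rules

def lint_nat(config, inside_subnet, inside_if="inside"):
    """Flag static rules sharing a mapped IP (only dynamic rules may) and rules from inside_if whose real address is outside inside_subnet."""
    inside, findings, seen = ipaddress.ip_network(inside_subnet), [], {}
    for r in parse_object_nat(config):
        key = (r["src"], r["dst"], r["mapped"])
        if r["kind"] == "static" and key in seen:
            findings.append(f"{r['name']}: static mapped {r['mapped']} overlaps with {seen[key]}; use a distinct IP or 'dynamic' on both")
        elif r["kind"] == "static":
            seen[key] = r["name"]
        if r["src"] == inside_if and r["real"] is not None and r["real"].prefixlen and not r["real"].subnet_of(inside):
            findings.append(f"{r['name']}: real {r['real']} is not in {inside}; real/mapped look swapped")
    return findings
```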
10-05-2010 05:49 AM
Thanks for the advice, everything is set up as advised and hosts' requests are translated correctly.
The problem is, as I described a few days ago in https://supportforums.cisco.com/thread/2044300
There is a Cisco VPN Client installed on both of the hosts (y.y.y.146 and y.y.y.70) and there is a IPsec VPN connection to external host 95.86.133.30 set up.
VPN Client establishes the connection and then a website is opened (you can see the topology in the thread I linked to above) https://172.23.19.5:7777/accr/ in Internet Explorer. But, unfortunately, IE shows the "cannot display the webpage" error. When the connection is made using a direct internet connection (using an ADSL modem or by using a public IP on the provider switch (again as I have written in the thread referenced above)) everything works ok.
Syslog is attached. I think some ACL must be created, but due to lack of knowledge, I cannot determine what rule to create to solve the issue.
Thanks in advance!
10-05-2010 06:12 AM
Hi ,
Glad that the NAT worked out fine. Regarding the other problem I see that the other thread is marked as answered. Did you enable NAT-T as suggested there or use a Static IP ?
Thanks,
Namit
10-05-2010 07:00 AM
Hey Namit,
Unfortunately, NAT-T is disabled on the other side and taking into account that we are unable to alter the configuration on the PIX Firewall (other side) I used the suggestion which was provided in the other thread to use a static NAT. That was actually the reason I started this thread.
Have you reviewed the syslog I attached to my previous post? Probably, the reason for the whole set up not working (Static NAT works, Cisco VPN client on the client machine is able to connect to the remote PIX, but we are not able to open the website which is behind the PIX firewall) can be seen in the syslog.
As I have written in my previous post, I think that some sort of ACL must be implemented.
Please advise after you see the syslog.
Many thanks.