NAT for Internal ASA Firewall

Bali Khan
Level 1

Hi - I am new to ASA firewalls and need help. My company is using two firewalls. The internal one is an ASA and the external one is a Checkpoint.

I have an issue with internal host 10.20.50.47 trying to reach destination IP 10.10.0.100 (internal company server) and external server 95.x.x.x on port 25.

Source: 10.20.50.47 (connected to inside interface)

Internal destination: 10.10.0.100 (reachable via outside interface, static default route in place)

External destination: 95.x.x.x (reachable via outside interface, static default route in place)

FIREWALL ASA# sh ip
FW_Outside           outside              10.30.50.33     security-level 0  
FW_Inside              inside                10.20.50.45     security-level 100

There is a static default route towards the outside interface.

The internal host 10.20.50.47 is being monitored from outside as well, and there is a NAT rule for that, which works:

nat (outside,inside) source static MON MON destination static IP-172.33.45.7 LN-10.20.50.47

Apart from a management NAT rule, this is the only NAT rule in place, and it is working fine for monitoring.

Now my question is (assuming ACLs are in place):

Do I need a NAT rule for the inside host to reach the internal and external destinations? If yes, what should the NAT statements be?

Please advise, thanks

3 Replies

manuscript1
Level 1

Hi

If I am reading this right, your problem is going from the inside interface to the outside interface of your ASA? To do this you will need the rules and a NAT statement.

There are two ways to do it: a NAT overload to your outside interface (this means anything going through will be NAT/PAT to the outside interface IP) or a static NAT from your inside host to your outside subnet(s).

The overload option is - NB this will translate everything from inside to the outside interface IP!!

nat (inside,outside) source dynamic any interface

For static, try something to this effect:

nat (inside,outside) source static any any destination static 10.20.50.45 10.30.50.x  ( the x being a free address on your outside subnet )  unidirectional  ( use bidirectional for both way translation )

Another way is to do it by object-groups:

object network internal-10.20.50.0
 subnet 10.20.50.0 255.255.255.0   ( assuming class C )
 nat (inside,outside) dynamic interface

This will NAT just this subnet to the outside interface of your ASA.

Best and easiest is the ASDM tool, as you can just enter the NAT translations in a GUI!!!!

Thanks for your reply. Because the ASA is the internal firewall, when traffic goes from inside -> outside we want to keep the real source IPs as they are.

It's the Checkpoint firewall which will translate the real IPs into public addresses.

So keeping the above in mind, do we need a NAT, or are routing / ACLs enough?

I think you will need something like this:

Cisco ASA 8.3 - No NAT / NAT Exemption

object network LOCAL_LAN
subnet 192.168.0.0 255.255.0.0

object network REMOTE_LAN
subnet 172.16.0.0 255.255.0.0


nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

To make things clearer you can see the structure of the NAT statement below.

nat (real interface,mapped interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]
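Applying that no-NAT structure to the asker's own addresses, as an added example that is not part of the original posts: identity rules keep the 10.20.50.0/24 source addresses untranslated toward both destinations, and packet-tracer confirms the path before the change goes live. The object names, the /24 inside subnet and the 95.x.x.x placeholder are assumptions.

```cisco
! Added example, not from the thread. Assumptions: inside subnet is
! 10.20.50.0/24; the external mail server object EXT-MAIL-SERVER is a
! placeholder (replace 95.x.x.x with the real address before use).

object network INSIDE-LAN
 subnet 10.20.50.0 255.255.255.0

object network INT-SERVER
 host 10.10.0.100

object network EXT-MAIL-SERVER
 host 95.x.x.x

! Identity NAT (real object = mapped object): the ASA builds the xlate but
! leaves source and destination addresses unchanged, so the Checkpoint
! still sees the real inside IPs. Manual NAT rules are evaluated in order,
! and these do not overlap the existing (outside,inside) MON rule, which
! only matches traffic to or from the monitoring host.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static INT-SERVER INT-SERVER
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static EXT-MAIL-SERVER EXT-MAIL-SERVER

! Verification: list the NAT table, then trace a TCP/25 packet from the
! affected host to the internal server. The trace should end with
! "Action: allow", show an untranslated source address, and name the
! NAT and access-list phases rather than a drop.
show nat
packet-tracer input inside tcp 10.20.50.47 40000 10.10.0.100 25
```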