NAT not translating public address

Acidflame
Level 1

Hi to all,

I have another problem with the ASA 5512. I have configured static NAT, and I have configured a CentOS 6 server on the network; all works fine. I have installed cPanel (which does not support 1:1 NAT in the STABLE version, only in the EDGE version).

The problem is that if I set the internal address on the server, INTERNAL TO EXTERNAL all works fine. But if I give a dedicated IP to the site, EXTERNAL TO INTERNAL does not work.

If I ping the site it gives me only the internal address and not the external one.

One of the solutions is to insert the PRIVATE IP AND PUBLIC IP in the address list, but there isn't a way to insert only the external IP and have automatic translation to the internal IP.

If I have this configuration

DEVICE=eth0
BOOTPROTO=nat
DHCPCLASS=
IPADDR=192.168.2.102
NETMASK=255.255.255.0
ONBOOT=yes

all works fine, but I want this configuration to work too:

DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
IPADDR=PUBLIC IP
NETMASK=255.255.255.0
ONBOOT=yes

3 Replies

Jouni Forss
VIP Alumni

Hi,

As I said in the previous discussion,

you will either need to use static NAT, which to my understanding you are using in the first configuration of the actual server,

or you will need to configure the public subnet directly on some ASA interface, most likely some DMZ interface, since you are hosting a server to the external network.

Last time you mentioned that you doubt that the ISP would be willing to do any changes to their setup, which sounds pretty weird to me. If you have been provided with 2x /27 subnets already from the ISP there should be no problem either using the other /27 subnet on the DMZ interface of the ASA, or splitting one of the /27 subnets into something even smaller and configuring one of those smaller subnets on the ASA DMZ interface.

Let's take this for example:

  • Public Subnet 1 = 1.1.1.0/27
  • Public Subnet 2 = 2.2.2.0/27

You could for example have the following interface configurations on the ASA:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip add 1.1.1.2 255.255.255.224

interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip add 2.2.2.1 255.255.255.224

Now you could for example configure a server on the DMZ with the IP address 2.2.2.2.

But naturally, as we can't see your exact setup and firewall configurations, it's impossible to say what you would need to do to get your second server configuration option to work.

But to me it seems certain that to be able to configure the public IP address directly on the server you will have to configure some public subnet directly wherever your server is connected. If it's connected to some ASA DMZ interface then the ASA interface must be configured with the public subnet. If the server is connected to some core device then the public subnet has to be configured there.

- Jouni

If you want, here is my firewall configuration.

Hi,

It seems to me, according to your ASA configuration, that only the "External2" interface has public IP address space that is not used, while the "External" interface's public IP address space has been used up from both the start and the end of the subnet.

It also seems that you have no routers on the internal networks, since there are no routing configurations or static routes on your ASA. This would essentially mean that if you wanted to have a public IP address directly on the server, then that public subnet would have to be configured on the ASA (as there are no internal routers).

It seems to me that for this server you would perhaps need to split the second public subnet into either /28 or /29 subnets, depending on how much of the public address space of the "External2" subnet you want to allocate to the new DMZ interface.

Let's say that the External2 network is 2.2.2.32/27 (2.2.2.32 - 2.2.2.63).

It seems that you have not used any public IP addresses that would be part of 2.2.2.48/28 (2.2.2.48 - 2.2.2.63).

So if you wanted to for example split "External2" in the above mentioned way, you could do the following changes with the ISP (of course using the actual public IP addresses):

interface GigabitEthernet0/4
 ip address 2.2.2.36 255.255.255.240

interface GigabitEthernet0/5
 description Public DMZ
 nameif DMZ-PUB
 security-level 60
 ip address 2.2.2.49 255.255.255.240

The ISP would also have to change the network mask on their gateway and add a static route for the split network/subnet.

For example:

Before

interface GigabitEthernet1/1
 description Customer
 ip address 2.2.2.33 255.255.255.224

After

interface GigabitEthernet1/1
 description Customer
 ip address 2.2.2.33 255.255.255.240

ip route 2.2.2.48 255.255.255.240 2.2.2.36

After this you would be able to use an IP address from 2.2.2.48/28 (2.2.2.50 - 2.2.2.62, since you can't use the network, gateway or broadcast address).

And as I said before, you would even have the option to split the "External2" network further, but in that case you would have to consider whether there is a need for that.

- Jouni
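As an added worked example (not part of the thread and not Jouni's or Cisco's code), the subnet arithmetic from the reply above carried out with Python's standard ipaddress module: split the /27 into /28s, find the sub-block that contains none of the addresses already in use, put the ASA DMZ interface on its first host and compute the server address range, and produce the mask change and static route the ISP side would need. The block 2.2.2.32/27 and the used addresses (.33 for the ISP gateway, .36 for the ASA External2 interface, .40 for another host) are constructed sample values, as are the function names.

```python
# Added worked example: subnet-splitting arithmetic for a public DMZ plan.
# All addresses below are constructed sample values, not a real allocation.
from ipaddress import IPv4Address, IPv4Network, ip_network

# Constructed sample: the "External2" /27 and addresses already in use on it
# (ISP gateway .33, ASA External2 interface .36, one more host .40).
EXTERNAL2 = ip_network("2.2.2.32/27")
USED_ADDRESSES = [IPv4Address(a) for a in ("2.2.2.33", "2.2.2.36", "2.2.2.40")]


def split_subnet(block: IPv4Network, new_prefix: int) -> list[IPv4Network]:
    """Equal-size sub-blocks of `block` at `new_prefix` (a /27 gives two /28s)."""
    if new_prefix <= block.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    return list(block.subnets(new_prefix=new_prefix))


def free_subnets(block: IPv4Network, used: list[IPv4Address], new_prefix: int) -> list[IPv4Network]:
    """Sub-blocks that contain none of the addresses already in use."""
    return [s for s in split_subnet(block, new_prefix) if not any(a in s for a in used)]


def usable_hosts(subnet: IPv4Network, gateway: IPv4Address) -> tuple[IPv4Address, IPv4Address, int]:
    """First and last assignable host and their count, excluding the network,
    broadcast and gateway (ASA DMZ interface) addresses."""
    if gateway not in subnet:
        raise ValueError(f"{gateway} is not inside {subnet}")
    # hosts() already skips the network and broadcast addresses of the /28
    hosts = [h for h in subnet.hosts() if h != gateway]
    return hosts[0], hosts[-1], len(hosts)


def plan_dmz(block: IPv4Network, used: list[IPv4Address], new_prefix: int):
    """Pick the first free sub-block, put the ASA DMZ interface on its first
    host and report the range left for servers. Returns None if nothing is free."""
    free = free_subnets(block, used, new_prefix)
    if not free:
        return None
    sub = free[0]
    asa_if = sub.network_address + 1  # ASA DMZ interface takes the first host
    first, last, count = usable_hosts(sub, asa_if)
    return {
        "subnet": str(sub),
        "asa_interface": f"{asa_if} {sub.netmask}",
        "first_host": str(first),
        "last_host": str(last),
        "count": count,
    }


def isp_changes(block: IPv4Network, new_prefix: int, isp_gateway: IPv4Address, asa_next_hop: IPv4Address):
    """What the ISP side must change: the shrunk mask on the interface that
    keeps the ISP gateway, plus one static route per moved sub-block via the ASA."""
    subs = split_subnet(block, new_prefix)
    kept = next(s for s in subs if isp_gateway in s)
    if asa_next_hop not in kept:
        raise ValueError("the ASA next hop must stay in the ISP-facing sub-block")
    routes = [f"ip route {s.network_address} {s.netmask} {asa_next_hop}" for s in subs if s != kept]
    return {"new_mask": str(kept.netmask), "routes": routes}


if __name__ == "__main__":
    print(plan_dmz(EXTERNAL2, USED_ADDRESSES, 28))
    print(isp_changes(EXTERNAL2, 28, IPv4Address("2.2.2.33"), IPv4Address("2.2.2.36")))
```

With the constructed sample, plan_dmz reports 2.2.2.48/28 with the ASA interface on 2.2.2.49 and 13 server addresses from 2.2.2.50 to 2.2.2.62, and isp_changes yields the 255.255.255.240 mask and the single static route via 2.2.2.36, matching the hand-worked figures in the reply. Changing new_prefix to 29 shows the smaller split the reply mentions as a further option.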
