Overlaps Multiple ISP

eduardodewes
Level 1

Good morning,

I need three addresses in the same WAN network, but when I try to configure the IPs an "Overlaps" error occurs. Is it possible to use multiple IPs on the same network without getting overlaps?
Ex: 192.168.1.1 255.255.255.248
      192.168.1.2 255.255.255.248
      192.168.1.3 255.255.255.248

Thanks

5 Replies

Maykol Rojas
Cisco Employee

Hello,

Are you trying to assign these addresses to different interfaces on the ASA? It will give you overlaps if you do. The purpose of any layer 3 device is to separate broadcast domains, so each interface is going to be a different broadcast range. In your case (and correct me if I am wrong) you can only assign one IP address of that range on the ASA firewall.

If you have any questions, let me know.

Mike

Mike,

Well, I have a client who has a link with three valid IPs. Today it is a Linux box that holds the IPs. I need to replace that Linux box with an ASA, which must also have the 3 IPs so I can do the NAT to the internal network.
Ex: you have a router at the carrier with IP 10.1.1.1, and the Linux box has the IPs 10.1.1.2, 10.1.1.3 and 10.1.1.4, assuming these are valid IPs.
So I put IP 10.1.1.2 on an interface; when I put 10.1.1.3 I get the error and it does not accept overlaps.
What would be the best solution for this case?

Thanks.

Hello,

You can do NAT with the 3 IPs; the only thing you cannot do is assign all of them to a single interface. For example, you can assign 192.168.1.1 to the outside interface of the firewall that connects to the ISP, and your internal networks are, let's say, 10.10.10.0, 10.10.20.0 and 10.10.30.0. If you do the following:

nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 2 10.10.20.0 255.255.255.0
nat (inside) 3 10.10.30.0 255.255.255.0
global (outside) 1 interface
! (the outside interface address, which would be 192.168.1.1)
global (outside) 2 192.168.1.2
global (outside) 3 192.168.1.3

That way, the 10.10.10.0 network would be seen as 192.168.1.1 on the outside, 10.10.20.0 would be NATted to 192.168.1.2, and so on.

If you have any questions, let me know.

Mike
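The two rules this thread turns on can be modelled offline: an ASA rejects a second interface whose subnet overlaps an existing one (the "Overlaps" error in the question), and pre-8.3 dynamic NAT pairs each `nat (ifc) <id> ...` statement with the `global (egress-ifc) <id> ...` statement carrying the same numeric id, so a nat id with no global on the egress interface translates nothing. The script below is an added example, not code from the thread or from Cisco; the nat/global lines are patterned on Mike's example above, the interface names and the mismatched variant are constructed, and longest-prefix selection between several matching `nat` statements is a simplification that ignores `nat 0`, `static` and policy NAT.

```python
"""Added example: offline model of ASA interface-overlap and pre-8.3
nat/global id pairing. Sample inputs are constructed for this example."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Accept both "net mask" (real ASA syntax) and "net netmask mask" (as typed
# in the thread); nat 0 access-list and static lines deliberately do not match.
NAT_RE = re.compile(
    r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (?:netmask )?(\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")

# The three addresses from the question, each on its own (constructed) nameif.
QUESTION_INTERFACES: Dict[str, str] = {
    "outside": "192.168.1.1 255.255.255.248",
    "outside2": "192.168.1.2 255.255.255.248",
    "outside3": "192.168.1.3 255.255.255.248",
}

# Interfaces and nat/global lines patterned on Mike's reply (inside address constructed).
MIKE_INTERFACES: Dict[str, str] = {
    "inside": "10.10.10.1 255.255.255.0",
    "outside": "192.168.1.1 255.255.255.248",
}
MIKE_LINES = [
    "nat (inside) 1 10.10.10.0 255.255.255.0",
    "nat (inside) 2 10.10.20.0 255.255.255.0",
    "nat (inside) 3 10.10.30.0 255.255.255.0",
    "global (outside) 1 interface",
    "global (outside) 2 192.168.1.2",
    "global (outside) 3 192.168.1.3",
]

# Constructed variant where the nat id and the global id are out of step.
MISMATCH_LINES = [
    "nat (inside) 0 access-list inside_nat0_outbound",
    "nat (inside) 2 172.16.0.0 255.255.252.0",
    "global (outside) 1 interface",
]


def find_interface_overlaps(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the interface pairs whose subnets overlap; the ASA rejects the
    second address of each pair, since every L3 interface must own a distinct
    broadcast domain."""
    nets = {}
    for name, addr_mask in interfaces.items():
        addr, mask = addr_mask.split()
        nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def parse_nat_globals(lines: List[str]):
    """Split config lines into dynamic nat rules and a (ifc, id) -> pool map."""
    nats, globals_ = [], {}
    for raw in lines:
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            ifc, nat_id, net, mask = m.groups()
            nats.append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, pool = m.groups()
            globals_[(ifc, int(nat_id))] = pool
    return nats, globals_


def resolve_translation(lines: List[str], interfaces: Dict[str, str],
                        ingress: str, egress: str, src_ip: str) -> Optional[str]:
    """Outside address a source would be translated to, or None when no
    nat statement matches or no global with the same id exists on egress
    (on the box this shows up as syslog 305005 "No translation group found")."""
    nats, globals_ = parse_nat_globals(lines)
    src = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, nat_id) for ifc, nat_id, net in nats
               if ifc == ingress and src in net]
    if not matches:
        return None
    _, nat_id = max(matches)            # most specific nat statement wins
    pool = globals_.get((egress, nat_id))
    if pool is None:
        return None
    if pool.lower() == "interface":     # PAT to the egress interface address
        return interfaces[egress].split()[0]
    return pool                         # a single address or an a-b range


def missing_globals(lines: List[str], egress: str) -> List[int]:
    """Nat ids that have no matching global on the given egress interface."""
    nats, globals_ = parse_nat_globals(lines)
    return sorted({nat_id for _, nat_id, _ in nats if (egress, nat_id) not in globals_})


if __name__ == "__main__":
    print("overlapping pairs:", find_interface_overlaps(QUESTION_INTERFACES))
    for host in ("10.10.10.7", "10.10.20.7", "10.10.30.7", "10.10.40.7"):
        print(host, "->", resolve_translation(MIKE_LINES, MIKE_INTERFACES, "inside", "outside", host))
    print("nat ids without a global on outside:", missing_globals(MISMATCH_LINES, "outside"))
```

Feeding `missing_globals` the `nat`/`global` lines of any pre-8.3 configuration is a quick way to spot a nat id that will never translate on a given egress interface before looking at packet captures.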

Mike,

OK. I've done some testing and the NAT did not work. The setup follows; please check whether the NAT part is correct.

Thanks.

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 18x.xx.56.234 oi234

name 18x.xx.56.235 oi235

name 18x.xx.56.236 oi236

name 20x.xx.159.234 embratel234

name 20x.xx.159.236 embratel236

name 192.168.1.254 adsl

name 172.16.0.140 local

name 20x.xx.159.235 embratel235

!

interface Vlan1

nameif inside

security-level 0

ip address local 255.255.252.0

!

interface Vlan2

nameif outside

security-level 0

ip address oi234 255.255.255.248

!

interface Vlan13

shutdown

nameif inativo

security-level 0

ip address 1.1.1.1 255.0.0.0

!

interface Vlan23

nameif embratel

security-level 0

ip address embratel234 255.255.255.248

!

interface Vlan33

nameif adsl

security-level 0

ip address adsl 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 23

!

interface Ethernet0/2

switchport access vlan 33

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 13

!

interface Ethernet0/5

switchport access vlan 13

!

interface Ethernet0/6

switchport access vlan 13

!

interface Ethernet0/7

switchport access vlan 13

!

ftp mode passive

clock timezone BRST -3

clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_UDP_1 udp

port-object range 8000 20000

port-object eq sip

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq ftp-data

access-list CRV_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0

access-list inside_access_in remark DNS

access-list inside_access_in extended permit object-group TCPUDP 172.16.0.0 255.255.252.0 any eq domain

access-list inside_access_in remark SMTP

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq smtp

access-list inside_access_in remark FTP

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any object-group DM_INLINE_TCP_1

access-list inside_access_in remark HTTP e HTTPS

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any object-group DM_INLINE_TCP_2

access-list inside_access_in remark NTP

access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any eq ntp

access-list inside_access_in remark ICMP

access-list inside_access_in extended permit icmp 172.16.0.0 255.255.252.0 any

access-list inside_access_in remark VNC

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 5900

access-list inside_access_in remark PPTP

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq pptp

access-list inside_access_in remark SSH

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq ssh

access-list inside_access_in remark IMAP

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq imap4

access-list inside_access_in remark SNMP

access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any eq snmp

access-list inside_access_in remark OpenVPN

access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any eq 1194

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 8080

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 8800

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 2222

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 10000

access-list inside_access_in remark SIP

access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any eq sip

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 1036

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.252.0 any eq 2100

access-list inside_access_in remark GRE

access-list inside_access_in extended permit gre 172.16.0.0 255.255.252.0 any

access-list inside_access_in extended permit udp 172.16.0.0 255.255.252.0 any range 8000 20000

access-list embratel_access_in extended permit tcp host 200.195.162.210 host embratel236

access-list embratel_access_in extended permit udp host 82.224.170.101 host embratel234 object-group DM_INLINE_UDP_1

access-list outside_access_in remark FTP

access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_3

access-list outside_access_in extended permit object-group TCPUDP any any eq www

access-list outside_access_in remark VNC

access-list outside_access_in extended permit tcp any any eq 5900

access-list outside_access_in remark PPTP

access-list outside_access_in extended permit tcp any any eq pptp

access-list outside_access_in remark GRE

access-list outside_access_in extended permit gre any any

access-list outside_access_in remark OpenVPN

access-list outside_access_in extended permit tcp any any eq 1194

access-list outside_access_in extended permit tcp any any eq 2222

access-list outside_nat0_outbound extended permit ip 18x.xx.56.232 255.255.255.248 any

access-list adsl_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any

access-list embratel_nat0_outbound extended permit ip 20x.xx.159.232 255.255.255.248 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu inativo 1500

mtu embratel 1500

mtu adsl 1500

ip local pool CRV 172.16.0.120-172.16.0.130 mask 255.255.252.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (adsl) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 172.16.0.0 255.255.252.0

nat (outside) 0 access-list outside_nat0_outbound

nat (embratel) 0 access-list embratel_nat0_outbound

nat (adsl) 0 access-list adsl_nat0_outbound

static (inside,outside) tcp oi236 ftp 172.16.0.8 ftp netmask 255.255.255.255

static (inside,outside) tcp oi236 www 172.16.0.19 www netmask 255.255.255.255

static (inside,outside) tcp oi235 5900 172.16.0.254 5900 netmask 255.255.255.255

static (inside,outside) tcp oi235 pptp 172.16.0.254 pptp netmask 255.255.255.255

static (inside,outside) tcp oi235 47 172.16.0.254 47 netmask 255.255.255.255

static (inside,outside) tcp oi236 1194 172.16.0.254 1194 netmask 255.255.255.255

static (inside,outside) tcp interface www 172.16.0.22 www netmask 255.255.255.255

static (inside,outside) tcp oi235 www 172.16.0.4 www netmask 255.255.255.255

static (inside,outside) tcp interface sip 172.16.0.102 sip netmask 255.255.255.255

static (inside,outside) tcp interface ftp 172.16.0.20 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 172.16.0.20 ftp-data netmask 255.255.255.255

static (inside,outside) tcp oi236 2222 172.16.0.29 2222 netmask 255.255.255.255

static (inside,embratel) udp interface 8000 172.16.0.102 8000 netmask 255.255.255.255

static (inside,embratel) udp interface sip 172.16.0.102 sip netmask 255.255.255.255

static (inside,embratel) tcp embratel235 https 172.16.0.4 https netmask 255.255.255.255

static (inside,embratel) tcp interface ftp-data 172.16.0.22 ftp-data netmask 255.255.255.255

static (inside,embratel) tcp interface ftp 172.16.0.22 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group embratel_access_in in interface embratel

route outside 0.0.0.0 0.0.0.0 oi236 254

route adsl 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 172.16.0.0 255.255.252.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 172.16.0.0 255.255.252.0 inside

telnet timeout 5

ssh 172.16.0.0 255.255.252.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

group-policy CRV internal

group-policy CRV attributes

dns-server value 172.16.0.253 172.16.0.80

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CRV_splitTunnelAcl

username master password Z4lv47kJo.V6M7HB encrypted

tunnel-group CRV type ipsec-ra

tunnel-group CRV general-attributes

default-group-policy CRV

dhcp-server 172.16.0.253

tunnel-group CRV ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:02166630454b3ad4f2dfe258a013df53

: end

ciscoasa#

Eduardo,

I see a lot of NAT statements; which one do we need to focus on?

Mike
