Second public IP NAT translate on ASA 5512-x

Good morning,

I will show you my config first for quick understanding

Cisco ASA: 192.168.1.1

Inside network: 192.168.2.*

Cisco ASA 5512-X with WAN IP configured on the WAN Port. We have 5 public IP addresses from our ISP (let's say for example 10.10.10.41 - 10.10.10.46).

We have a Netgear Router behind our ASA because of Wifi Guest access. We assigned one of our public IP addresses (10.10.10.42) to that Netgear router (connected on the WAN port of the Netgear) and configured a NAT object in our ASA for this router. With a NAT rule to this NAT object we create the port forwarding for the different ports as needed (videoconferencing, Lync etc.). In the Netgear we also open the same ports and assign them to the right local IP addresses.

At this point everything is working great. Even with 2 "firewalls" behind each other with port forwarding (I know it's not the ideal situation).

I configured a Lync Edge server and a Reverse Proxy (2 NICs) and I want to assign one of my Public IP addresses to that Reverse Proxy. We created public DNS A records (meet, lyncweb, lyncdiscover and dialin) which point to 10.10.10.43. It should be looking like this:

External User 10.10.10.43 --> RP Ext. NIC --> RP Int. NIC --> Lync server

As you can read and see I want to configure the 10.10.10.43 public IP address on my ASA so it can be (NAT) translated to the local IP address of the Reverse Proxy (RP) external NIC. This is a 192.168.2.* address.

How do I configure this on my ASA? Is it a problem the ASA is not in the same network as my local range?

8 Replies

What ASA version are you running?

Is it a problem the ASA is not in the same network as my local range?

I am not exactly sure what you mean by this. Do you mean that your ASA inside interface is in a different subnet range than that of the directly connected local network? If so then this is a problem as the ASA will not know where to route traffic to the local network.

If your ASA and Netgear router are connected together and they have an interface on the same subnet, and then there is a local network behind the Netgear that has a different subnet than the ASA, then this should not cause any issues.

--
Please remember to rate and select a correct answer

Thank you for your answer.

My ASA inside interface is 192.168.1.1

My LAN is 192.168.2.*

I configure my ASA directly on the Management port.

Situation:

WAN IP -- Cisco ASA WAN -- CISCO ASA Port 1 (192.168.1.1) -- Netgear Router 10.10.10.42 -- LAN IP's (192.168.2.*)

My Netgear doesn't have a local IP but has the Public IP address directly assigned. The cable from Port 1 is directly connected to the WAN interface of the Netgear. In the ASA I have NAT rules with port forwarding to the NAT Object 10.10.10.42 (Netgear). The Netgear has port forwarding configured with the same port numbers to the local IPs that need it (192.168.2.*). For example: We have a videoconferencing unit from Polycom with local IP 192.168.2.7. I have NAT rules with the right port numbers to NAT object 10.10.10.42 (Netgear). On the Netgear the same port numbers are assigned to the Polycom system. This works like a charm.

For configuration I use Cisco ASDM Launcher v1.5

So you have connected port 1 on the ASA directly to the NetGear router interface which has IP 10.10.10.42 assigned to it? If this is the case, this will not work as the ASA (and the NetGear for that matter) will not know how to reach each other.

Could you post a network diagram of how everything is connected and include IP addresses please.


I want to use 10.10.10.43 to be translated by the ASA to 192.168.2.251.

The ASA is not in the 192.168.2.* range. Do I need to change my inside IP of the ASA?

Hello Gilbert,

As long as the ASA knows how to reach the 192.168.2.x subnet you will be fine.

So based on your description and the diagram the ASA connects to the netgear on the inside interface, behind the netgear we have the 192.168.2.x subnet.

I guess the Netgear is not doing any NAT, so the ASA does receive the traffic from the 192.168.2.x subnet.

So the configuration:

object network Inside_Server_RProxy
 host 192.168.2.251
object network Outside_Public_RProxy
 host 10.10.10.43
nat (inside,outside) 1 source static Inside_Server_RProxy Outside_Public_RProxy
route inside 192.168.2.0 255.255.255.0 Netgear_IP_of_192.168.1.x

Remember to configure the ACL to allow the traffic to the R_Proxy.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
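The answer above leaves the ACL and the Netgear's inside-facing address as exercises. The following is an added, complete ASA 8.3+ configuration for this thread's scenario (written for this page, not Julio's or Cisco's own text); it assumes the Netgear's address on the 192.168.1.x link is 192.168.1.2 (placeholder), that the Netgear does not NAT the 192.168.2.x subnet (as the answer assumes), and that the reverse proxy only needs HTTPS (443) and HTTP (80) from the Internet.

```cisco
! Added example config for ASA 8.3 and later (twice NAT syntax).
! Assumptions: ASA inside = 192.168.1.1/24 (from the thread),
! Netgear ASA-facing address = 192.168.1.2 (placeholder, not from the thread),
! no NAT on the Netgear between 192.168.1.x and 192.168.2.x.
object network Inside_Server_RProxy
 host 192.168.2.251
 description Lync reverse proxy external NIC (real address)
object network Outside_Public_RProxy
 host 10.10.10.43
 description Public address for meet/lyncweb/lyncdiscover/dialin
!
! Static one-to-one NAT, bidirectional: 192.168.2.251 <-> 10.10.10.43
nat (inside,outside) 1 source static Inside_Server_RProxy Outside_Public_RProxy
!
! Without this route the ASA has no path back to the 192.168.2.0/24 LAN,
! which is the "ASA not in my local range" problem from the question.
route inside 192.168.2.0 255.255.255.0 192.168.1.2
!
! Inbound ACL. On 8.3+ the ACL matches the REAL (untranslated) address,
! so reference Inside_Server_RProxy, not the public object.
! Permit only the ports the reverse proxy publishes; everything else to
! 192.168.2.251 is dropped and logged by the explicit deny.
object-group service RProxy_Web tcp
 port-object eq 443
 port-object eq 80
access-list OUTSIDE_IN extended permit tcp any object Inside_Server_RProxy object-group RProxy_Web
access-list OUTSIDE_IN extended deny ip any any log
! If an ACL is already applied inbound on outside (for the Netgear port
! forwards), add the permit line to that ACL instead of creating a new one.
access-group OUTSIDE_IN in interface outside
!
! Verification from the ASA CLI (203.0.113.10 is a documentation address
! standing in for an Internet client):
!   packet-tracer input outside tcp 203.0.113.10 40000 10.10.10.43 443
!   show nat detail
!   show xlate
! packet-tracer should end with "Action: allow" and show the NAT phase
! translating 10.10.10.43 to 192.168.2.251; a second run against port 25
! should end in "drop" at the ACCESS-LIST phase.
```

Run the packet-tracer lines after the reverse proxy is online; a drop at the ROUTE-LOOKUP phase means the static route to 192.168.2.0/24 is missing or points at the wrong next hop.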

Thank you for your answer. I'm gonna try this.

Remember that my ASA has IP address 192.168.1.1 and the rest of my inside network 192.168.2.*

How can I make the "translation" from 192.168.1.* to 192.168.2.*? Do I need to change the inside IP address of the ASA or is there a setting I can use?

Hello Gilbert,

Perfect,

Just use my example as a tool,

Let me know how it goes


Hello jcarvaja

Can you tell me how to do this? I'm not sure because I don't have much Cisco knowledge.

Maybe you can provide me a step by step guide to help me through?
