Static NAT to IP that is not local to ASA?

Brandon Svec
Level 7

All, I have a doubt about a configuration I am requesting.  I know just a little about ASA myself, but am working with a contractor on this project and he is not sure whether this can be done or not.

My application is this:

- ASA with internet and some public IP. 

- Existing internal LAN of 10.10.10.0/24. 

- New voice VLAN 10.10.100.0 on L3 SGE switch doing inter-vlan route between 10.10.100.0/24 and 10.10.10.0/24 via 10.10.10.1 (ASA internal interface)

- ASA will have static route to 10.10.100.0/24 via 10.10.10.254 (data VLAN interface on my L3 switch).  This much is a known working configuration for me to allow voice and data VLANs to route and require very little of the firewall contractor.

Now I need static NAT of a public IP to my IP PBX on 10.10.100.1.  The doubt I have is if they try to configure this the ASA will not want to make a NAT to 10.10.100.1 because that network does not exist anywhere in the ASA config.

Is there a way to make this work, or will it be required/better to use an extra interface on the ASA and make it 10.10.100.0/24 and have the ASA do inter-VLAN routing instead of the switch?

Thanks in advance,

Brandon

-- please remember to rate and mark answered helpful posts --
8 Replies

Jennifer Halim
Cisco Employee

What you are trying to configure is achievable. Voice VLAN does not need to be a subnet on the ASA as long as you have a route to that subnet as you have configured on the ASA, it would be fine.

Can you please share what you have tried to configure and the error message when you are trying to configure it and it does not take it?

For inbound access from the internet, you would need static NAT configured as well as access-list on the outside interface.

Thanks very much for the reply.  I agree with you, but the person working on the firewall led me to think otherwise.

The implementation will not happen until Friday when they move their ASA to a new location where I have already installed the switch and IP PBX.  So I won't be able to try anything until then, but thank you for clearing my doubt about whether static NAT can work to a subnet not on the ASA.

-- please remember to rate and mark answered helpful posts --

Hello Brandon,

I agree with Jennifer, this can be done using the same inside interface.

The ASA will be involved in this as it will have a route to that particular PBX on its inside interface.

What you need to make sure is that the layer 3 device connecting 10.10.10 and 10.10.100 does not do any NAT between them, so the ASA can handle that.

Regards,

Julio

DO rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Brandon Svec
Level 7

Help please.  I am working on this now and not yet concerned with the static NAT, but I can't get a simple internal static route to work.  I need ASA inside 10.10.10.0/24 to route to the 10.10.100.0/24 voice network connected via 10.10.10.254 on my L3 switch.

I did this command:

route inside 10.10.100.0 255.255.255.0 10.10.10.254

and now I can ping 10.10.100.1 from the ASA but not from the 10.10.10.0 network, because I think an ACL is needed to allow routing between subnets, but I don't know what it should look like.

Thanks,

-- please remember to rate and mark answered helpful posts --

Your 10.10.10.0 network should have default gateway as the switch 10.10.10.254 instead of the ASA. Then the switch should have default gateway pointing towards the ASA.

Reason is because ASA will drop the packet if it does not see the complete session for security reason.

If you change your host in 10.10.10.0/24 network default gateway to the switch, it will work just fine.

Let me know how it goes or if you have any further question.

Thanks for the reply.  Since I don't have access to the ASA myself I now have to wait until Tuesday to go back and test things.  I appreciate your input and will update when resolved or if I still need help.

-- please remember to rate and mark answered helpful posts --

The inside static route is now working, thank you.  Back to my original question about static NAT.  I just need a public IP to pass all traffic to an internal IP that is on the 10.10.100.0/24 network not directly connected to the ASA.  I am thinking this would be the command:

static (outside,inside) 10.10.100.1 222.222.222.222 netmask 255.255.255.255

Does that seem correct and can you provide an example of what the ACL would look like?  I want to just allow all traffic now for the purpose of remote IP phones and some admin and mobile apps using various ports.  Once it is tested working I will let the firewall vendor layer security on.

Thanks again,

Brandon

-- please remember to rate and mark answered helpful posts --

It should be:

static (inside,outside) 222.222.222.222 10.10.100.1 netmask 255.255.255.255

The above static statement works bidirectionally.

Also if the traffic is originated from the Internet, you would need to configure access-list and apply that to your outside interface.

Eg:

access-list outside-acl permit ip any host 222.222.222.222

access-group outside-acl in interface outside

If you already have an existing access-list applied to the outside interface, just add the permit statement to the existing access-list.

Hope that helps.
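A worked ASA configuration, added here as an example and not taken from any post in this thread, that ties together the three pieces discussed above: the inside route to the voice VLAN, the corrected static NAT, and the outside access-list, with a packet-tracer check to confirm the translation and ACL behave as intended. The addresses 10.10.10.1, 10.10.10.254, 10.10.100.1 and 222.222.222.222 are the ones given in the thread; the port numbers and RTP range, the object name PBX-INSIDE, and the packet-tracer source address 203.0.113.5 are assumptions chosen for the example. It also goes slightly beyond the thread by showing the equivalent object NAT form used on ASA 8.3 and later, where the ACL matches the real address instead of the mapped one.

```cisco
! Added example, not the thread's own configuration.
! Assumes pre-8.3 ASA syntax (what the thread uses), inside = 10.10.10.1/24,
! L3 switch data SVI = 10.10.10.254, PBX = 10.10.100.1, public = 222.222.222.222.
! Hosts on 10.10.10.0/24 use 10.10.10.254 as default gateway and the switch's
! default route points at 10.10.10.1, so both directions of every session
! traverse the ASA and its stateful inspection sees the complete session.

! 1. Reach the voice VLAN that is not directly connected to the ASA.
route inside 10.10.100.0 255.255.255.0 10.10.10.254

! 2. Static NAT: static (real_ifc,mapped_ifc) mapped_ip real_ip.
!    Bidirectional: the PBX leaves as 222.222.222.222 and anything arriving
!    for 222.222.222.222 on outside is translated to 10.10.100.1.
static (inside,outside) 222.222.222.222 10.10.100.1 netmask 255.255.255.255

! 3. Inbound ACL. Pre-8.3 ACLs match the mapped (public) address.
!    "permit ip any host 222.222.222.222" is fine for the first test, but it
!    exposes every port the PBX listens on; limit it to what remote phones
!    and the admin/mobile apps need (ports below are placeholders).
access-list outside-acl extended permit udp any host 222.222.222.222 eq 5060
access-list outside-acl extended permit udp any host 222.222.222.222 range 10000 20000
access-list outside-acl extended permit tcp any host 222.222.222.222 eq https
access-list outside-acl extended deny ip any any log
access-group outside-acl in interface outside

! 4. Verify without waiting for a remote phone: simulate an inbound SIP packet
!    from a constructed Internet address and read the NAT and ACL phases.
packet-tracer input outside udp 203.0.113.5 5060 222.222.222.222 5060
show xlate

! ---- Same policy on ASA 8.3 and later (object NAT; ACL uses the real IP) ----
object network PBX-INSIDE
 host 10.10.100.1
 nat (inside,outside) static 222.222.222.222
access-list outside-acl extended permit udp any object PBX-INSIDE eq 5060
access-list outside-acl extended permit udp any object PBX-INSIDE range 10000 20000
access-list outside-acl extended permit tcp any object PBX-INSIDE eq https
access-list outside-acl extended deny ip any any log
access-group outside-acl in interface outside
```

The explicit `deny ip any any log` at the end of the list does not change what is blocked (the implicit deny already does that) but makes every dropped inbound attempt visible in the syslog, which is the easiest way to find out which additional ports the mobile and admin applications actually need before the firewall vendor tightens the policy further.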
