NATing on CISCO ASA outgoing interface

yugandharm (Level 1)

Hi,

We are using a Cisco ASA with LAN and DMZ interfaces. Generally, Internet traffic goes out with the outside interface IP address, which we can see in the IP details. Here I want to get a NATed IP instead of the outside interface IP. Is it possible to do that?

For example, the outside interface has IP 1.1.1.1 and 1.1.1.2 is a free public IP. Internal and external users should get the 1.1.1.2 IP only. This is my requirement.

Regards,

Yugandhar. M

8 Replies

jan.nielsen (Level 7)

Sure, if you want internal users to hide behind another address than the ASA's interface address, just do this:

global (outside) 1 1.1.1.2

nat (inside) 1

Defining one address in the global statement will cause the ASA to do PAT translation with that address for the addresses defined in nat (inside) 1; the number 1 in both the global and nat statements is what binds them together.

Hi Jan,

Thanks for your solution.

At the time of installation I wrote the NAT policy like:

nat (inside) 1 10.1.2.0 255.255.255.0

global (outside) 1 1.1.1.1-1.1.1.4

Is it OK, or do I need to add the global policy once again as per your suggestion, i.e.

global (outside) 1 1.1.1.2

nat (inside) 1

Regards,

Yugandhar. M

Actually, if I remember correctly, if you use a range the ASA will do dynamic 1-1 NAT, which means only the first 4 people to send traffic through will work, so you should just do the 1.1.1.2 global; you don't need more than one address for regular Internet traffic NATing. You need to remove the "global (outside) 1 1.1.1.1-1.1.1.4" first and then put in a line with only one address in it, like "global (outside) 1 1.1.1.2".

Hi Jan,

Thanks a lot for your solution.

Jan, I have one more query: we have assigned 1.1.1.1 to the outside interface and NATed with 1.1.1.2. At the same time, can I use 1.1.1.3 for mobile VPN users to access the internal resources?

Regards,

Yugandhar. M

Sure you can, it's just another type of NAT, known as a static NAT. If you want external mobile users to be able to reach something inside using 1.1.1.3, do this:

Let's say you wanted HTTP/web traffic NATed towards an internal server (the static command takes the mapped address and port, then the real inside address and port; put your server's inside address where <inside-server-ip> is written):

static (inside,outside) tcp 1.1.1.3 80 <inside-server-ip> 80 netmask 255.255.255.255

and then allow the traffic in your outside access list to the 1.1.1.3 address.

If you want all ports NATed you would do (again with the real inside address after the mapped one):

static (inside,outside) 1.1.1.3 <inside-server-ip> netmask 255.255.255.255

and then you only need to open the access in your outside access list.
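The nat/global/static lines above use the pre-8.3 ASA NAT syntax (ASA 8.3 replaced it with object NAT). The following Python model is an added example, not code from the thread or from Cisco: it parses those three statement types and answers the two questions asked here, which public address an inside host is seen as (PAT when the global has one address, a one-address-per-host dynamic pool when it has a range) and which inside host an inbound packet to a mapped address and port reaches. It also flags a global range, a nat id with no matching global, and a static line that lacks the real (inside) address. The inside hosts 10.1.2.10 and 10.1.2.20, the all-port static on 1.1.1.4 and the sample configs are constructed for the example; the ASA's full NAT order of operations (nat 0 exemptions, policy NAT, overlapping statics) is deliberately not modelled.

```python
"""Model of the pre-8.3 Cisco ASA nat/global/static statements from the thread: which public
address an inside host is seen as (PAT vs one-per-host dynamic pool) and where inbound traffic lands."""
from __future__ import annotations
import ipaddress
import re
from typing import NamedTuple

IPv4 = ipaddress.IPv4Address
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)(?: (\S+) (\S+))?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:(tcp|udp) (\S+) (\d+) (\S+) (\d+)|(\S+) (\S+)) netmask \S+$")

class NatRule(NamedTuple):      # nat (real_ifc) id real_ip real_mask
    real_ifc: str
    nat_id: int
    real_net: ipaddress.IPv4Network

class GlobalPool(NamedTuple):   # global (mapped_ifc) id first[-last]
    mapped_ifc: str
    nat_id: int
    first: IPv4
    last: IPv4

    @property
    def size(self) -> int:
        return int(self.last) - int(self.first) + 1

class StaticRule(NamedTuple):   # static (real_ifc,mapped_ifc) [proto mapped mport real rport | mapped real]
    real_ifc: str
    mapped_ifc: str
    mapped_ip: IPv4
    real_ip: IPv4
    proto: str | None = None        # None: every protocol and port is forwarded
    mapped_port: int | None = None
    real_port: int | None = None

def parse_config(text: str):
    """Return (nat rules, global pools, statics, nat/global/static lines that did not parse)."""
    nats, pools, statics, unparsed = [], [], [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if m := NAT_RE.match(line):
            ifc, nid, ip, mask = m.groups()   # bare `nat (inside) 1` is read as 0.0.0.0 0.0.0.0
            net = ipaddress.IPv4Network((ip or "0.0.0.0", mask or "0.0.0.0"), strict=False)
            nats.append(NatRule(ifc, int(nid), net))
        elif m := GLOBAL_RE.match(line):
            ifc, nid, rng = m.groups()
            first, _, last = rng.partition("-")
            pools.append(GlobalPool(ifc, int(nid), IPv4(first), IPv4(last or first)))
        elif m := STATIC_RE.match(line):
            rifc, mifc, proto, mip, mport, rip, rport, mip2, rip2 = m.groups()
            statics.append(StaticRule(rifc, mifc, IPv4(mip or mip2), IPv4(rip or rip2), proto,
                                      int(mport) if mport else None, int(rport) if rport else None))
        elif line.split()[0] in ("nat", "global", "static"):
            unparsed.append(line)   # e.g. a port static with the real address left out
    return nats, pools, statics, unparsed

def lint(nats, pools, unparsed) -> list[str]:
    """Findings a reviewer would raise before committing the config."""
    findings = [f"global ({p.mapped_ifc}) {p.nat_id} {p.first}-{p.last}: a range is dynamic NAT, one mapped "
                f"address per inside host, so only {p.size} hosts translate at once; use one address for PAT"
                for p in pools if p.size > 1]
    unbound = {n.nat_id for n in nats if n.nat_id} - {p.nat_id for p in pools}  # id 0 is identity NAT
    findings += [f"nat id {i}: no global statement binds it to a mapped address" for i in sorted(unbound)]
    return findings + [f"could not parse: {line}" for line in unparsed]

def mapped_address(nats, pools, real_ifc, mapped_ifc, host):
    """(address, mode) an inside host shows up as on mapped_ifc, or None if nothing translates it."""
    rule = max((n for n in nats if n.real_ifc == real_ifc and IPv4(host) in n.real_net),
               key=lambda n: n.real_net.prefixlen, default=None)   # most specific nat statement wins
    for p in pools:
        if rule and p.mapped_ifc == mapped_ifc and p.nat_id == rule.nat_id:
            mode = "PAT" if p.size == 1 else f"dynamic NAT (pool of {p.size})"
            return (str(p.first) if p.size == 1 else f"{p.first}-{p.last}"), mode
    return None

def inbound_target(statics, mapped_ifc, dst_ip, proto, dst_port):
    """(inside ip, port) a packet arriving on mapped_ifc for dst_ip:dst_port is sent to, or None."""
    hits = [s for s in statics if s.mapped_ifc == mapped_ifc and s.mapped_ip == IPv4(dst_ip)]
    for s in hits:          # a port static exposes only that one port...
        if s.proto == proto and s.mapped_port == dst_port:
            return str(s.real_ip), s.real_port
    for s in hits:          # ...while an all-port static forwards every port unchanged
        if s.proto is None:
            return str(s.real_ip), dst_port
    return None

# Constructed sample configs (not verbatim from the thread): the poster's original range, then
# Jan's single-address PAT plus statics. 10.1.2.10, 10.1.2.20 and the 1.1.1.4 static are made up.
ORIGINAL = "nat (inside) 1 10.1.2.0 255.255.255.0\nglobal (outside) 1 1.1.1.1-1.1.1.4"
CORRECTED = """
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 1.1.1.2
static (inside,outside) tcp 1.1.1.3 80 10.1.2.10 80 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 10.1.2.20 netmask 255.255.255.255
"""
```

Running `lint(*parse_config(ORIGINAL)[:2], parse_config(ORIGINAL)[3])` reports the range as dynamic NAT for 4 hosts, and `mapped_address(..., "10.1.2.50")` returns the whole pool; with CORRECTED it returns ("1.1.1.2", "PAT") and `inbound_target(statics, "outside", "1.1.1.3", "tcp", 443)` returns None, which is the point of the port-specific static: only port 80 is exposed on 1.1.1.3, everything else needs its own static or an all-port one.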

Hi Jan,

A little bit of confusion; I did not get you. Let me explain my required setup.

For example, I have 1.1.1.1, 1.1.1.2 and 1.1.1.3 as public IPs.

As per my last query, I assigned 1.1.1.1 to the outside interface, and outside and inside users can see the IP 1.1.1.2. For this you gave a solution.

The second one is: we have client-to-site mobile VPN users; they should connect to the firewall or my internal network by using the 1.1.1.3 IP address only, i.e. in the VPN client settings the VPN server IP should be 1.1.1.3.

This is my requirement, Jan. Please help me.

Regards,

Yugandhar. M

As far as I can read from your posts, what you want is to use a different IP than the one on your outside interface for terminating remote access VPNs. AFAIK, and what's supported up until 8.2(1), this is not possible. You will need to have this IP on an interface to be able to enable it for ISAKMP.

If you have any available interfaces then create one, call it "nameif VPN" and give it the 1.1.1.3 address. (You will need a switch with a dedicated VLAN in between your CE router / modem for this to be doable.)

If someone has a better solution I am curious about it as well :-)

I have the same problem. My outside IP address on the physical interface is 1.1.1.2.

I need my site-to-site VPN to be terminated on IP 1.1.1.3, and I didn't find a solution either.

Is it possible to use "policy NAT", and how? Is this a kind of solution to this problem without using a switch and a VLAN interface?

Do you know where I can see or read whether we need an IP address on the physical interface for ISAKMP?
