ASA 5510 inside source NATing

netadmin10
Level 1

Hi Everyone.

I have a project which requires a router from inside our ASA5510 firewall to initiate a VPN connection over the internet to a server. We have this at two DCs: one connects to a Cisco 1941 router and then to the internet; our other DC has an ASA5510 that borders the internet.

The Cisco 1941 connection works fine, but I am unsure of the commands needed to get inside source NATing working on the ASA5510 (software version 8.2(5)) at our second DC. Can you please help?

Cisco 1941 config details (working):

interface Vlan40
 description BUSINESSINTERNET
 ip address 101.101.101.100 255.255.255.248   ( = Public IP)
 ip flow ingress
 ip nat outside

interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat inside

ip nat inside source static 1.1.1.2 101.101.101.101   ( = Public IP)

(1.1.1.2 = router initiating the VPN connection)

Cisco ASA5510 config details (so far):

interface Ethernet0/3
 nameif Internet
 ip address 110.110.110.109 255.255.255.248

interface Ethernet0/2.8
 vlan 8
 nameif TNSoutside
 ip address 2.2.2.1 255.255.255.252

static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255

(110.110.110.110 = Public IP) (2.2.2.2 = router initiating the VPN connection)

I have been thinking I need something like this:

access-list TNSOutside_nat0_outbound extended permit ip 2.2.2.2 255.255.255.255 110.110.110.110 255.255.255.255

nat (TNSOutside) 1 access-list TNSOutside_nat0_outbound

2 Replies

Ganesh Hariharan
VIP Alumni

Hello,

Adding to Masoud's comments, do have a look at the ASA NAT configuration example for more information and help.

Hope it helps.

-GI

Hello,

This command is correct for static NAT. Static NAT is bi-directional so it works both ways.

static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255

The second command is used for policy NAT. It is usually used when you have two gateways and you want to share the load across two links. First, your config is not complete. Second, it may not work because it does not put an entry into the NAT table unless the session initiates from inside.

This is an example of policy NAT.

access-list P1 permit ip host 10.10.10.40 host 1.1.1.1
access-list P2 permit ip host 10.10.10.40 host 2.2.2.2

nat (inside) 10 access-list P1
global (outside) 10 100.100.100.1     (first gateway, used when P1 matches)
nat (inside) 20 access-list P2
global (outside) 20 200.200.200.1     (second gateway, used when P2 matches)

Hope it helps,

Masoud
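Pulling the thread together, here is a complete ASA 8.2(5) configuration for the scenario, written as an added example rather than taken from the original poster's or Masoud's config. It keeps the static translation from the post and adds the piece the thread does not show: because static NAT is bidirectional, 2.2.2.2 becomes reachable from the Internet, and the ASA's default deny on the lower-security Internet interface is the only thing standing in the way, so the inbound access-list is limited to the VPN peer and the IPsec protocols. The peer address 203.0.113.10 is a placeholder (TEST-NET-3), the ACL name Internet_access_in is assumed, and the example assumes TNSoutside carries a higher security level than Internet.

```cisco
! Added example (not from the original post). Assumes ASA 8.2(5), TNSoutside at a higher
! security level than Internet, and VPN peer 203.0.113.10 as a placeholder address.
!
! 1. The one static translation from the post is all the NAT this host needs. Static NAT
!    covers every IP protocol, so ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP (IP/50)
!    are all translated 2.2.2.2 <-> 110.110.110.110, in both directions.
static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255
!
! 2. Because the translation is bidirectional, anything on the Internet can now address
!    2.2.2.2 as 110.110.110.110. The ASA still drops inbound traffic from the lower-security
!    interface unless an access-list permits it, so permit only the peer and only the VPN
!    protocols. In 8.2 the ACL on the Internet interface matches the translated (public) address.
access-list Internet_access_in extended permit udp host 203.0.113.10 host 110.110.110.110 eq isakmp
access-list Internet_access_in extended permit udp host 203.0.113.10 host 110.110.110.110 eq 4500
access-list Internet_access_in extended permit esp host 203.0.113.10 host 110.110.110.110
access-group Internet_access_in in interface Internet
!
! 3. Nothing else is required for this host. A "nat (TNSoutside) 1 access-list ..." entry would
!    be dynamic policy NAT: it needs a matching "global (Internet) 1 ..." entry, it is only built
!    when 2.2.2.2 initiates, and the static entry above is evaluated before it in any case.
!
! Verification (run from enable mode):
show xlate | include 2.2.2.2
! look for a line of the form "Global 110.110.110.110 Local 2.2.2.2"
packet-tracer input TNSoutside udp 2.2.2.2 500 203.0.113.10 500
packet-tracer input Internet udp 203.0.113.10 500 110.110.110.110 500
! both traces should end in ALLOW; a trace from any other Internet source to
! 110.110.110.110 should be dropped by Internet_access_in
```

The two packet-tracer runs exercise the point Masoud makes: the static translation is present before any traffic flows, so the inbound trace succeeds without the inside router having initiated anything, whereas a policy NAT entry would only appear in show xlate after an outbound session.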
