09-26-2014 11:02 AM - edited 03-04-2019 11:50 PM
I have an ASA 5525 and a Cisco 887 router.
I want to lab out a scenario where I can test the NAT translations, especially for FTP and WWW.
So I have a real external IP address where I telnet to port 80 for one web server and port 21 to a different one,
in the hope that the 887 will translate that to an IP in the 3750, which is then connected to the 5525 with another LAN behind.
Let's say my real external IP is 9.9.9.9/30; the Cisco 887 is configured to translate that inside:
ip nat inside source static tcp 8.8.8.1 23 interface Dialer1 21
ip nat inside source static tcp 8.8.8.2 80 interface Dialer1 80
Then I have another VLAN SVI network inside my 3750 layer 3 switch running EIGRP, 8.8.8.0/29, which is my pretend address (I have actually used the ISP's real address internally for testing purposes, but it is not advertised outside).
So that means the outside interface of the 5525 is 8.8.8.1,
the internal interface is 10.1.1.1/24,
and the clients are at 10.1.1.10 and 10.1.1.20.
So I want to be able to telnet from the REAL internet on port 21 and hit 10.1.1.10 port 21, and hit 10.1.1.20 on port 80.
The translation to the actual outside interface address of the 5525 works, but when I use another address in the 8.8.8.0/29 network it doesn't.
I have objects created in the ASA for 8.8.8.1 and 8.8.8.2.
Any ideas what sort of config I need on the 5525 to get this to accept a translation for something other than the outside interface address?
I have firewall rules of any/any.
This is version 9.1.
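As an added example (not from the original poster or the replies), this is the ASA 9.1 object NAT shape that answers the question as asked: a static translation for 8.8.8.2, an address on the outside subnet that is not the interface address, plus one for the interface itself. Object names, the ACL name and the source address used in packet-tracer are assumptions; the port mappings mirror the 887 lines in the post.

```cisco
! --- ASA 5525, 9.1 (object NAT, real IPs in ACLs) ---
! Web server: outside 8.8.8.2:80 -> inside 10.1.1.20:80.
! 8.8.8.2 is NOT an ASA interface address; the ASA proxy-ARPs for it
! on the outside interface, so the 3750 can forward to it.
object network WEB_10.1.1.20
 host 10.1.1.20
 nat (inside,outside) static 8.8.8.2 service tcp www www
!
! FTP server: outside 8.8.8.1 (interface) -> inside 10.1.1.10:21.
! The posted 887 line sends external port 21 to 8.8.8.1 port 23,
! so the mapped port here is telnet (23); use "service tcp ftp ftp"
! if the router is changed to forward to port 21 instead.
object network FTP_10.1.1.10
 host 10.1.1.10
 nat (inside,outside) static interface service tcp ftp telnet
!
! Inbound ACL uses the REAL (post-translation) addresses on 8.3+ code.
! Scoped to the two services rather than any/any.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq ftp
access-group OUTSIDE_IN in interface outside
!
! FTP inspection (on by default in global_policy) is what opens the
! data channel; confirm it is present rather than assuming it.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! --- Verification ---
! Confirm the translations exist and how a packet would be handled.
! 203.0.113.5 is a constructed external source address.
! show nat
! show xlate
! packet-tracer input outside tcp 203.0.113.5 1025 8.8.8.2 80
! packet-tracer input outside tcp 203.0.113.5 1025 8.8.8.1 23
! In a failover pair, check which unit owns the context before
! writing config, otherwise the lines never reach the forwarding path:
! show failover
```

`show nat` prints hit counters per rule, so a zero-count rule after a test from outside points at the router or routing rather than at the ASA policy.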
09-26-2014 02:20 PM
How about if you assign a prefix-length to the public IP range,
something like this:
ip nat pool test 8.8.8.0 8.8.8.6 prefix-length 29
ip nat inside source list 10 pool test
access-list 10 permit host 10.1.1.10
access-list 10 permit host 10.1.1.20
HTH
09-28-2014 09:25 AM
OK, so it's good not to skip parts of a FW build.
I was having difficulty with HA replication and lost interest in getting that working, so I moved on to the firewall rule part, which was bailing out on me.
So I went back to the config and I couldn't work out why, when I wrote the rule either in the CLI or in the ASDM, it didn't actually appear in the config.
It would appear that my lack of replication between the two firewalls was the issue. I was writing the config on the firewall that wasn't participating in dealing with the packets.
Once I had fixed the active/active replication the issue went away and I could create rules and test well.
So the moral of the story is not to skip parts of a FW build out...
Thanks for your suggestions.