
Configuring an ASA5506X for NAT

Paul Morris
Level 1

Hi

 

I am not sure if this is the correct forum, but I need to configure an ASA 5506X to do NAT routing. I think I have successfully configured the internal and external interfaces, but so far it is still not working.

 

Any assistance would be appreciated.

1 Accepted Solution


Paul,

You didn't provide a DNS address. I used a public one, and you can change it anyway.

* For your outside interface use...

    !
    interface gigabitethernet1/1
    nameif outside
    security-level 0
    ip address dhcp setroute
    no shutdown
    !

* For your inside interface use...

    !
    interface gigabitethernet1/2
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    no shutdown
    !

* To enable DHCP service on your internal network use...

    !
    dhcpd dns 4.2.2.2 4.2.2.3
    dhcpd lease 3000
    dhcpd ping_timeout 30
    !
    !
    dhcpd address 10.0.0.100-10.0.0.250 inside
    dhcpd enable inside
    !

* To enable the NAT process outside to/from inside use...

    !
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    access-group 101 in interface outside
    !

* To enable telnet on the inside interface use...

    !
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 10
    !

* To save the configuration, use the ( write ) command.

Also, don't forget to enable password for the device.

 

Regards

 

Please rate helpful posts

 


rizwanr74
Level 7

What kind of NAT do you want to do?

Can you explain the nature of the NAT you need?

 

Based upon a previous recommended configuration, I need to use the ASA to connect the internal network with the external (WAN), which are on two different IP addresses.

You would need a static NAT.

 

ASA 8.2 and below.


! allow HTTPS from anywhere to the public (mapped) address
access-list outside-in permit tcp any host 23.23.23.23 eq 443
access-group outside-in in interface outside

static (inside,outside) 23.23.23.23 10.50.50.50 netmask 255.255.255.255

 

------------------------------------------------------------------

For version 8.3 and above.

object network my-internal-srv
 host 10.50.50.50
 nat (inside,outside) static 23.23.23.23


! 8.3 and above: the ACL matches the real (inside) address, so the server object is the destination
access-list outside-in extended permit tcp any object my-internal-srv eq 443
access-group outside-in in interface outside

 

You may change the IP addresses according to your environment.

 

thanks

 

 

 

Hi

I am new to Cisco CLI. Is this via the CLI or ASDM? I do not have the ASDM.

If via the CLI do I use the Interface 1/1 for outside?

 

It is CLI configuration. You have to change the port number, private IP address and public IP address according to your environment.

 

Use the interface names that you have defined on the interfaces.

Can you give me the complete list of commands to ensure I get it right?

What I provided is the complete list of commands you need to complete the static NAT.

Configuration commands vary based on the software version of the ASA, as mentioned above.

 

 

Will try those shortly and let you know.

 

Thank you very much.

Is 10.50.50.50 the IP address for your firewall or internal gateway?

"Is 10.50.50.50 the IP address for your firewall or internal gateway?"

 

This is just an example to set up static NAT for an internal address, so that someone coming via the Internet will be able to access your internal service running on port 443 on server address 10.50.50.50.

 

Are you trying to access the Internet from inside of your network?

The primary aim is to access the internet from the internal network. 

The external is set to 192.168.x.x and the internal is 10.x.x.x

 

 

You cannot access the Internet with private address ranges.

 

You need to dynamic-NAT your private addresses to a public address on the outside interface of your ASA, which is facing the Internet circuit.

What is the version of your ASA's software?

 

The table below shows the private address ranges.

 

| RFC1918 name | IP address range | Number of addresses | Largest CIDR block (subnet mask) | Host ID size | Mask bits | Classful description |
|---|---|---|---|---|---|---|
| 24-bit block | 10.0.0.0 - 10.255.255.255 | 16,777,216 | 10.0.0.0/8 (255.0.0.0) | 24 bits | 8 bits | single class A network |
| 20-bit block | 172.16.0.0 - 172.31.255.255 | 1,048,576 | 172.16.0.0/12 (255.240.0.0) | 20 bits | 12 bits | 16 contiguous class B networks |
| 16-bit block | 192.168.0.0 - 192.168.255.255 | 65,536 | 192.168.0.0/16 (255.255.0.0) | 16 bits | 16 bits | 256 contiguous class C networks |

 I am not sure of the version of the software.

The reason the External ip is a 192 is that the ISP has a DIA and are using a device which does its own routing. We can't and don't access that device but it gives a 192.168.0.x scheme.

 

On console access, issue this command "show version"
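
Added example, not part of any post in this thread: a small Python helper that reads `show version` output and builds the interface-PAT commands for the inside network in whichever NAT syntax that software version accepts (the `global`/`nat` pair from the accepted solution for 8.2 and below, object NAT for 8.3 and above). The sample banner text, the function names and the `inside-net` object name are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of "show version" output (not taken from the thread).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)
Device Manager Version 7.8(2)
"""

# The three private blocks listed in the table above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def asa_version(show_version_text):
    """Return (major, minor) parsed from 'show version' output."""
    m = re.search(r"Security Appliance Software Version (\d+)\.(\d+)",
                  show_version_text)
    if not m:
        raise ValueError("no ASA software version line found")
    return int(m.group(1)), int(m.group(2))


def dynamic_pat_commands(show_version_text, inside_cidr, inside_if="inside",
                         outside_if="outside", obj_name="inside-net"):
    """Build interface-PAT commands in the syntax the running version accepts."""
    net = ipaddress.ip_network(inside_cidr)
    if not any(net.subnet_of(block) for block in RFC1918):
        raise ValueError(f"{net} is outside the RFC 1918 ranges")
    addr, mask = str(net.network_address), str(net.netmask)
    if asa_version(show_version_text) >= (8, 3):
        # 8.3 and above: the NAT rule lives inside a network object.
        return [
            f"object network {obj_name}",
            f" subnet {addr} {mask}",
            f" nat ({inside_if},{outside_if}) dynamic interface",
        ]
    # 8.2 and below: paired global/nat statements sharing NAT ID 1.
    return [
        f"global ({outside_if}) 1 interface",
        f"nat ({inside_if}) 1 {addr} {mask}",
    ]


if __name__ == "__main__":
    print("\n".join(dynamic_pat_commands(SAMPLE_SHOW_VERSION, "10.0.0.0/24")))
```
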