Andres Moncada
Beginner

NAT on ASA 5508 for ISP

Hello,

I have an ISP which gives me the following information to configure my connection:

WAN 10.16.X.222 /30 with the VLAN 186

LAN pool (public IP) 200.81.X.153-158 /29

So I have one ASA 5508 which receives the ISP WAN connection and one ISR 4321 which manages my private LAN.

Now, my question is: how can I configure NAT on my ASA to give access to the internet from my private LAN?

Right now, I have this...

### ASA 5508 ###
!
interface GigabitEthernet1/1
description WAN
nameif gateway
security-level 0
no ip address
!
interface GigabitEthernet1/1.186
description WAN_ISP
vlan 186
nameif outside
security-level 0
ip address 10.16.X.222 255.255.255.252
!
interface GigabitEthernet1/2
description TO_ISR4321
nameif inside
security-level 100
ip address 200.81.X.153 255.255.255.248
!

!
route outside 0.0.0.0 0.0.0.0 10.16.X.221
route inside 192.168.10.0 255.255.255.252 200.81.X.154
route inside 192.168.20.0 255.255.255.252 200.81.X.154
!
### ISR 4321 ###
!
interface GigabitEthernet0/0/0
 description TO_ASA5508
 ip address 200.81.X.154 255.255.255.248
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.10
 description SERVERS
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1.20
 description USERS
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 negotiation auto
!

!
ip route 0.0.0.0 0.0.0.0 200.81.X.153
!
1 REPLY
paul driver
VIP Expert

Hello

@Andres Moncada wrote:

Hello,

Now, my question is how can I configure NAT in my ASA to give access to the internet from my private LAN?

Try the following:

conf t
! Objects for the two private subnets behind the ISR
object network Servers
subnet 192.168.10.0 255.255.255.0
object network Users
subnet 192.168.20.0 255.255.255.0

object-group network LAN_NAT
network-object object Servers
network-object object Users

! Dynamic PAT of both subnets to the outside interface address
nat (inside,outside) after-auto source dynamic LAN_NAT interface

! Permit ICMP echo replies arriving on the outside interface
access-list 100 extended permit icmp any object-group LAN_NAT echo-reply
access-group 100 in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
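
A pre-deployment check for the configuration in this thread, added here as an example and not part of either post: the ASA's "route inside" entries use mask 255.255.255.252 while the ISR subinterfaces and the NAT objects are /24, so the routes cover only the first four addresses of each translated subnet. The sample config is constructed (documentation addresses stand in for the masked X octets) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the thread's ASA routes and the reply's NAT objects,
# with the masked "X" octets replaced by documentation addresses.
SAMPLE_ASA_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 10.16.0.221
route inside 192.168.10.0 255.255.255.252 203.0.113.2
route inside 192.168.20.0 255.255.255.252 203.0.113.2
object network Servers
 subnet 192.168.10.0 255.255.255.0
object network Users
 subnet 192.168.20.0 255.255.255.0
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+", re.M)
OBJECT_RE = re.compile(r"^object network (\S+)\n\s*subnet\s+(\S+)\s+(\S+)", re.M)


def parse_routes(config, nameif):
    """Return the networks that static routes send out interface `nameif`."""
    return [ipaddress.ip_network(f"{net}/{mask}")
            for iface, net, mask in ROUTE_RE.findall(config) if iface == nameif]


def parse_subnet_objects(config):
    """Return {object name: network} for 'object network' subnet objects."""
    return {name: ipaddress.ip_network(f"{net}/{mask}")
            for name, net, mask in OBJECT_RE.findall(config)}


def uncovered_objects(config, nameif="inside"):
    """List (name, network) pairs that no single route via `nameif` contains.

    A malformed address or mask raises ValueError from ipaddress, which also
    catches typos such as a missing dot in a netmask.
    """
    routes = parse_routes(config, nameif)
    return [(name, net) for name, net in parse_subnet_objects(config).items()
            if not any(net.subnet_of(route) for route in routes)]


if __name__ == "__main__":
    for name, net in uncovered_objects(SAMPLE_ASA_CONFIG):
        print(f"{name}: {net} is not covered by any 'route inside' entry")
```
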