Help with "global" and "NAT"

Answered Question
Jun 30th, 2007

Hi. This is going to be a stupid question, and I do apologize, but I guess this is the place to learn :)

I'm OK in setting up an ASA 99% but I *ALWAYS* get stuck on the global and nat statements. I have looked around for good explanations on it but I'm not coming up with much. Cisco's site was so slow yesterday I eventually gave up.

I went to Borders and bought the new ASA book ($75) and it doesn't even cover it!

Thanks in advance to any pointers, I appreciate it.

Bob

Overall Rating: 5 (1 ratings)
Correct Answer
Jon Marshall Sat, 06/30/2007 - 19:42

Hi Bob

No need to apologize, this is what NetPro is for.

A few examples might help

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The nat statement says that all IP addresses (0.0.0.0 0.0.0.0) received on the inside interface need to be natted. The index number (1 in this example) ties it together with the global statement.

The global statement says to nat all addresses to the outside interface address of the ASA.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 2 interface

Note that the index number is important - in the above example no inside addresses would be natted because there is no corresponding global address.

nat (inside) 2 192.168.5.0 255.255.255.0

global (outside) 2 62.7.19.4

A few things have changed in the above example.

1) The index number is now 2. This is just to show you don't have to use index number 1 all the time.

2) Instead of matching all hosts in the nat statement we are now matching all hosts in the class C subnet 192.168.5.0/24. You can be as precise or as wide open as you want in what you use in the nat statement.

3) Instead of using the interface address we are now using a separate address in the global statement. As long as this address is routable on the internet to your ASA this will work.

This is a very brief overview of nat/global. Please come back with any more questions.

HTH

Jon
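
The index pairing described in the answer above, as an added example that is not part of the original post: a Python check that parses nat/global lines of the form shown and reports nat IDs that have no global with the same ID. The sample config is constructed from the thread's addresses; the function names and the most-specific-match rule in `translation_for` are assumptions of this example.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

# Constructed sample: nat 1 has no global 1, and global 3 has no nat 3.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.5.0 255.255.255.0
global (outside) 2 62.7.19.4
global (outside) 3 interface
"""

def parse(config):
    """Return (nat_rules, global_pools) from nat/global lines as shown above."""
    nats, pools = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((int(nat_id), ifc, net))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, target = m.groups()
            pools.setdefault(int(nat_id), []).append((ifc, target))
    return nats, pools

def unmatched_nat_ids(config):
    """nat IDs with no global of the same ID: those sources are not translated."""
    nats, pools = parse(config)
    # ID 0 is identity NAT on the ASA and needs no global statement.
    return sorted({i for i, _, _ in nats if i != 0 and i not in pools})

def unused_global_ids(config):
    """global IDs that no nat statement references."""
    nats, pools = parse(config)
    return sorted(set(pools) - {i for i, _, _ in nats})

def translation_for(config, source_ip):
    """Global targets a source address would use, or None if untranslated."""
    nats, pools = parse(config)
    src = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, i) for i, _, net in nats if src in net]
    if not matches:
        return None
    _, nat_id = max(matches)  # assumption: the most specific nat rule wins
    return [target for _, target in pools.get(nat_id, [])] or None
```
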

mx Tue, 07/03/2007 - 06:51

Thank you both VERY much. Extremely helpful! It seems it's less voodoo than I thought, mostly because it was never explained to me very well. I really appreciate it. I'm keeping those docs and your explanation on a text file on my desktop until I know it cold.

Thank you again.

Bob
