06-30-2007 07:11 PM - edited 03-11-2019 03:37 AM
Hi. This is going to be a stupid question, and I do apologize, but I guess this is the place to learn :)
I'm OK in setting up an ASA 99% but I *ALWAYS* get stuck on the global and nat statements. I have looked around for good explanations on it but I'm not coming up with much. Cisco's site was so slow yesterday I eventually gave up.
I went to Borders and bought the new ASA book ($75) and it doesn't even cover it!
Thanks in advance to any pointers, I appreciate it.
Bob
06-30-2007 07:42 PM
Hi Bob
No need to apologize, this is what NetPro is for.
A few examples might help
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
The nat statement says that all IP addresses (0.0.0.0 0.0.0.0) received on the inside interface need to be natted. The index number (1 in this example) ties it together with the global statement.
The global statement says to nat all addresses to the outside interface address of the ASA.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 interface
Note that the index number is important - in the above example no inside addresses would be natted because there is no corresponding global address.
nat (inside) 2 192.168.5.0 255.255.255.0
global (outside) 2 62.7.19.4
A few things have changed in the above example.
1) The index number is now 2. This is just to show you don't have to use index number 1 all the time.
2) Instead of matching all hosts in the nat statement we are now matching all hosts in the class C subnet 192.168.5.0/24. You can be as precise or as wide open as you want in what you use in the nat statement.
3) Instead of using the interface address we are now using a separate address in the global statement. As long as this address is routable on the internet to your ASA this will work.
This is a very brief overview of nat/global. Please come back with any more questions.
HTH
Jon
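Added example (not part of the reply above, and not Cisco tooling): a short Python check that pairs nat and global statements by index number and reports the mismatch case described in the second configuration. The function names are hypothetical, and the rule that the most specific nat statement wins is an assumption of this sketch.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse(config):
    """Collect nat statements and a {index: [(interface, address)]} map of globals."""
    nats, pools = [], {}
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            ifc, idx, net, mask = m.groups()
            nats.append((ifc, int(idx), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            ifc, idx, addr = m.groups()
            pools.setdefault(int(idx), []).append((ifc, addr))
    return nats, pools

def unmatched_ids(config):
    """Return (nat indexes with no global, global indexes with no nat)."""
    nats, pools = parse(config)
    # Index 0 is skipped: "nat 0" means "do not translate", so it needs no global.
    nat_ids = {idx for _, idx, _ in nats if idx != 0}
    return sorted(nat_ids - set(pools)), sorted(set(pools) - nat_ids)

def translate(config, src_ip):
    """Return the (interface, address) a source maps to, or None if untranslated."""
    nats, pools = parse(config)
    src = ipaddress.ip_address(src_ip)
    hits = [n for n in nats if src in n[2]]
    if not hits:
        return None
    # Assumption of this sketch: the most specific matching nat statement wins.
    _, idx, _ = max(hits, key=lambda n: n[2].prefixlen)
    pool = pools.get(idx)
    return pool[0] if pool else None

# Constructed inputs: the three configurations from the reply above.
MATCHED = "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 1 interface"
MISMATCHED = "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 2 interface"
SUBNET = "nat (inside) 2 192.168.5.0 255.255.255.0\nglobal (outside) 2 62.7.19.4"

if __name__ == "__main__":
    for name, cfg in [("matched", MATCHED), ("mismatched", MISMATCHED), ("subnet", SUBNET)]:
        print(name, unmatched_ids(cfg), translate(cfg, "192.168.5.20"))
```

Running it over a saved configuration before deployment shows which inside ranges would leave untranslated because their index has no global.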
07-02-2007 05:15 PM
Hello.
Check out the command references.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html
There are really good (IMHO anyway) explanations of how and when to use the static statements along with the NAT and Globals.
Tim
07-03-2007 06:51 AM
Thank you both VERY much. Extremely helpful! It seems it's less voodoo than I thought, mostly because it was never explained to me very well. I really appreciate it. I'm keeping those docs and your explanation on a text file on my desktop until I know it cold.
Thank you again.
Bob