natting on firewall

carl_townshend · ‎11-07-2007

Hi all, can anyone tell me the command for natting to the outside interface address for all my internal users internet access, i know on my router its ip nat inside source list 1 interface dialler1 overload.

what is the command on the asa for this ?

thanks

Jon Marshall · ‎11-07-2007

Carl

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Assuming you have called the inside interface "inside" and the outside interface "outside".

HTH

Jon

carl_townshend · ‎11-08-2007

what is the global command used for here ?

Jon Marshall · ‎11-08-2007

The global command is needed to tie it to the relevant NAT command ie

nat (inside) 1 0.0.0.0 0.0.0.0

says NAT all addresses ariiving on the inside interface BUT it doesn't tell you what you want to NAT it to. That is what the global command does

global (outside) 1 interface

Notice the same index number (1) has been used in the nat and global statements.

Jon

carl_townshend · ‎11-08-2007

Hi

how would i do a static nat translation on the asa also ?

carl_townshend · ‎11-08-2007

can you explain a little more on the global command and the outside command ? ie do you need to specify the outside interface name ie outside interface eth1 ?

Jon Marshall · ‎11-08-2007

Hi Carl

Sorry i missed this before.

To answer your first question. To create a static translation

static (inside,outside) 217.75.10.2 192.168.5.1 netmask 255.255.255.255

means - present the internal address of 192.168.5.1 as 217.75.10.2 to the outside of the pix.

As for the global command

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 217.66.10.5

means Nat all internal address to the ip address 217.66.10.5

using the command

global (outside) 1 interface

is just shorthand really to say NAT all inside addresses to the address of the pix outside interface. You don't need to use the actual physical interface name ie. eth1 because the pix/asa device refers to the eth1 interface as "outside".

Hope this makes sense

Jon