PAT and Static NAT on ASA


Hi,


Need some config help on the ASA.

I got a leased line link on Ethernet to my premises with the following WAN IP.

i.e. 122.x.x.114/30 and gateway 122.x.x.113. DNS servers are 202.56.215.54 and 202.56.215.55.

Moreover I have a pool of 16 IP addresses starting from 122.x.y.32/28-122.x.y.48/28.


I am planning the network topology as follows.


ISP--->ASA firewall(NAT Here)---->Switch--->Internal LAN.


My question is, do I really need a router, as I am getting the link on an Ethernet interface? I am planning to terminate the link on the ASA Ethernet interface directly and PAT it there. So I am sure my 122.x.x.114/30 is to be PATted and traffic is to be routed to the remote gateway at the ISP end, i.e. 122.x.x.113.


Also I want to use 5 servers on the public network. So I have to use 5 of the IP addresses out of the pool for static NAT with my DMZ network. But the mask and subnet range are different from my PATted IP.


Here I want to understand whether this will work without a router in front of my ASA, or whether the ASA will serve the purpose. What is the command to provide the DNS IP on the ASA (equivalent to ip name-server 202.56.215.54 on routers)?


Thanks in advance.


Reg,

Sushil

bauti1428 Thu, 04/17/2008 - 06:17

By default the Cisco ASA is configured as a routed firewall, and you should be able to put the IP address of your ISP provider on it and label it as outside. As for the command, sorry, not familiar with commands, only the GUI. Configuration -> DNS -> DNS Client -> Add the DNS, and below DNS lookup enable the interface for DNS lookup.

Thanks for your reply. Still not clear about the routing stuff. The ISP has to sync with my end, and obviously they are doing that with two IPs, one at my end and the other at their end, with a /30 mask. That's what they call the WAN IP. So I will need to route traffic through something like 0.0.0.0 0.0.0.0 122.x.x.113.


Now what about my pool of 16 IP addresses with the /28 mask which I got? How and where do I use these? NAT or PAT my internal RFC1918 addresses to which IP address on the ASA, i.e. the /28 or the /30 address?


In the ASA or PIX there could be security levels, say outside (0) for outside and inside (100) for inside.



The confusion is that the /30 link is on the outside and 192.168.0.0/24 is on the internal side. Obviously the link will come in on the outside, and I should PAT with that outside interface with the global command.


How can I use the rest of my pool of IPs? Say statically NATting in the DMZ with 172.16.20.0/16 to any of the IPs. Will DMZ users be able to go to the internet or not?

Keeping in mind that the mask on the outside interface is a /30 mask?


Need expert opinion.


Reg,

Sushil



sureshkum Thu, 04/17/2008 - 21:25

1. You can terminate the ISP directly on the ASA without using a router. You can use PAT for your internal users to go outside.


2. Static NAT for 5 public servers


Below is an example for one public server:


static (dmz,outside) 122.x.x.115 x.x.x.x netmask 255.255.255.255


Note:

dmz -- your server interface name

x.x.x.x -- your server IP address

Being static NAT, the mask will be 255.255.255.255


3. Command to provide the DNS IP


dns name-server 202.56.215.54

dns name-server 202.56.215.55
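To put the pieces of this thread together, here is an added example (not posted by anyone in the thread) of a complete pre-8.3 ASA configuration for Sushil's layout: the /30 link on outside, the /28 pool used for static NAT, PAT for inside and DMZ users, and the DNS commands. The interface names, the inside/DMZ interface addresses, the DMZ host 172.16.20.10, the public address 122.x.y.35 and port 443 are assumptions; "x" and "y" are the thread's own placeholders, not real octets. It also assumes the ISP routes the /28 pool toward the /30 address 122.x.x.114, which is what makes a /28 address usable on an interface that carries only a /30.

```cisco
! Outside: the /30 link address, default route to the ISP gateway
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 122.x.x.114 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 122.x.x.113

! DNS for the ASA's own lookups (IOS "ip name-server" equivalent);
! domain-lookup names the interface the queries leave from
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.56.215.54
 name-server 202.56.215.55

! Dynamic PAT: inside and DMZ users share the outside interface address
! (the /30 address), so DMZ hosts can reach the internet too
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 172.16.20.0 255.255.255.0
global (outside) 1 interface

! Static NAT: one /28 pool address mapped one-to-one to a DMZ server
! (assumed host and public address). The static overrides the dynamic
! PAT for this host in both directions.
static (dmz,outside) 122.x.y.35 172.16.20.10 netmask 255.255.255.255

! A static alone does not admit traffic from outside (level 0) to dmz
! (level 50). An inbound ACL is required; in pre-8.3 code it is written
! against the public (mapped) address. Permit only the service offered.
access-list outside_in extended permit tcp any host 122.x.y.35 eq 443
access-group outside_in in interface outside
```

Two points worth keeping in mind. First, without the access-list and access-group lines the static translation exists but every inbound connection to 122.x.y.35 is still dropped by the security-level check, which is the right default: open one mapped address and one port per server rather than permitting ip any. Second, this is the nat/global/static syntax of the 7.x and 8.0-8.2 releases current when the thread was written; ASA 8.3 and later replaced it with object-based NAT, and inbound ACLs there reference the real (untranslated) address instead.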



Thanks Suresh for the info. Is it OK to run it like this? I never did it before, as I used to get the link terminated on a router and then use any of the IPs out of the pool to PAT on the firewall. Well, it seems like PATting on the router (with overload), and here with the global command on the ASA.


I am extremely thankful to you for this. Well, what is the best way to configure the ASA: through ASDM or the command line?


Reg,

Sushil
