PAT and Static NAT on ASA

itindia
Level 1

Hi,

Need some config help on the ASA.

I got Lease line link on ethernet to my premises with following WAN IP.

i.e. 122.x.x.114/30 and gateway 122.x.x.113. DNS servers are 202.56.215.54 and 202.56.215.55.

Moreover I have a pool of 16 IP addresses starting from 122.x.y.32/28-122.x.y.48/28.

I am planning network topology as following.

ISP--->ASA firewall(NAT Here)---->Switch--->Internal LAN.

My question is, do I really need a router, as I am getting the link on an Ethernet interface? I am planning to terminate the link on the ASA Ethernet interface directly and PAT it there. So I am sure my 122.x.x.114/30 is to be PATted and traffic is to be routed to the remote gateway at the ISP end, i.e. 122.x.x.113.

Even so, I want to use 5 servers on the public network. So I have to use 5 of the IP addresses out of the pool to static NAT with my DMZ network. The mask and subnet range are different from my PATted IP.

Here I want to understand: will this work without a router in front of my ASA, or will the ASA serve the purpose? What is the command to provide the DNS IP on the ASA (equivalent to ip name-server 202.56.215.54 on routers)?

Thanks in advance.

Reg,

Sushil

6 Replies

bauti1428
Level 1

By default the Cisco ASA is configured as a routed firewall and you should be able to put the IP address of your ISP provider on it and label it as outside. As for the command, sorry, not familiar with commands, only GUI. Configuration -> DNS -> DNS Client -> Add the DNS and, below DNS lookup, enable the interface for DNS lookup.

Thanks for your reply. Still not clear about the routing stuff. The ISP has to sync with my end, and obviously they are doing that with two IPs, one at my end and the other at their end, having a /30 mask. That's what they call the WAN IP. So I will need to route traffic through something like 0.0.0.0 0.0.0.0 122.x.x.113.

Now what about my pool of 16 IP addresses with /28 mask which I got? How and where to use these? NAT or PAT to which IP address, i.e. the /28 or the /30 address on the ASA, for my internal RFC1918 addresses?

In ASA or PIX there could be security levels,
</gre_replace>
<gr_replace lines="63-69" cat="clarify" orig="Confusion is that link">
Confusion is that the /30 link is on outside, 192.168.0.0/24 on internal. Obviously the link will come in on outside and I should PAT with that outside interface using the global command..

How can I use the rest of my pool of IPs? Say statically NATting in the DMZ with 172.16.20.0/16 with any of the IPs. Will DMZ users be able to go to the internet or not?

Keeping in mind that the mask on the outside interface is a /30 mask???

Need expert opinion..

say outside(0) for outside

inside (100) for inside

Confusion is that link of /30 on outside.192.168.0.0/24 on internal.Oviously link will come on outside and i should PAT with that ouside int with global command..

How can i use rest of my pool of IP's.Say statically natting in dmz with 172.16.20.0/16 with any of the ip.Will DMZ users will be able to go to internet or not?

Keeping in mind that mask on outside int is with /30 mask???

Need expert openion..

Reg,

Sushil

sureshkum
Level 1

1. You can terminate the ISP directly on the ASA without using a router. You can use PAT for your internal users to go outside.

2. Static NAT for 5 public servers

Below is an example for one public server...

static (dmz,outside) 122.x.x.115 x.x.x.x netmask 255.255.255.255

Note:

dmz -- your server interface name

x.x.x.x -- your server IP address

Being static NAT, the mask will be 255.255.255.255

3. Command to provide DNS IP

dns name-server 202.56.215.54

dns name-server 202.56.215.55

Thanks Suresh for the info. Does this run OK like this? I never did it before, as I used to get the link terminated on a router and then used any of the IPs out of the pool to PAT on the firewall. Well, it seems like PATting on a router (with overload) and here with the global command on the ASA..

I am extremely thankful to you for this. Well, what is the best way to config the ASA, through ASDM or command line?

Reg,

Sushil

Hi Sushil,

Glad I could help.

It's better to keep your ISP link on a router rather than the firewall. Yes, you're correct, global on the ASA. You can use the FW interface IP also for PAT.

Use the below link for ASA ver 7.0 config through CLI

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/config.html
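Pulling Suresh's replies together, here is a worked configuration for the topology Sushil describes (ISP link on the ASA outside interface, PAT for the LAN, static NAT for DMZ servers, default route, DNS). It is an added example written for this thread, not taken from the original posts or from the linked Cisco guide, and it uses the pre-8.3 NAT syntax that the ASA 7.x guide documents. Assumptions: the interface names and numbers, an inside LAN of 192.168.0.0/24, a DMZ of 172.16.20.0/24 with one web server at 172.16.20.10, and the first usable address of the /28 pool (122.x.y.33) for that server; the masked 122.x.x / 122.x.y octets are carried over from the question as placeholders.

```cisco
! Outside: the /30 WAN link terminates directly on the ASA, no router in front.
! Interface numbers and names are assumed for this example.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 122.x.x.114 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! DMZ sits between inside and outside in trust (172.16.20.0/24 assumed).
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
! Default route to the ISP end of the /30 (the "0.0.0.0 0.0.0.0 122.x.x.113" from the thread).
route outside 0.0.0.0 0.0.0.0 122.x.x.113
!
! PAT: inside and DMZ hosts share the outside interface address when going to the internet.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 172.16.20.0 255.255.255.0
!
! Static one-to-one NAT for a public server, using an address from the routed /28 pool.
! The /28 is never configured on an interface: the ISP routes it to 122.x.x.114,
! so the ASA only has to translate it. Add one line per public server (5 in the thread).
static (dmz,outside) 122.x.y.33 172.16.20.10 netmask 255.255.255.255
!
! A static does not by itself admit traffic from a lower-security interface; an ACL on
! outside must open only the ports the server really offers (HTTP here). Pre-8.3 ACLs
! reference the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 122.x.y.33 eq www
access-group OUTSIDE_IN in interface outside
!
! DNS servers for the ASA itself (the "ip name-server" equivalent asked about).
dns domain-lookup outside
dns name-server 202.56.215.54
dns name-server 202.56.215.55
```

Two checks worth doing before relying on this. First, confirm with the ISP that the /28 block is routed to 122.x.x.114 rather than configured as a connected subnet on their side; if it is routed, the ASA needs nothing more than the static entries above. Second, on ASA 7.2 and later, `packet-tracer input outside tcp <any source address> 12345 122.x.y.33 80` walks a simulated packet through the route lookup, the outside ACL and the static translation and shows which stage drops it, which is the quickest way to verify that a DMZ server is reachable only on the ports the ACL permits.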
