ASA5520 nat questions

Aug 14th, 2008

Office network (INSIDE) needs to access lab network (OUTSIDE)

---- and ----

lab network (OUTSIDE) needs to access office network (INSIDE)

NOTE: lab network resides inside the office network but is considered "high risk", therefore it's placed on the OUTSIDE interface (least secure)

Requirement:

permit ALL outside hosts (behind firewall) to have a nat'd address to inside

inside ip space avail: 172.16.186.0 /23
outside ip space avail: 10.25.186.0 /23

inside interface ip: 172.16.186.2 /23
(172.16.186.1 assigned to L3 switch routed interface)
outside interface ip: 10.25.186.1 /23

Q1: Is this the correct NAT statement?

global (outside) 2 interface
global (inside) 1 interface
nat (outside) 1 10.25.186.0 255.255.254.0 outside
nat (inside) 2 0.0.0.0 0.0.0.0

Q2: Is this the correct static statement to create one-to-one NAT for each host?

static (inside,outside) 10.25.186.0 172.16.186.0 255.255.254.0

Q3: Do I need to list EVERY outside host in an object-group if I want to assign an ACL to the entire IP range?

-- or --

Can I just do something like this:

object-group network outside_users
network-object 10.25.186.0 255.255.254.0

Q4: Is there a simpler way to do this?

Marwan ALshawi Thu, 08/14/2008 - 18:39

Your config sounds good

and about Q3 you can use the

object-group network outside_users
network-object 10.25.186.0 255.255.254.0

good luck
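As an added example (not part of this thread, and not from Cisco), the checks below sanity-test the addressing in the question before it is typed into the ASA: the netmask in the nat (outside) line must be a contiguous mask, the network static of Q2 maps each inside host to the outside address with the same host bits, and the mapped pool should not collide with the subnet the real lab hosts already use on the outside interface. The subnets and interface addresses are the ones given in the thread; the test host 172.16.187.20 is constructed.

```python
import ipaddress

# Values from the thread; the test hosts in the demo are constructed.
INSIDE_REAL = "172.16.186.0"           # real inside network (static, 2nd arg)
OUTSIDE_MAPPED = "10.25.186.0"         # mapped network seen from outside (1st arg)
OUTSIDE_LAB_SUBNET = "10.25.186.0/23"  # subnet of the outside interface / lab hosts


def valid_netmask(mask: str) -> bool:
    """True only for a contiguous dotted-quad mask such as 255.255.254.0.
    A typo like 255.25.254.0 has non-contiguous ones and is rejected."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    ones = bin(bits).count("1")
    return bits == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def static_map(real_host: str, real_net: str, mapped_net: str, mask: str) -> str:
    """Compute the address a network static of the form
    'static (inside,outside) <mapped_net> <real_net> <mask>' gives one host:
    the network part is swapped, the host bits are kept unchanged."""
    if not valid_netmask(mask):
        raise ValueError(f"bad netmask: {mask}")
    m = int(ipaddress.IPv4Address(mask))
    host = int(ipaddress.IPv4Address(real_host))
    real = int(ipaddress.IPv4Address(real_net))
    mapped = int(ipaddress.IPv4Address(mapped_net))
    if host & m != real & m:
        raise ValueError(f"{real_host} is not inside {real_net}/{mask}")
    return str(ipaddress.IPv4Address((mapped & m) | (host & ~m & 0xFFFFFFFF)))


def mapped_overlaps_lab(mapped_net: str, mask: str, lab_subnet: str) -> bool:
    """Flag a mapped pool that overlaps the subnet the lab hosts themselves use
    on the outside interface; with the thread's values both are 10.25.186.0/23."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    pool = ipaddress.ip_network(f"{mapped_net}/{prefix}", strict=False)
    return pool.overlaps(ipaddress.ip_network(lab_subnet))


if __name__ == "__main__":
    print(valid_netmask("255.25.254.0"))  # mask typo -> False
    # constructed inside host 172.16.187.20 -> 10.25.187.20
    print(static_map("172.16.187.20", INSIDE_REAL, OUTSIDE_MAPPED, "255.255.254.0"))
    print(mapped_overlaps_lab(OUTSIDE_MAPPED, "255.255.254.0", OUTSIDE_LAB_SUBNET))
```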
