Natting issue

acharyr123
Level 3

Hi,

I have 1 ASA connected to an L3 3550 switch in L3 mode. On the ASA, NAT for inside and global for outside are configured with proper static routing.

End users are assigned manual IPs. The problem is that whenever any end machine comes up in the network, it is automatically natted with a public IP from the global IP pool configured on the ASA.

I blocked the NetBIOS ports on the switch using an ACL, but the problem still persists.

Any suggestions, please?


indsys
Level 1

If you don't mind, post your config.

Regards,

S.mohana sundaram

ASA:

===========================================
interface GigabitEthernet0/0
 description @@@ Connected with Router Gig 0/0/1 @@@
 nameif outside
 security-level 0
 ip address 125.20.1.2 255.255.255.224
!
interface GigabitEthernet0/1
 description @@@ Connected with Core Switch @@@
 nameif inside
 security-level 100
 ip address 192.168.255.5 255.255.255.252
!
interface GigabitEthernet0/2
 description @@@ DMZ ZONE @@@
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.192
access-list 110 permit tcp any any eq 53
access-list 110 permit udp any any eq 53
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any any eq 110
access-list 110 permit icmp any any eq echo-reply
global (outside) 1 210.212.10.2-210.212.10.14 netmask 255.255.255.240
nat (inside) 1 192.168.10.0 255.255.255.0
access-group 110 in interface outside
access-group 110 in interface inside
access-group 110 in interface dmz
route outside 0.0.0.0 0.0.0.0 125.20.1.1 1
route inside 192.168.0.0 255.255.0.0 192.168.255.6
=============================================

L3 Switch:

Int vlan 2
 ip address 192.168.10.1 255.255.255.0
Int gi0/7
 no switchport
 ip address 192.168.255.6 255.255.255.252
 description ### connected with firewall ###
ip route 0.0.0.0 0.0.0.0 192.168.255.5

Based on your config, any device in network 192.168.10.0/24 that wants to go to the internet will use any available IP in your pool.

What do you want to do exactly?

The problem is: whenever any machine comes up with an IP in 192.168.10.0/24, it automatically gets natted and is assigned a free public IP from the pool.

It should be natted only if I want to access the internet. But in my case, even if I ping a local machine in the LAN, using the "sh xlate" command I can see that my local IP has been natted with a public IP.
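
Added example (not written by any poster in this thread): a Python sketch of the nat/global pairing described in the reply above, where a source address matching "nat (inside) 1" draws from the "global (outside) 1" pool with the same NAT ID. It also lists interface subnets that overlap the NAT source range. The sample config is constructed from the lines posted above, the function names are hypothetical, and only the range form of "global" is parsed.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines from the ASA config posted in this thread.
CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.255.5 255.255.255.252
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.10.1 255.255.255.192
global (outside) 1 210.212.10.2-210.212.10.14 netmask 255.255.255.240
nat (inside) 1 192.168.10.0 255.255.255.0
"""

def parse(config):
    """Return (interface networks by nameif, nat rules, global pools by NAT ID)."""
    ifaces, nats, pools, name = {}, [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:1] == ["nat"]:
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
            nats.append((tok[1].strip("()"), int(tok[2]), net))
        elif tok[:1] == ["global"]:
            first, last = (ipaddress.ip_address(a) for a in tok[3].split("-"))
            pools[int(tok[2])] = (tok[1].strip("()"), first, last)
    return ifaces, nats, pools

def pool_for(src, config=CONFIG):
    """Return (egress interface, pool size) when src matches a nat rule whose
    NAT ID has a global pool, otherwise None."""
    _, nats, pools = parse(config)
    addr = ipaddress.ip_address(src)
    for _, nat_id, net in nats:
        if addr in net and nat_id in pools:
            egress, first, last = pools[nat_id]
            return egress, int(last) - int(first) + 1
    return None

def overlaps(config=CONFIG):
    """List (nat interface, other interface, subnet) where a nat source range
    overlaps a subnet configured on a different interface."""
    ifaces, nats, _ = parse(config)
    return [(nat_if, name, str(net)) for nat_if, _, nat_net in nats
            for name, net in ifaces.items() if name != nat_if and net.overlaps(nat_net)]

if __name__ == "__main__":
    print(pool_for("192.168.10.25"), pool_for("192.168.255.6"), overlaps())
```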