11-30-2009 07:48 PM - edited 03-04-2019 06:50 AM
Hello,
I did this exercise a long time ago, but I can't recollect how it was done, and I was wondering if somebody could shed some ideas.
I have a machine in the LAN with a 10.10.x.xxx address scheme. I'd like to translate this address to another private address in the 192.168.x.xxx subnet and map a public address to this NAT'd address. So it will look like:
Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx.
The machine is physically placed in the 10.10.x.xxx subnet, and I'd like the firewall to route requests coming from cloud > public address > 192.168.x.xxx > 10.10.x.xxx without physically placing the server in the 192.168.x.xxx subnet.
Thanks in advance
12-01-2009 06:53 AM
It would be cleaner to translate the public to the 10 address, but I'll assume there is a reason that can't be done.
Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx
static (inside,outside) [public ip] 192.168.x.xxx netmask 255.255.255.255
On the next hop (in red)-
Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx
static (inside,outside) [192.168.x.xxx] 10.10.x.xxx netmask 255.255.255.255
Hope that helps.
05-18-2011 06:24 AM
Hello,
I have a machine located in the LAN with a Class C private address. I have a perimeter network with its own address scheme.
I'd like to have the machine in the LAN do a static mapping with the DMZ address, and then do a static mapping of the DMZ address to the public address. I don't want to expose the machine's identification by translating the internal address to the public address. I want packets going out from the DMZ address to the Internet.
for example:
LAN > DMZ
DMZ > Public address
Public address > Internet
There won't be a physical machine located in the DMZ. I'd like to have the ASA perform all the translations and routing. If required, I can plug in an entry for DNS.
How could I achieve this?
Thanks in advance
05-18-2011 08:56 AM
static (Dmz, Lan) Lan_IP Dmz_IP netmask 255.255.255.255
static (Lan, Internet) tcp interface external_port Lan_IP internal_port netmask 255.255.255.255
I assumed you can do a 1:1 NAT between LAN and DMZ, as you can afford wasting 2 private IP addresses, but for LAN to Internet you just do port forwarding for some ports.
Don't forget the firewall!!!
access-group Internet_in in interface Internet
access-group Dmz_in in interface DMZ
And the security level
interface Ethernet0/0
nameif Internet
security-level 0
ip address Internet_IP 255.255.255.192
!
interface Ethernet0/1
nameif Lan
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif Dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
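The reminder above about access-groups and security levels can be checked mechanically. The following is an added example, not code from any of the posts: a small Python audit that reads a pre-8.3 style ASA configuration and reports static translations that expose a host to a lower-security interface with no inbound access-group bound there. The sample configuration, its addresses and ACL names are constructed, and `audit_statics` is a hypothetical helper name.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; addresses and ACL names are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Internet
 security-level 0
interface Ethernet0/1
 nameif Lan
 security-level 100
interface Ethernet0/2
 nameif Dmz
 security-level 50
static (Lan,Dmz) 10.0.0.50 192.168.10.50 netmask 255.255.255.255
static (Lan,Internet) tcp interface 443 192.168.10.50 443 netmask 255.255.255.255
access-group Internet_in in interface Internet
"""

STATIC_RE = re.compile(r"^static \((\S+?)\s*,\s*(\S+?)\)", re.I)
ACL_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.I)

def audit_statics(config):
    """Return (mapped_ifc, line) for statics with no inbound access-group."""
    levels, acl_ifcs, statics, name = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        low = line.lower()                  # interface names compared case-insensitively
        if low.startswith("interface "):
            name = None                     # new interface block begins
        elif low.startswith("nameif "):
            name = low.split()[1]
        elif low.startswith("security-level ") and name:
            levels[name] = int(low.split()[1])
        elif (m := STATIC_RE.match(line)):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip: host sits behind real_ifc
            statics.append((m.group(1).lower(), m.group(2).lower(), line))
        elif (m := ACL_RE.match(line)):
            acl_ifcs.add(m.group(2).lower())
    findings = []
    for real, mapped, line in statics:
        # Flag only translations visible from a lower-security interface.
        if levels.get(mapped, 0) < levels.get(real, 0) and mapped not in acl_ifcs:
            findings.append((mapped, line))
    return findings

if __name__ == "__main__":
    for ifc, line in audit_statics(SAMPLE_CONFIG):
        print(f"no inbound access-group on '{ifc}' for: {line}")
```

An interface name that has no `security-level` line is treated as level 0, so a translation mapped onto an unknown interface is flagged rather than silently passed.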