NATing on CISCO ASA outgoing interface

Dec 9th, 2009

Hi,


We are using a Cisco ASA with LAN and DMZ interfaces. Generally, internet traffic goes out with the outside interface IP address, which is the IP that shows up. Here I want a NATed IP to be used instead of the outside interface IP. Is it possible to do that?


For example, the outside interface IP is 1.1.1.1 and 1.1.1.2 is a free public IP. Internal and external users should get 1.1.1.2 only. This is my requirement.


Regards,

Yugandhar. M

jan.nielsen Wed, 12/09/2009 - 06:08

Sure, if you want internal users to hide behind another address than the ASA's interface address, just do this:


global (outside) 1 1.1.1.2

nat (inside) 1


Defining one address in the global statement will cause the ASA to do PAT translation with that address for the addresses defined in nat (inside) 1; the number 1 in both the global and nat statements is what binds them together.

yugandharm Wed, 12/09/2009 - 09:03

Hi Jan,


Thanks for your solution.


At the time of installation I wrote a NAT policy like


nat (inside) 1 10.1.2.0 255.255.255.0

global (outside) 1 1.1.1.1-1.1.1.4


Is it OK, or do I need to add the global policy once again as per your suggestion, i.e.


global (outside) 1 1.1.1.2

nat (inside) 1



Regards,

Yugandhar. M

jan.nielsen Wed, 12/09/2009 - 10:33

Actually, if I remember correctly, if you use a range the ASA will do dynamic 1-1 NAT, which means only the first 4 people to send traffic through will work, so you should just do the 1.1.1.2 global; you don't need more than one address for regular internet traffic NATing. You need to remove the "global (outside) 1 1.1.1.1-1.1.1.4" first and then put in a line with only one address in it, like "global (outside) 1 1.1.1.2".

yugandharm Wed, 12/09/2009 - 21:15

Hi Jan,


Thanks a lot for your solution.


Jan, I have one more query: we have assigned 1.1.1.1 to the outside interface and NATed with 1.1.1.2. At the same time, can I use 1.1.1.3 for mobile VPN users to access the internal resources?


Regards,

Yugandhar. M

jan.nielsen Thu, 12/10/2009 - 08:55

Sure you can, it's just another type of NAT, known as a static NAT. If you want external mobile users to be able to reach something inside using 1.1.1.3, do this:


Let's say you wanted HTTP/web traffic NATed towards an internal server:


static (inside,outside) tcp 1.1.1.3 80 80 netmask 255.255.255.255


and then allow the traffic in your outside access list to the 1.1.1.3 address.


If you want all ports NATed you would do:


static (inside,outside) 1.1.1.3 netmask 255.255.255.255


and then you only need to open the access in your outside access list.
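As an added illustration (not code from the thread), here is a small Python audit helper for pre-8.3 ASA nat/global/static lines like the ones Jan posted: it pairs nat and global statements by id, classifies each global as PAT (single address) or a dynamic 1:1 pool (a range, with its size), and flags all-port statics whose exposure depends entirely on the outside access list. The sample config is constructed, and the real host 10.1.2.10 is an assumed placeholder that the posts do not give.

```python
import re
from collections import defaultdict

# Constructed sample in pre-8.3 ASA syntax: the thread's commands, with an assumed real host 10.1.2.10.
SAMPLE_CONFIG = """
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 1.1.1.1-1.1.1.4
global (outside) 1 1.1.1.2
static (inside,outside) tcp 1.1.1.3 80 10.1.2.10 80 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 10.1.2.10 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask (\S+)")

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def pool_size(spec):
    """Mapped addresses in a global spec: 1 means PAT, a range means a dynamic 1:1 pool."""
    if "-" in spec:
        lo, hi = spec.split("-")
        return ip_to_int(hi) - ip_to_int(lo) + 1
    return 1

def audit_nat(config):
    """Group nat/global lines by NAT id, list statics, and return (bindings, statics, findings)."""
    bindings, statics, findings = defaultdict(lambda: {"nat": [], "global": []}), [], []
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):
            bindings[int(m[2])]["nat"].append({"if": m[1], "net": m[3], "mask": m[4]})
        elif m := GLOBAL_RE.match(line):
            size = pool_size(m[3])
            bindings[int(m[2])]["global"].append(
                {"if": m[1], "spec": m[3], "size": size, "mode": "PAT" if size == 1 else "dynamic 1:1"})
        elif m := STATIC_RE.match(line):
            statics.append({"mapped": m[4], "real": m[6], "proto": m[3], "port": m[5], "all_ports": m[3] is None})
            if m[3] is None:  # no protocol/port given: every port of the real host is reachable via the mapped IP
                findings.append(f"static {m[4]} -> {m[6]} maps every port; only the outside ACL limits exposure")
    for nat_id, b in bindings.items():
        pools = [g for g in b["global"] if g["mode"] != "PAT"]
        for g in pools:  # a range is a 1:1 pool; a PAT address on the same id serves as overflow
            tail = ("then falls back to the PAT address" if len(pools) < len(b["global"])
                    else "after which new hosts get no translation")
            findings.append(f"NAT id {nat_id}: {g['spec']} is a 1:1 pool of {g['size']}, {tail}")
    return dict(bindings), statics, findings
```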

yugandharm Thu, 12/10/2009 - 20:33

Hi Jan,


A little bit of confusion; I did not get you. Let me explain my required setup.


For example, I have 1.1.1.1, 1.1.1.2 and 1.1.1.3 as public IPs.


As per my last query, I assigned 1.1.1.1 to the outside interface, and outside and inside users can see the IP 1.1.1.2. For this you gave a solution.


The second one is, we have client-to-site mobile VPN users; they should connect to the firewall or my internal network using the 1.1.1.3 IP address only, i.e. in the VPN client settings the VPN server IP should be 1.1.1.3.


This is my requirement, Jan. Please help me.


Regards,

Yugandhar. M

Kent Heide Mon, 12/14/2009 - 00:15

As far as I can read from your posts, what you want is to use a different IP than the one on your outside interface for terminating remote access VPNs. AFAIK, and as far as what is supported up until 8.2(1), this is not possible. You will need to have this IP on an interface to be able to enable it for ISAKMP.


If you have any available interfaces, then create one, call it "nameif VPN" and give it the 1.1.1.3 address. (You will need a switch with a dedicated VLAN in between your CE router / modem for this to be doable.)


If someone has a better solution I am curious about it as well :-)

vaba Wed, 02/24/2010 - 12:27

I have the same problem. My outside IP address on the physical interface is 1.1.1.2.

I need my site-to-site VPN to be terminated on IP 1.1.1.3, and I didn't find a solution either.

Is it possible to use "policy NAT", and how? Is this a kind of solution for this problem without using a switch and a VLAN interface?

Do you know where I can see or read whether we need the IP address on the physical interface for ISAKMP?
