Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
517
Views
0
Helpful
2
Replies

NAT Statements

Go to solution
dianewalker
Level 1
Level 1

‎05-08-2010 08:53 PM

We have a new ASA 5510.  We are not sure of the basic configurations.   We want to use the ASA as a firewall and VPN.  For the VPN, we are going to setup group policies for the VPN client.  There is no router between the ASA and the internal networks.  Here is the basic configuration.  Do you see anything wrong?  Is there anything else that we need to setup in terms of routing?

1.  The outside IP address is 66.102.7.17, network mask 255.255.255.248, gateway 66.102.7.22.   Is this what we would enter on the Outside interface?

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.17 255.255.255.0

2.  We  want to NAT each private IP address to each public IP address.  The public IP addresses are from 209.145.25.1 - 209.145.25.62, subnet mask 255.255.255.192.   Are these the correct NAT statements?

static (Inside,Outside) 209.145.25.1 192.168.100.1 netmask 255.255.255.255
static (Inside,Outside) 209.145.25.2 192.168.100.2 netmask 255.255.255.255
static (Inside,Outside) 209.145.25.3 192.168.100.3 netmask 255.255.255.255
static (Inside,Outside) 209.145.25.4 192.168.100.4 netmask 255.255.255.255
static (Inside,Outside) 209.145.25.5 192.168.100.5 netmask 255.255.255.255

3.  This is the Route Outside statement.  Does it look correct?  The IP address 66.102.7.22 is the default gateway of 66.102.7.17 which is the outside interface of ASA

route Outside 0.0.0.0 0.0.0.0 66.102.7.22 1

3.  Since the outside interface of the ASA  and the public IP addresses are on different networks, do we need another route statement?

Thanks.

Diane

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-08-2010 08:57 PM

Diane,

Everything is correct with these exceptions:

1. Change the mask

interface e0/0
no ip add
ip address 66.102.7.17 255.255.255.248

2. Since the public IPs are on a different subnet than the outside IP of the ASA, you need to make sure the ISP knows how to send
to the ASA the traffic intended to those IPs.

Hope to help.

Federico.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-08-2010 08:57 PM

Diane,

Everything is correct with these exceptions:

1. Change the mask

interface e0/0
no ip add
ip address 66.102.7.17 255.255.255.248

2. Since the public IPs are on a different subnet than the outside IP of the ASA, you need to make sure the ISP knows how to send
to the ASA the traffic intended to those IPs.

Hope to help.

Federico.

0 Helpful

Go to solution
Kent Heide
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-09-2010 03:06 AM

The ISP has most likely allocated you a range to use for statics and these are

published into the ISP's routing table from your CPE interface. The moment you add those statics in your ASA it will act as a proxy-arp for those IPs. In other words making it work :-)

The rest of your config looks ok.

0 Helpful
Customers Also Viewed These Support Documents