static natting using virtual ip range on inside network

Answered Question
Aug 27th, 2010

ASA 5520

ver 8.2.2


I read that you can use a virtual IP range to do static NATs between the inside and outside networks.

Can someone assist with a short config on how this is done?


inside:  192.168.195.201 /29

outside: 10.25.41.1 /27

virtual ip range:  192.168.191.160 /27


andhingr Fri, 08/27/2010 - 11:24
User Badges: Cisco Employee

You can use regular static nat to accomplish this


static(inside,outside) netmask


However, since your outside interface is in a different IP range and outbound packets will use a source address from 192.168.191.x, your upstream should have a route pointing to the ASA outside interface as the next hop for return packets.


Hope this helps!


- AD

tsrader Fri, 08/27/2010 - 12:03

Is this a correct config?  Thanks for your reply.


outside host (10.25.41.4) needs to access inside host (192.168.195.204)


inside:  192.168.195.201 255.255.255.248

outside:  10.25.41.1 255.255.255.224

virtual ip range:  192.168.191.160 255.255.255.224


static (inside,outside) 192.168.191.164 192.168.195.204 netmask 255.255.255.255


access-list outside_in permit tcp host 192.168.195.204 10.25.41.4 netmask 255.255.255.255



static router on internal L3 router:

ip route 192.168.191.160 255.255.255.224 192.168.195.201

andhingr Fri, 08/27/2010 - 12:14
User Badges: Cisco Employee

Couple of corrections


change

access-list outside_in permit tcp host 192.168.195.204 10.25.41.4 netmask 255.255.255.255


to


access-list outside_in permit tcp host 10.25.41.4 host 192.168.195.204


static router on internal L3 router:

ip route 192.168.191.160 255.255.255.224 192.168.195.201


to


ip route 192.168.191.160 255.255.255.224 10.25.41.1

tsrader Fri, 08/27/2010 - 16:18

Thanks Anil, but unfortunately it didn't work.  I've provided clarification and a partial config.


Can anyone tell me what I'm doing wrong and provide configuration guidance?


---------------------------------------------------------------


Inside network consists of multiple networks:


192.168.191.0
192.168.192.0
192.168.193.0
192.168.194.0
etc
etc
etc


- Host on outside network (10.25.41.10) wants to access host on inside network (192.168.194.10) via RDP (tcp/3389)
- host on inside network (192.168.193.25) wants to access host on outside network (10.25.41.20) via vnc (tcp/5900)



As the IP range created for the inside interface is VERY small (6 hosts), I'm forced to use a routable IP address range from the inside network to permit more than 6 hosts.  192.168.191.160 /27 will be used to create static NATs.


fw inside:  192.168.195.220 /29
fw outside:  10.25.41.1 /27
virtual range:  192.168.191.161 - .190 /27


I'm confused on how to create the static nat using the virtual ip range.


-----------------------------


ASA Version 8.2(2)
!
interface GigabitEthernet0/0.515
nameif outside
security-level 0
ip address 10.25.41.1 255.255.255.224
!
interface GigabitEthernet0/1.533
nameif inside
security-level 100
ip address 192.168.195.220 255.255.255.248
!


--------------  access-list to permit outside to inside host access  --------------


access-list outside_access_in extended permit tcp host 10.25.41.4 host 192.168.194.10 eq 3389
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400


--------------  create static nat --------------
static (inside,outside) 10.25.41.4 192.168.191.164 netmask 255.255.255.255
--------------------------------------------------------------------------
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


route inside 192.168.0.0 255.255.0.0 192.168.195.217 1        <<<<   directly connected to L3 switch running HSRP



Note that ASA is connected to L3 switch and it has the following static route:


ip route 192.168.191.160 255.255.255.224 192.168.195.220

andhingr Fri, 08/27/2010 - 16:49
User Badges: Cisco Employee

I'm not sure if I understood your problem description correctly. Now, after getting your config, I understand your topology is


outside (10.25.41 network)--------------10.25.41.1--ASA--inside (192.168.195.220)--------L3switch range (192.168.191.0-192.168.194.0)


with the configure static as below


static (inside,outside) 10.25.41.4 192.168.191.164 netmask 255.255.255.255


Are you trying to access 10.25.41.4 from an outside host, so that when the packet reaches the ASA it gets translated to 192.168.191.164? If this is correct, then you should change your outside access-list from


access-list outside_access_in extended permit tcp host 10.25.41.4 host 192.168.194.10 eq 3389


to


access-list outside_access_in extended permit tcp host 10.25.41.4 eq 3389


you should also change your static route on l3 switch


from


ip route 192.168.191.160 255.255.255.224 192.168.195.220


to


ip route 10.25.41.0 255.255.255.0 192.168.195.220

tsrader Fri, 08/27/2010 - 17:25

Thanks again Anil.


In our network configuration, the outside network is 10.25.41.x.  The inside network does NOT route ANY 10.x.x.x address whatsoever; that is why I have the ip route statement on the L3 switch as it is:


In order for the inside network to send the 192.168.191.160 traffic back to the ASA, it is my thinking that the L3 switch just needs to send it to the next hop, which is the inside interface of the firewall.  Am I correct?


In my case, the outside host (10.25.41.4) is trying to access 192.168.193.x host via RDP.


Thanks again for your help and I await your response.

Correct Answer
andhingr Fri, 08/27/2010 - 17:33
User Badges: Cisco Employee

Please add the following to your network in addition to the changes (except the routing statement) I suggested in my previous response:


nat (outside) 1 10.25.41.0 255.255.255.224 outside

global (inside) 1 interface


With the above configuration, when the 10.25.41 network is trying to access your inside network, the ASA will translate the source address to the inside interface of the ASA when sending the traffic to the inside network.
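The model below is an added example written for this thread; it is not code from the thread, from the poster, or from Cisco. It walks one outside-to-inside RDP flow through the ASA 8.2 packet path using the thread's addresses, and makes two points from the exchange visible: first, that on pre-8.3 ASA code an inbound ACL on the outside interface is matched against the mapped (translated) destination, not the real inside host, which is why the earlier access-list corrections mattered; second, that without the outside NAT added in this answer the reply from the inside host is addressed to a 10.25.41.x source, for which the L3 switch has no route, and only translating the source to the ASA inside interface gives the switch a connected route back. The single static mapping 192.168.191.164 to 192.168.194.10, the ACL entry naming that mapped address, and the names OUTSIDE_ACL, L3_ROUTES, Flow and rdp_session_works are assumptions made for the illustration.

```python
"""Packet-path model of the thread's ASA 8.2 configuration (added example,
not from the thread or from Cisco).  Addresses and routes come from the
posts above; the flows fed through the model are constructed sample input."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Addressing from the thread
ASA_INSIDE_IF = "192.168.195.220"                      # fw inside
OUTSIDE_NET = ipaddress.ip_network("10.25.41.0/27")    # fw outside network
RDP_HOST = "192.168.194.10"                            # inside host reached via tcp/3389
MAPPED_RDP = "192.168.191.164"                         # assumption: one address from the virtual range

# static (inside,outside) MAPPED REAL netmask 255.255.255.255   ->  {mapped: real}
STATIC = {MAPPED_RDP: RDP_HOST}

# access-list outside_access_in extended permit tcp host SRC host DST eq PORT
# On 8.2 the DST seen by this ACL is the MAPPED address (assumption: one entry).
OUTSIDE_ACL = [("10.25.41.4", MAPPED_RDP, 3389)]

# L3 switch routing table from the thread: the connected /29 toward the ASA plus
# "ip route 192.168.191.160 255.255.255.224 192.168.195.220".  No 10.x route, no default.
L3_ROUTES = [
    (ipaddress.ip_network("192.168.195.216/29"), "connected"),
    (ipaddress.ip_network("192.168.191.160/27"), ASA_INSIDE_IF),
]


def l3_next_hop(dst: str):
    """Longest-prefix match on the L3 switch; None means the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in L3_ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def outside_acl_permits(flow: Flow) -> bool:
    """Inbound outside ACL, evaluated against the mapped destination (pre-8.3 rule)."""
    return (flow.src, flow.dst, flow.dport) in OUTSIDE_ACL


def asa_inbound(flow: Flow, outside_nat: bool):
    """Outside->inside: ACL on mapped addresses, undo the static for the destination,
    then optionally apply 'nat (outside) 1 ... outside' + 'global (inside) 1 interface'
    to the source.  Returns the flow as delivered on the inside, or None if dropped.
    Flows with no static are not followed by this model."""
    if not outside_acl_permits(flow):
        return None
    real_dst = STATIC.get(flow.dst)
    if real_dst is None:
        return None
    src = flow.src
    if outside_nat and ipaddress.ip_address(flow.src) in OUTSIDE_NET:
        src = ASA_INSIDE_IF          # source hidden behind the ASA inside interface
    return Flow(src, real_dst, flow.dport)


def reply_reaches_asa(inside_flow: Flow) -> bool:
    """The inside host answers inside_flow.src; the L3 switch must be able to hand
    that reply back to the ASA inside interface."""
    nh = l3_next_hop(inside_flow.src)
    if nh is None:
        return False
    return nh == ASA_INSIDE_IF or (nh == "connected" and inside_flow.src == ASA_INSIDE_IF)


def rdp_session_works(outside_nat: bool) -> bool:
    """Constructed flow: outside host 10.25.41.4 opens RDP to the mapped address."""
    flow = Flow("10.25.41.4", MAPPED_RDP, 3389)
    inside = asa_inbound(flow, outside_nat)
    return inside is not None and reply_reaches_asa(inside)


if __name__ == "__main__":
    # ACL written against the real host never matches on 8.2
    print("ACL naming real host matches :", outside_acl_permits(Flow("10.25.41.4", RDP_HOST, 3389)))
    print("static only                  :", rdp_session_works(outside_nat=False))
    print("static + outside NAT         :", rdp_session_works(outside_nat=True))
```

The static-only case fails not at the ASA but at the L3 switch, which is the symptom the poster described ("it didn't work" with the static and ACL in place): the forward packet is delivered to 192.168.194.10 with a 10.25.41.4 source, and the switch has nowhere to send the reply. With the outside NAT the inside host sees 192.168.195.220 as the peer, the reply lands on the connected /29, and the ASA untranslates it using its xlate entry.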
