NAT on ASA

Deepak Kumar
VIP Alumni

Hi Everyone,

I want to know: if a subnet is not directly configured on any ASA interface, but is reached from another router through VLAN routing, can I configure NAT on the ASA for this subnet?

Example configuration:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 0
 ip address 200.150.75.2 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
object network ASA-SW0
 subnet 10.0.0.0 255.255.255.252
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 200.150.75.1 1
route inside 192.168.10.0 255.255.255.0 10.0.0.1 1
!
access-list LAN extended permit tcp any any
access-list LAN extended permit udp any any
access-list LAN extended permit icmp any any
!
access-group LAN in interface inside
object network ASA-SW0
 nat (inside,outside) dynamic interface
object network VLAN10
 nat (inside,outside) dynamic interface
object network VLAN20
 nat (inside,outside) dynamic interface
!

-------------

Note: Subnets 192.168.10.0 and 192.168.20.0 are not directly configured on the ASA. I want to configure NAT for those subnets as well, but it is not working.

Regards,

Deepak Kumar

www.deepuverma.in

Accepted Solution

I agree that Karsten has a much better solution. But I thought that the solution with a per-subnet NAT rule should work and wondered why it did not. Looking a bit more closely, I notice that VLAN 1, with security level 0 and the public IP, is named inside, while VLAN 2, with security level 100 and the private IP, is named outside. This mismatch will prevent either solution from working.

HTH

Rick

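As an added illustration that is not part of this thread, here is a small Python lint over a condensed copy of the posted config. It flags the inverted security levels that Rick points out and, as an extra check that goes beyond the thread, whether each NAT'd real subnet is actually reachable through the NAT source interface (in the posted config, 192.168.20.0/24 has no route via inside). The parser, the route lookup and the function names are my own assumptions for this example, not Cisco code.

```python
import ipaddress
# Constructed sample, condensed from the post above (nat lines merged into their objects).
ASA_CONFIG = """interface Vlan1
 nameif inside
 security-level 0
 ip address 200.150.75.2 255.255.255.252
interface Vlan2
 nameif outside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 200.150.75.1 1
route inside 192.168.10.0 255.255.255.0 10.0.0.1 1
"""

def parse(cfg):  # interfaces, static routes and NAT objects from a minimal ASA config
    ifaces, routes, objects, cur = {}, [], {}, {}
    for words in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if words[0] == "interface":
            cur = ifaces.setdefault(words[1], {})
        elif words[:2] == ["object", "network"]:
            cur = objects.setdefault(words[2], {})
        elif words[0] in ("nameif", "security-level"):
            cur[words[0]] = words[1]
        elif words[0] in ("ip", "subnet"):  # 'ip address A M' / 'subnet A M' -> real network
            cur["net"] = ipaddress.ip_network(f"{words[-2]}/{words[-1]}", strict=False)
        elif words[0] == "nat":  # 'nat (real_if,mapped_if) ...'
            cur["src"], cur["dst"] = words[1].strip("()").split(",")
        elif words[0] == "route":  # 'route IF NET MASK GW [metric]'
            routes.append((words[1], ipaddress.ip_network(f"{words[2]}/{words[3]}")))
    return ifaces, routes, objects
def egress(net, ifaces, routes):  # longest-prefix match over connected nets and static routes
    cands = [(i["net"], i["nameif"]) for i in ifaces.values()] + [(n, via) for via, n in routes]
    hits = [(n.prefixlen, via) for n, via in cands if n.supernet_of(net)]
    return max(hits)[1] if hits else None
def lint(cfg):  # findings that explain why per-subnet object NAT fails on this box
    ifaces, routes, objects = parse(cfg)
    lvl, out = {i["nameif"]: int(i["security-level"]) for i in ifaces.values()}, []
    if lvl["inside"] <= lvl["outside"]:  # nameifs and levels are swapped, as in the post
        out.append(f"inside security-level {lvl['inside']} is not above outside {lvl['outside']}")
    for name, o in objects.items():  # the real subnet must be reachable via the NAT real interface
        via = egress(o["net"], ifaces, routes)
        if "src" in o and via != o["src"]:
            out.append(f"{name}: {o['net']} is routed via {via}, not {o['src']}")
    return out
```

Swapping the two nameif lines (so the private transit side is inside with level 100) and adding an inside route for 192.168.20.0/24 makes lint() return no findings.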

2 Replies

For sure you can. This is a typical configuration where the firewall is connected to the core switch with a transfer network. Only the DMZ networks are directly connected to the ASA, but all the internal networks are connected to the core switch.

But you don't need a NAT rule per internal VLAN. You can configure all of them with one simple rule:

nat (inside,outside) after-auto source dynamic any interface
