09-11-2016 02:33 AM - edited 03-05-2019 04:40 AM
Hi Everyone,
I want to know whether I can configure NAT on the ASA for a subnet that is not directly configured on any ASA interface. This subnet comes from another router through VLAN routing. Can I configure NAT on the ASA for this subnet?
Example configuration:
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
security-level 0
!
interface Vlan2
security-level 100
!
object network ASA-SW0
subnet 10.0.0.0 255.255.255.252
object network VLAN10
subnet 192.168.10.0 255.255.255.0
object network VLAN20
subnet 192.168.20.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 200.150.75.1 1
route inside 192.168.10.0 255.255.255.0 10.0.0.1 1
!
access-list LAN extended permit
access-list LAN extended permit
access-list LAN extended permit
!
!
access-group LAN in interface inside
object network ASA-SW0
nat (inside,outside) dynamic interface
object network VLAN10
nat (inside,outside) dynamic interface
object network VLAN20
nat (inside,outside) dynamic interface
!
!
!
!
-------------
Note: Subnets 192.168.10.0 and 192.168.20.0 are not directly configured on the ASA. I want to configure NAT for those subnets as well, but it is not working.
Regards,
Deepak Kumar
09-11-2016 03:47 AM
For sure you can. This is a typical configuration where the firewall is connected to the core switch with a transfer network. Only the DMZ networks are directly connected to the ASA, but all the internal networks are connected to the core switch.
But you don't need a NAT rule per internal VLAN. You can configure all of them with one simple rule:
nat (inside,outside) after-auto source dynamic any interface
09-11-2016 11:27 AM
I agree that Karsten has a much better solution. But I thought that the solution with a per-subnet NAT rule should work and wondered why it did not work. Looking a bit more closely, I notice that VLAN 1, with security level 0 and the public IP, is named inside, while VLAN 2, with security level 100 and the private IP, is named outside. This mismatch will prevent either solution from working.
HTH
Rick
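Putting Karsten's single after-auto rule and Rick's interface-naming point together, here is the corrected layout as an added example. It is not the original poster's configuration: the interface addresses (200.150.75.2 on the outside, 10.0.0.2 on the transfer network), the core-switch address 10.0.0.1 and the object-group name INTERNAL-NETS are assumptions; only the 10.0.0.0/30 transfer network, the two VLAN subnets and the default gateway 200.150.75.1 come from the question. The second route is also added here, because the posted config only routed 192.168.10.0/24 back to the core switch and return traffic for 192.168.20.0/24 would have had no path.

```cisco
! Added example, not the poster's config. Addresses below are assumed.
!
! Outside: lowest trust, public address. In the question this VLAN carried
! the nameif "inside", which is the mismatch Rick spotted.
interface Vlan1
 nameif outside
 security-level 0
 ip address 200.150.75.2 255.255.255.0
!
! Inside: the /30 transfer network towards the core switch. The internal
! VLANs are not connected here; they sit behind the core switch.
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 200.150.75.1 1
!
! NAT does not require the real subnet to be directly connected, only that
! the ASA can route to it out of the interface named in the NAT rule. So
! every internal VLAN needs a route back via the core switch (10.0.0.1).
route inside 192.168.10.0 255.255.255.0 10.0.0.1 1
route inside 192.168.20.0 255.255.255.0 10.0.0.1 1
!
! Karsten's rule: one manual (twice) NAT statement, placed after the
! auto (object) NAT rules, that PATs every inside source to the outside
! interface address.
nat (inside,outside) after-auto source dynamic any interface
!
! Tighter alternative (use instead of the "any" rule above): only the
! networks you actually own get translated, so a stray or spoofed source
! on the inside does not silently ride out behind the public address.
! object-group network INTERNAL-NETS
!  network-object 10.0.0.0 255.255.255.252
!  network-object 192.168.10.0 255.255.255.0
!  network-object 192.168.20.0 255.255.255.0
! nat (inside,outside) after-auto source dynamic INTERNAL-NETS interface
```

To check the result on the box, `show nameif` should list security level 0 against outside and 100 against inside, `show route` should show both 192.168.x.0/24 entries via 10.0.0.1, and `show nat detail` should show the after-auto rule with its translate hit counter. `packet-tracer input inside tcp 192.168.20.10 1025 8.8.8.8 80` walks a simulated packet through the route lookup, ACL and NAT phases and tells you at which phase a translation for a non-connected subnet is still being dropped.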