Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

A few ASA 8.4 config questions

I have a Internet-facing ASA5580 configured as the following. Can someone help me with a few config questions?

Outside IP: 192.100.100.2/24 (default gateway to 192.100.100.1)

Inside IP: 10.100.100.2, connecting to internal switch at 10.100.100.1

Internal network is in 10.0.0.0/8, including users and servers. Some servers will be static NAT'd and others will be PAT'd just like users.

1. Can I use multiple IP in 192.100.100.2/25 to PAT? for example PAT users in 10.100.0.0/16 to 192.100.100.10, PAT 10.110.0.0/16 to 192.100.100.11, and PAT servers in 10.120.0.0/16 to 192.100.100.12?

2. Can I use a different public subnet 192.100.101.0/24 to static NAT servers? No interfaces on ASA has IP in 192.100.101.0/24.

3. In relation to the last 2 questions, does NAT'd or PAT'd IP have to be in a subnet of any ASA interfaces or any public routable IP owned by me is ok?

4. HTTP inspection is in the default global inspection policy for TCP 80. Do I have to create a different policy to have inspection for HTTPS? I'm not sure if TCP inspection is in the global policy. If it is, I can just use that for HTTPS.

5. I have a internal subnet 10.50.100.1/24 allocated for remote VPN clients. If a user VPN in, then goes to Internet, his IP would be PAT'd like any other internal users. Is that right? I want to confirm there's nothing special I have to do in that case.

6. If some users want to be able to VPN into other companies from the internal network (via IPSec VPN or SSL VPN), what kind of access-list rules or NAT rules I need to check into?

Thanks a lot

2 REPLIES

A few ASA 8.4 config questions

Hello,

1. Can I use multiple IP in 192.100.100.2/25 to PAT? for example PAT users in 10.100.0.0/16 to 192.100.100.10, PAT 10.110.0.0/16 to 192.100.100.11, and PAT servers in 10.120.0.0/16 to 192.100.100.12?

Yes, You can do it using Policy Nat

2-Can I use a different public subnet 192.100.101.0/24 to static NAT servers? No interfaces on ASA has IP in 192.100.101.0/24.?

Yes, you can as soon as you configure the nat statement the ASA will start to proxy-arp those ip address not configured on any interface on the ASA.

3-In relation to the last 2 questions, does NAT'd or PAT'd IP have to be in a subnet of any ASA interfaces or any public routable IP owned by me is ok?

As I already said on my last answer, no, that is no need it.

4. HTTP inspection is in the default global inspection policy for TCP 80. Do I have to create a different policy to have inspection for HTTPS? I'm not sure if TCP inspection is in the global policy. If it is, I can just use that for HTTPS.

-The thing with HTTPS is that its traffic will be encrypted so the ASA will not be able to inspect some of the parameters included in the payload of each packet.

-By default the ASA will inspect the TCP and UDP protocols, the inspections that you see over this policy-map's is for additional parameters to check, additionals channels to be open,etc.

5-I have a internal subnet 10.50.100.1/24 allocated for remote VPN clients. If a user VPN in, then goes to Internet, his IP would be PAT'd like any other internal users. Is that right? I want to confirm there's nothing special I have to do in that case.

That is correct, but you will need to permit same-security intra-interface traffic for the U-turning traffic to work.

Also do a nat (outside,outside)

6-If some users want to be able to VPN into other companies from the internal network (via IPSec VPN or SSL VPN), what kind of access-list rules or NAT rules I need to check into?

There is a option to allow the VPN connections to bypass the ACL applied to a interface, you can see if its enabled by doing:

sh run all sysopt

If you see a syspot permit vpn-connections that will let you know that VPN connections (encrypted traffic that matches one of your tunnel-groups previously configured will be allowed by defautl so no concern for ACL's)

Do rate all the helpful posts from the support community.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

A few ASA 8.4 config questions

Thanks a lot Julio.

For remote VPN subnet, is it considered as attached to ASA outside interface or inside interface? It was a little confusing using nat (outside,outside) to PAT the VPN subnet when going to Internet.

My question #6 is actually about internal users using VPN to connect to other companies, not our remote users VPN to my ASA. I was wondering if I need to do anything special about that.

Thanks again

Gary

259
Views
0
Helpful
2
Replies
CreatePlease to create content