Cisco Support Community
New Member

ASA 5510 internet access for secondary internal network

I have an ASA 5510 with 1 outside interface configured and 1 inside interface 172.16.1.1. There is an MPLS router on the inside that routes to several different locations. My phone system is on the inside but runs on the 192.168.1.0 network and it needs access to the internet.

From the phone network I can ping the MPLS router 192.168.1.1 and the firewall 172.16.1.194 but cannot get internet.

I had to add this route to the firewall to be able to ping it from the phone network:

route inside 192.168.1.0 255.255.255.0 172.16.1.191 (MPLS router)

I think that it might be an issue with NAT and tried adding an inside,inside NAT rule, but I probably did it wrong.

Any help would be appreciated.

Accepted Solutions
Super Bronze

Hi,

We would really need to see the NAT configurations or at least know the current software version of the firewall.

But to give you an example

Software Level 8.2 and below

You might have an existing basic Dynamic PAT configuration like below

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

To enable Dynamic PAT for the other local networks you could simply add

nat (inside) 1 192.168.1.0 255.255.255.0

Software Level 8.3 and above

You could configure Dynamic PAT for all your internal networks with

nat (inside,outside) after-auto source dynamic any interface

Or if you want to specify the networks specifically and allow the source addresses from multiple source interfaces on a single command, then you could use

object-group network PAT-SOURCE
     network-object 172.16.1.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

- Jouni

2 REPLIES
New Member

That fixed it.

object network PHONES
     subnet 192.168.1.0 255.255.255.0
     nat (inside,outside) dynamic interface
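
An added example, not part of the original thread: a small Python audit that lists networks reachable through the inside interface (connected or via `route inside`) that no dynamic PAT rule covers, which is the gap this thread ran into. The function names and the sample configuration are constructed for illustration; only the pre-8.3 `nat`/`global` pair and 8.3+ object NAT are parsed, not twice-NAT rules such as the `after-auto` forms above.

```python
import ipaddress

# Constructed sample (not the poster's real config): the thread's addressing
# with a pre-8.3 PAT rule that covers only the connected inside subnet.
SAMPLE = """\
interface Ethernet0/1
 nameif inside
 ip address 172.16.1.1 255.255.255.0
!
route inside 192.168.1.0 255.255.255.0 172.16.1.191
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def unpatted(config):
    """Return inside-side networks that no parsed dynamic PAT rule covers."""
    inside, covered, objects, natted = [], [], {}, set()
    lines = config.splitlines()
    # NAT ids that have a matching 'global (outside) <id>' (8.2 and below)
    pools = {l.split()[2] for l in lines if l.startswith("global (outside) ")}
    top, is_inside = [], False
    for line in lines:
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():            # top-level command, new context
            top, is_inside = w, False
            if w[:2] == ["route", "inside"]:
                inside.append(net(w[2], w[3]))
            elif (w[:2] == ["nat", "(inside)"] and len(w) >= 5
                  and w[2] in pools and w[3][0].isdigit()):
                covered.append(net(w[3], w[4]))
        elif top[:1] == ["interface"]:
            if w == ["nameif", "inside"]:
                is_inside = True
            elif w[:2] == ["ip", "address"] and is_inside:
                inside.append(net(w[2], w[3]))
        elif top[:2] == ["object", "network"]:
            if w[0] == "subnet":
                objects[top[2]] = net(w[1], w[2])
            elif w[:3] == ["nat", "(inside,outside)", "dynamic"]:
                natted.add(top[2])           # resolved after the loop
    covered += [objects[n] for n in natted if n in objects]
    return [str(n) for n in inside if not any(n.subnet_of(c) for c in covered)]

if __name__ == "__main__":
    print(unpatted(SAMPLE))
```

Object NAT is resolved after the loop because a saved configuration can show an object's `subnet` and its `nat` line in separate `object network` stanzas.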
