New Member

ASA 9.1 Nat internal Subnet to another External IP

I'm very new to the 9.1 code and struggling with the new NAT translation. I'll try to explain as best I can what I'm wanting to do. For testing I can do everything via CLI or ASDM, but in the end I will have to convert any command over to Cisco Security Manager because that is what we use to manage all our firewalls.

Currently we have a public IP address, let's say x.x.x.5. I have another public IP x.x.x.6 that I want all my internal workstations to use for going out to the Internet. Basically, when I go to whatsmyip from a workstation I want it to show x.x.x.6.

Normally in 8.2 code I would use a pool on the public interface with x.x.x.6 and assign the internal subnets to it. However, in 9.1 code it's not as simple, at least from what I'm seeing.

What I would like to do is something like this:

     Private Interface subnet 172.28.0.0 (LAN1) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)

     Private Interface subnet 172.27.0.0 (LAN2) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)

Here is my current nat:

nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat

Here is the packet-tracer output, and as you can see in Phase 3 NAT bypasses my rule and uses per-session.

firewall01# packet-tracer input private tcp 172.28.2.1 1024 8.8.8.8 2334

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         public

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_private in interface private
access-list CSM_FW_ACL_private extended permit ip object Server_Vlan any4
access-list CSM_FW_ACL_private remark Allow All Traffic on the Internet Vlan outbound
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPSTraffic
match any
policy-map CSM_PM_1
class IPSTraffic
  ips inline fail-open
service-policy CSM_PM_1 interface public
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244, packet dispatched to next module

Result:
input-interface: private
input-status: up
input-line-status: up
output-interface: public
output-status: up
output-line-status: up
Action: allow

Any help would be appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

ASA 9.1 Nat internal Subnet to another External IP

Here is the correct configuration:

enable

config t

no nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat

object network Public_Nat_6

host X.X.X.6

nat (private,public) after-auto source dynamic any Public_Nat_6

Value our effort and rate the assistance!
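Why the poster's rule never matched Internet-bound traffic, and why the after-auto rule does, shown as an added Python model of the ASA 9.x NAT table lookup order (a constructed example, not Cisco's code or the answerer's; the 203.0.113.x addresses stand in for x.x.x.5 and x.x.x.6, and the section 2 server rule is an assumption used only to show that after-auto leaves existing object NAT untouched):

```python
from ipaddress import ip_address, ip_network

# Placeholders for the thread's x.x.x.5 / x.x.x.6 (documentation range, constructed).
PUBLIC_5 = "203.0.113.5"
PUBLIC_NAT_6 = "203.0.113.6"


def _match(rule, src, dst):
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"]))


def translate(rules, src, dst):
    """Walk the NAT table in the order ASA 9.x evaluates it: section 1 (manual
    twice NAT), section 2 (object/auto NAT), section 3 (manual 'after-auto').
    First match wins; with no match the packet leaves with its source unchanged,
    which is what the poster's packet-tracer showed (per-session only)."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule["section"] == section and _match(rule, src, dst):
                xlate = src if rule["xlate"] == "identity" else rule["xlate"]
                return rule["name"], xlate
    return "no-match", src


# The poster's rule: identity NAT for LAN1, but only for traffic *to* Public_Nat.
ORIGINAL = [
    {"section": 1, "name": "LAN1->LAN1 dst Public_Nat",
     "src": "172.28.0.0/16", "dst": PUBLIC_NAT_6 + "/32", "xlate": "identity"},
]

# Accepted solution: after-auto dynamic PAT of any source to Public_Nat_6.
# The section 2 entry is an ASSUMED static object NAT for a server published
# on x.x.x.5; it is not in the thread, but shows that such rules still win.
FIXED = [
    {"section": 2, "name": "object NAT server -> x.x.x.5 (assumed)",
     "src": "172.28.10.10/32", "dst": "0.0.0.0/0", "xlate": PUBLIC_5},
    {"section": 3, "name": "after-auto any -> Public_Nat_6",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "xlate": PUBLIC_NAT_6},
]

if __name__ == "__main__":
    # Same flow the poster fed to packet-tracer: 172.28.2.1 -> 8.8.8.8.
    print(translate(ORIGINAL, "172.28.2.1", "8.8.8.8"))  # ('no-match', '172.28.2.1')
    print(translate(FIXED, "172.28.2.1", "8.8.8.8"))     # LAN1 now leaves as x.x.x.6
    print(translate(FIXED, "172.27.5.5", "8.8.8.8"))     # LAN2 too, no extra rule needed
    print(translate(FIXED, "172.28.10.10", "8.8.8.8"))   # assumed object NAT still wins
```

On the real firewall, rerun the same packet-tracer command after the change; the NAT phase should then list the after-auto nat line under Config instead of showing only the per-session subtype.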
3 REPLIES
New Member

ASA 9.1 Nat internal Subnet to another External IP

Jumora,

Thank you for the quick reply, I have tried your config and it looks like you have put me on the right track.  Really appreciate the help!

Silver

ASA 9.1 Nat internal Subnet to another External IP

I am sorry, but I am not CSM knowledgeable. If you can reverse-engineer it, the configuration should be something similar to what you see in ASDM. Regarding the objects, I would suggest keeping them separate.

Value our effort and rate the assistance!