Cisco Support Community

Community Member
ASA NAT question

Dear Sir,

I have a question regarding NAT on a Cisco ASA firewall, version 7.2.

I want to add an ASA 5520 to my existing network; the purpose of this device is to perform only NAT to a server inside my network.

PIX 515 -----
             |
ASA 5520 ---- Cisco 6509 Switch

The problem is that the default route in the Cisco 6509 is the PIX 515, and I will not be able to configure an additional default gateway to be the ASA 5520.

I am thinking of configuring NAT to translate the source of the traffic that enters the ASA from the internet to a private pool, so I can configure a static route to this pool in the 6509 switch.

So, is it possible to do that?

In other words, the purpose of the NAT will be:

1) Allow the external users to access the server from the internet (publish the server to a real IP)

2) Translate the source of the external users to an internal pool

Accepted Solution
Silver

Re: ASA NAT question

YW ..

->> Is it secure to translate from outside to inside?

Sure, not an issue.

Regards,

Vibhor.

6 REPLIES
Community Member

Re: ASA NAT question

The network will be as follows:

PIX ---------
             |-- 6509
ASA ---------

Silver

Re: ASA NAT question

I think your network is like this:

----Internet----
|              |
ASA            PIX
|-----6509-----|
       |
     Server

Assuming the server's private IP is x.x.x.x and the public IP mapping is to y.y.y.y, you can apply the following commands on the ASA:

static (inside,outside) y.y.y.y x.x.x.10
access-list outin permit tcp any host y.y.y.y eq 80
access-group outin in interface outside
//Assuming that the inside server is a webserver, else change the ACL accordingly.
access-list nat-outside permit ip any host y.y.y.y
nat (outside) 10 access-list nat-outside outside
global (inside) 10 x.x.x.20

Now anyone trying to access the x.x.x.10 server through the ASA will get translated to x.x.x.20, and replies will go through the ASA. Hope this helps.

Regards,

Vibhor.

Community Member

Re: ASA NAT question

Thank you for your concern.

Assume the real server IP is 1.2.3.4

Server IP: 172.16.1.10

Internal pool: 192.168.1.0/24

Now I want that when a user on the internet tries to access the internal server, the source IP of the packets entering the ASA is translated to 192.168.1.0/24, and the destination is translated to 172.16.1.10.

So on the 6509 I can configure a static route to 192.168.1.0/24 through the ASA.

Silver

Re: ASA NAT question

The following will translate the server from its real IP of 1.2.3.4 to 172.16.1.10 on the outside interface:

static (inside,outside) 172.16.1.10 1.2.3.4

Outside users, when trying to access 172.16.1.10, will get translated to 192.168.1.0-254 addresses:

access-list nat-outside permit ip any host 172.16.1.10
nat (outside) 10 access-list nat-outside outside
global (inside) 10 192.168.1.1-192.168.1.253
global (inside) 10 192.168.1.254

HTH.

Regards,

Vibhor.
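For readers following the thread, here is the complete pre-8.3 (7.2 syntax) configuration for the setup being discussed, on both the ASA and the 6509, as an added example that is not from the thread or from Cisco documentation. It reads the asker's "real IP" 1.2.3.4 as the public address and 172.16.1.10 as the server's private address (the opposite reading only swaps the two arguments of the static command, as the comment notes). The interface names "inside" and "outside", the ASA inside address 172.16.0.1 and the 6509 address 172.16.0.2 are constructed assumptions.

```cisco
! ASA 5520, software 7.2 syntax. Added example, not the thread's own config.
! Assumed addressing (constructed): ASA inside interface 172.16.0.1,
! Catalyst 6509 SVI 172.16.0.2, public address 1.2.3.4 published to
! internal web server 172.16.1.10, outside-NAT pool 192.168.1.0/24.
!
! 1) Publish the server. Argument order is:
!    static (real_ifc,mapped_ifc) mapped_ip real_ip
!    so the public address comes first and the private address second.
static (inside,outside) 1.2.3.4 172.16.1.10 netmask 255.255.255.255
!
! 2) Interface ACL. Outside NAT does not replace the ACL: only what this
!    list permits is allowed in, so permit just the published service.
!    Pre-8.3 ACLs on the outside interface match the mapped (public) address.
access-list outin extended permit tcp any host 1.2.3.4 eq 80
access-group outin in interface outside
!
! 3) Outside (policy) NAT: rewrite the Internet source address into the
!    private pool so the 6509 needs a single static route back to the ASA
!    and can keep its default route on the PIX. The single /32 global is
!    the PAT fallback once the dynamic range is exhausted.
access-list nat-outside extended permit ip any host 1.2.3.4
nat (outside) 10 access-list nat-outside outside
global (inside) 10 192.168.1.1-192.168.1.253 netmask 255.255.255.0
global (inside) 10 192.168.1.254 netmask 255.255.255.255
!
! Verification on the ASA after a test connection from the outside:
!   show xlate            -> one entry 1.2.3.4 -> 172.16.1.10 (static) and
!                            one outside->192.168.1.x entry per client
!   show access-list outin -> hit counts on the permit line only

! Catalyst 6509 (IOS). Only the translated pool is routed to the ASA;
! the default route stays on the PIX.
ip route 192.168.1.0 255.255.255.0 172.16.0.1
```

Because the server only ever sees addresses from 192.168.1.0/24, its own logs will not show the real client address; the ASA's xlate table and syslog are where the client-to-pool mapping has to be recorded if that attribution is needed later.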

Community Member

Re: ASA NAT question

Thank you Vibhor,

Is it secure to translate from outside to inside?

Regards
