ASA5520 nat questions

Office network (INSIDE) needs to access lab network (OUTSIDE)

---- and ----

Lab network (OUTSIDE) needs to access office network (INSIDE)

NOTE: The lab network resides inside the office network but its hosts are considered "high risk", therefore they're placed on the OUTSIDE interface (least secure).

Requirement:

Permit ALL outside hosts (behind the firewall) to have a NAT'd address to inside

inside ip space avail: 172.16.186.0 /23

outside ip space avail: 10.25.186.0 /23

inside interface ip: 172.16.186.2 /23

(172.16.186.1 assigned to L3 switch routed interface)

outside interface ip: 10.25.186.1 /23

Q1: Is this the correct NAT statement?

global (outside) 2 interface

global (inside) 1 interface

nat (outside) 1 10.25.186.0 255.25.254.0 outside

nat (inside) 2 0.0.0.0 0.0.0.0

Q2: Is this the correct static statement to create one-to-one NAT for each host?

static (inside,outside) 10.25.186.0 172.16.186.0 255.255.254.0

Q3: Do I need to list EVERY outside host in an object-group if I want to assign an ACL to the entire IP range?

-- or --

Can I just do something like this:

object-group network outside_users

network-object 10.25.186.0 255.255.254.0

Q4: Is there a simpler way to do this?

1 REPLY

Re: ASA5520 nat questions

Your config sounds good.

And about Q3, you can use the

object-group network outside_users

network-object 10.25.186.0 255.255.254.0

good luck
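
Added example, not part of the original posts and not Cisco code: a small Python lint that checks the netmask field of the pre-8.3 style `nat`/`static`/`network-object` lines quoted in this thread, and computes the host-by-host translation that a network `static` of this form implies. The function names are hypothetical, and treating the last IPv4 token on a line as its mask is an assumption that fits the lines shown here.

```python
import ipaddress

# Configuration lines copied from the thread above (pre-8.3 ASA syntax).
THREAD_LINES = """\
global (outside) 2 interface
global (inside) 1 interface
nat (outside) 1 10.25.186.0 255.25.254.0 outside
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 10.25.186.0 172.16.186.0 255.255.254.0
network-object 10.25.186.0 255.255.254.0
"""

def ipv4_tokens(line):
    """Return every whitespace-separated token that parses as a dotted quad."""
    found = []
    for tok in line.split():
        try:
            found.append(ipaddress.IPv4Address(tok))
        except ValueError:
            pass  # keywords, NAT ids, interface names
    return found

def is_contiguous_mask(mask):
    """A valid netmask is a run of 1-bits followed only by 0-bits."""
    inverted = ~int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def lint_masks(config):
    """Flag lines whose last IPv4 token (assumed to be the mask) is not a netmask."""
    findings = []
    for line in config.splitlines():
        addrs = ipv4_tokens(line)
        if len(addrs) >= 2 and not is_contiguous_mask(addrs[-1]):
            findings.append((line.strip(), str(addrs[-1])))
    return findings

def static_map(mapped_net, real_net, mask, real_host):
    """Translate one real host through a network static: same host offset in the mapped range."""
    real = ipaddress.IPv4Network(f"{real_net}/{mask}")
    mapped = ipaddress.IPv4Network(f"{mapped_net}/{mask}")
    host = ipaddress.IPv4Address(real_host)
    if host not in real:
        raise ValueError(f"{host} is outside {real}")
    return str(mapped.network_address + (int(host) - int(real.network_address)))

if __name__ == "__main__":
    for line, mask in lint_masks(THREAD_LINES):
        print(f"bad netmask {mask!r} in: {line}")
    print(static_map("10.25.186.0", "172.16.186.0", "255.255.254.0", "172.16.187.20"))
```
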
