11-11-2014 09:54 PM - edited 03-11-2019 10:03 PM
Hello,
I am planning to deploy an ASA, but there is a problem: some users have private IPs and require NAT to the Internet, while others use public IPs that will be assigned directly to the user.
I would like to check: is it possible to manage them with a single interface?
Or do I need to deploy it with 2 interfaces, one for NAT and another to handle the WAN-IP users?
Thanks!
11-11-2014 10:39 PM
Yes, they can be managed using a single WAN interface.
For example, the ASA interface IP 1.1.1.1 can be used for PAT, and extra IPs 1.1.1.2 and 1.1.1.3 can be used for one-to-one NAT.
Thanks,
Prashant Joshi
11-12-2014 12:31 AM
Hello,
Thanks for your comment. Yes, older versions of the ASA, or other brands of firewall, were able to provide secondary interfaces as a gateway. (I may need to open another topic later on, as I have many different subnets with different VLANs.)
Let me be clearer about the network setup.
Three groups of IP ranges:
a. WAN IP - used as the gateway to the router
b. Production WAN IP range - used to assign to users or servers
c. Private IP range - internal users
Requirement:
Internal users with the private IP range require access to the Internet, but there is no need to map 1-to-1 NAT, and the external Internet should not be able to directly access the private LAN.
Question:
Do I now require 3 interfaces? 1 for WAN, 1 as a DMZ and 1 for INSIDE?
Thanks!
11-12-2014 02:16 AM
Hi,
This should be possible by creating the interfaces on the ASA and configuring interface PAT on the ASA for the two internal private subnets for Internet access.
Now, that depends on which version you are on.
For ASA 8.2 and below:
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
For ASA 8.3+:
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj-0.0.0.0-1
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,outside) dynamic interface
Let me know if you have any other queries.
Thanks and Regards,
Vibhor Amrodia
11-12-2014 09:12 PM
Hi,
Thanks, I think PAT should work for me.
But I have a range of IPs which use Internet IPs and need no network translation. Can that still work on the same interface?
Thanks!
11-12-2014 09:17 PM
Hi,
Yes, you can use Exempt NAT for those IPs:
For example:
object network obj-x.x.x.x
 subnet x.x.x.x x.x.x.x
nat (inside,outside) source static obj-x.x.x.x obj-x.x.x.x
Thanks and Regards,
Vibhor Amrodia
11-11-2014 11:12 PM
Hi,
So you are saying that you would have LAN users in both private and public subnets? Have you previously used a router as the gateway for those subnets, or what is the situation?
A Cisco router can handle a "secondary" address on its interface, while the ASA cannot. In some older versions it was possible to configure the ASA so that it could act as a gateway for different subnets on a single interface, but as that is not possible anymore, it is not really an option to use older ASA software just for this purpose.
So as I said, if the situation is that you have 2 LAN subnets (private and public), you would either have to have their gateways configured on an actual router or have them on separate ASA interfaces.
Though you did not mention whether the public subnet meant for the users is the only public subnet allocated to you, or whether you have another public subnet on the WAN edge of the ASA. If you do not have any other public subnet, then you would have to further subnet the existing subnet, which would enable you to split one part of the public address space to the actual users and one to the WAN interface of the ASA. And since in that case the next-hop device from the ASA would most likely be an ISP device, you would also have to work with them to make sure that they use the same subnet between them and your ASA, and also route the other (split) subnet towards your ASA WAN interface IP address, so that connections for the LAN users in the public subnet would also work.
With regard to the ASA NAT configuration, the most important thing in new software levels (8.3+) is that you make sure there is no NAT configuration that would perform NAT for the public subnet, so they can connect to the Internet directly with their actual configured IP addresses.
Let me know if I understood something wrong.
Hope this helps :)
- Jouni
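Putting the two replies above together (interface PAT for the private users, identity NAT for the users with routable addresses, and Jouni's point that nothing may translate the public subnet), here is a complete ASA 8.3+ configuration for the three-interface layout discussed in the thread. This is an added example, not configuration posted by anyone in the thread. The interface names inside, dmz and outside come from the thread; the object names, physical interface numbers and all addresses (documentation prefixes 10.0.0.0/24, 198.51.100.0/24 and 203.0.113.0/30) are assumptions chosen for illustration.

```text
! Added example, not from the thread. Assumed: "inside" carries the private users
! (10.0.0.0/24), "dmz" carries the users with routable addresses (198.51.100.0/24),
! "outside" holds the ASA WAN address (203.0.113.2/30, ISP next hop 203.0.113.1).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
object network PRIVATE-LAN
 subnet 10.0.0.0 255.255.255.0
object network PUBLIC-LAN
 subnet 198.51.100.0 255.255.255.0
!
! Section 1 (manual/twice NAT) is evaluated before Section 2 (object NAT), so this
! identity rule guarantees the routable hosts leave with their own source addresses,
! whatever object NAT rules are added later.
nat (dmz,outside) source static PUBLIC-LAN PUBLIC-LAN
!
! Section 2 (object NAT): private users share the outside interface address via PAT.
object network PRIVATE-LAN
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Verification after applying:
!   show nat detail
!   packet-tracer input dmz tcp 198.51.100.10 40000 192.0.2.1 80
!     (Phase NAT should show the identity rule; source stays 198.51.100.10)
!   packet-tracer input inside tcp 10.0.0.10 40000 192.0.2.1 80
!     (source should be translated to 203.0.113.2)
```

Nothing here allows the Internet to initiate connections into either LAN: the default security levels (100 and 50 above 0) permit only outbound traffic, and no access-list is applied to outside. As Jouni notes, this only works end to end if the ISP routes 198.51.100.0/24 to 203.0.113.2; the ASA cannot make the upstream router do that. On 8.2 and earlier, the equivalent of the identity rule is `nat (dmz) 0 198.51.100.0 255.255.255.0` alongside the `nat (inside) 1 0 0` / `global (outside) 1 interface` pair shown earlier in the thread.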