
Dynamic NAT - Outside Interface. Is it possible?

cavemanbobby
Level 1

I have a web server on our inside network (10.15.20.20) that I'd like to have receive responses from a /29 block of external IP addresses within my outside interface's IP block. So basically I'd like any web traffic that hits 222.222.222.176/29 automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?

I can get it to work with a 1-to-1 Static NAT translated/redirected to 10.15.20.20. But I can't seem to get that /29 to translate to the inside address. I've tried Dynamic Policy NAT, Dynamic NAT, with access list config attempts, but it just doesn't want to take.

I'm hearing rumblings that it's not possible, to which I'd be surprised as this is possible on other vendor's firewalls.

I attached my config with clear examples of what might be a futile attempt :)

Any thoughts would be appreciated.

6 Replies

Jon Marshall
Hall of Fame

Robert

If I understand you correctly, have a look at this thread -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB?cmd=pass_through&location=outline@^1@@.2cd2616a/6#selected_message

If I have misunderstood please let me know.

Jon

As you said "So basically I'd like any web traffic that hits 222.222.222.176/29 automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?"

So you want anyone who hits 222.222.222.176 to get translated to 10.15.20.20. If that is correct,

you need

ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20

svaish,

Thank you for your response. I tried doing that, but it won't let me give a netmask of 255.255.255.248 after my 222.222.222.176, which would fulfill my /29 external IP requirement.

Doing

ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20

will only give me that one IP (.176) translated externally to the inside.

I needed all six IPs on the outside translated to one inside address.

I'll continue to plug away.

Cheers.

You understood correctly and thank you for the link. I had actually seen that thread earlier and from what it seems, I'm going to have to go that route.

I was trying to avoid having to create separate access lists for each as one of my requirements is going to be to have a complete /27 external IP to a single internal IP. That, from what I understand, is going to be 30 separate access lists. A bit tedious, but certainly doable.

Many thanks.

YOUR PUBLIC IP

222.222.222.176

222.222.222.177

222.222.222.178

222.222.222.179

222.222.222.180

222.222.222.181

222.222.222.182

YOUR inside server = 10.15.20.20

Configuration required

Create six different access lists like this:

access-list a1 line 1 extended permit ip host 10.15.20.20 any

access-list a2 line 1 extended permit ip host 10.15.20.20 any

access-list a3 line 1 extended permit ip host 10.15.20.20 any

access-list a4 line 1 extended permit ip host 10.15.20.20 any

access-list a5 line 1 extended permit ip host 10.15.20.20 any

access-list a6 line 1 extended permit ip host 10.15.20.20 any

Apply the static commands:

static (Inside,outside) 222.222.222.176 access-list a1

static (Inside,outside) 222.222.222.177 access-list a2

static (Inside,outside) 222.222.222.178 access-list a3

static (Inside,outside) 222.222.222.179 access-list a4

static (Inside,outside) 222.222.222.180 access-list a5

static (Inside,outside) 222.222.222.181 access-list a6

May Help!
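As an added illustration, not code from any of the posters: a small Python generator for the per-address access-list plus policy static pairs shown above, which also covers the /27 case Robert mentions (thirty addresses) rather than only the /29. The pre-8.3 ASA syntax is the one used in the thread; the skip_edges default, the acl_prefix/interface names and the optional outside-subnet check are my assumptions.

```python
import ipaddress
from typing import List, Optional


def outside_addresses(block: str, skip_edges: bool = True) -> List[str]:
    """Outside addresses in the block that should map to the inside server.

    skip_edges drops the first and last address of the block (the network and
    broadcast addresses when the block is a subnet in its own right). That matches
    the counts in the thread: six for a /29, thirty for a /27. Pass skip_edges=False
    when the block is a slice carved out of a larger outside subnet and every
    address in it is really yours.
    """
    net = ipaddress.ip_network(block, strict=True)
    addrs = net.hosts() if skip_edges else net
    return [str(a) for a in addrs]


def policy_static_nat(block: str, inside_host: str, *, acl_prefix: str = "a",
                      inside_if: str = "inside", outside_if: str = "outside",
                      outside_subnet: Optional[str] = None,
                      skip_edges: bool = True) -> List[str]:
    """Return pre-8.3 ASA config lines: one extended ACL matching the inside
    server to any destination, and one policy static binding that ACL to a
    single outside address, repeated for every address in the block."""
    server = ipaddress.ip_address(inside_host)
    net = ipaddress.ip_network(block, strict=True)
    if server in net:
        raise ValueError("inside host must not sit inside the outside block")
    # Optional sanity check: the block has to lie within the outside interface's subnet.
    if outside_subnet is not None and not net.subnet_of(ipaddress.ip_network(outside_subnet)):
        raise ValueError(f"{block} is not inside the outside interface subnet {outside_subnet}")
    acls, statics = [], []
    for n, outside_ip in enumerate(outside_addresses(block, skip_edges), start=1):
        acl = f"{acl_prefix}{n}"
        acls.append(f"access-list {acl} line 1 extended permit ip host {server} any")
        statics.append(f"static ({inside_if},{outside_if}) {outside_ip} access-list {acl}")
    # ACLs first, so every static refers to an ACL that already exists when pasted in order.
    return acls + statics


if __name__ == "__main__":
    # Constructed example using the thread's addresses.
    print("\n".join(policy_static_nat("222.222.222.176/29", "10.15.20.20",
                                      outside_subnet="222.222.222.0/24")))
```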

Stuart Hare
Level 1

If you're trying to do an outside-to-inside dynamic NAT then yes, this is possible.

You need to use the outside keyword at the end of your nat statement to tell the device it's outside NAT.

hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

outside: If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.

Check out the link below; it may be of assistance.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/cfgnat.html

Hopefully I have understood you :)

HTH

Stu
