Help with "global" and "NAT"

mx
Level 1

Hi. This is going to be a stupid question, and I do apologize, but I guess this is the place to learn :)

I'm OK in setting up an ASA 99% but I *ALWAYS* get stuck on the global and nat statements. I have looked around for good explanations on it but I'm not coming up with much. Cisco's site was so slow yesterday I eventually gave up.

I went to Borders and bought the new ASA book ($75) and it doesn't even cover it!

Thanks in advance for any pointers, I appreciate it.

Bob

Accepted Solutions

Jon Marshall
Hall of Fame

Hi Bob

No need to apologize, this is what NetPro is for.

A few examples might help

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The nat statement says that all IP addresses (0.0.0.0 0.0.0.0) received on the inside interface need to be natted. The index number (1 in this example) ties it together with the global statement.

The global statement says to nat all addresses to the outside interface address of the ASA.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 2 interface

Note that the index number is important - in the above example no inside addresses would be natted because there is no corresponding global address.

nat (inside) 2 192.168.5.0 255.255.255.0

global (outside) 2 62.7.19.4

A few things have changed in the above example.

1) The index number is now 2. This is just to show you don't have to use index number 1 all the time.

2) Instead of matching all hosts in the nat statement we are now matching all hosts in the class C subnet 192.168.5.0/24. You can be as precise or as wide open as you want in what you use in the nat statement.

3) Instead of using the interface address we are now using a separate address in the global statement. As long as this address is routable on the internet to your ASA this will work.

This is a very brief overview of nat/global. Please come back with any more questions.

HTH

Jon
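
The index pairing described in the answer above can be checked mechanically. The following Python sketch is an added example, not part of the original posts and not Cisco tooling: it parses nat/global lines of the form shown in the thread and lists nat rules that have no global with the same index. The function names and the sample configuration (assembled from the answer's own lines) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the unpaired nat 1 and the paired nat/global 2 from the answer.
SAMPLE = """\
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.5.0 255.255.255.0
global (outside) 2 62.7.19.4
"""

LINE = re.compile(r"^(nat|global) \((\S+)\) (\d+) (\S+)(?: (\S+))?")

def parse(config):
    """Return (nats, globals_by_index) from nat/global lines as shown in the thread."""
    nats, globals_ = [], {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, iface, idx, arg1, arg2 = m.groups()
        if kind == "global":
            # arg1 is an address, a range, or the keyword "interface"; kept as text.
            globals_.setdefault(int(idx), []).append((iface, arg1))
            continue
        try:
            net = ipaddress.ip_network(f"{arg1}/{arg2}", strict=False)
        except ValueError:
            continue  # not a "network mask" form (e.g. access-list based), skipped
        nats.append((iface, int(idx), net))
    return nats, globals_

def unpaired_nats(config):
    """nat rules whose index has no global statement with the same index."""
    nats, globals_ = parse(config)
    # Index 0 means "do not translate" in this syntax, so it needs no global.
    return [n for n in nats if n[1] != 0 and n[1] not in globals_]

def translations_for(config, src):
    """(index, global address) for every paired nat rule that matches src."""
    nats, globals_ = parse(config)
    addr = ipaddress.ip_address(src)
    return [(idx, g) for _, idx, net in nats if addr in net
            for _, g in globals_.get(idx, [])]

if __name__ == "__main__":
    for iface, idx, net in unpaired_nats(SAMPLE):
        print(f"nat ({iface}) {idx} {net}: no global with index {idx}")
    print(translations_for(SAMPLE, "192.168.5.10"))
    print(translations_for(SAMPLE, "10.0.0.5"))
```

On the sample, a host in 192.168.5.0/24 is paired with 62.7.19.4, while a host such as 10.0.0.5 matches only the index 1 rule and gets no translation.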


timkaye
Level 1

Hello.

Check out the command references.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

There are really good (IMHO anyway) explanations of how and when to use the static statements along with the NAT and Globals.

Tim

Thank you both VERY much. Extremely helpful! It seems it's less voodoo than I thought, mostly because it was never explained to me very well. I really appreciate it. I'm keeping those docs and your explanation on a text file on my desktop until I know it cold.

Thank you again.

Bob
