Cisco Support Community

mx
New Member

Help with "global" and "NAT"

Hi. This is going to be a stupid question, and I do apologize, but I guess this is the place to learn :)

I'm OK in setting up an ASA 99% but I *ALWAYS* get stuck on the global and nat statements. I have looked around for good explanations on it but I'm not coming up with much. Cisco's site was so slow yesterday I eventually gave up.

I went to Borders and bought the new ASA book ($75) and it doesn't even cover it!

Thanks in advance to any pointers, I appreciate it.

Bob

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Help with "global" and "NAT"

Hi Bob

No need to apologize, this is what NetPro is for.

A few examples might help

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The nat statement says that all IP addresses (0.0.0.0 0.0.0.0) received on the inside interface need to be natted. The index number (1 in this example) ties it together with the global statement.

The global statement says to nat all addresses to the outside interface address of the ASA.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 2 interface

Note that the index number is important - in the above example no inside addresses would be natted because there is no corresponding global address.

nat (inside) 2 192.168.5.0 255.255.255.0

global (outside) 2 62.7.19.4

A few things have changed in the above example.

1) The index number is now 2. This is just to show you don't have to use index number 1 all the time.

2) Instead of matching all hosts in the nat statement we are now matching all hosts in the class C subnet 192.168.5.0/24. You can be as precise or as wide open as you want in what you use in the nat statement.

3) Instead of using the interface address we are now using a separate address in the global statement. As long as this address is routable on the internet to your ASA this will work.

This is a very brief overview of nat/global. Please come back with any more questions.

HTH

Jon
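
The index pairing described in the answer above can be checked mechanically. The following is an added example, not part of the original thread and not Cisco code: a small Python audit that pairs `nat` and `global` lines by index number and reports any `nat` with no matching `global`. The sample config is constructed from the thread's statements plus one extra `global` (id 3, a documentation address); the function names are hypothetical, and only the address/mask form of `nat` is handled.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

# Constructed sample: the thread's statements plus one extra global (id 3).
SAMPLE = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 interface
nat (inside) 2 192.168.5.0 255.255.255.0
global (outside) 2 62.7.19.4
global (outside) 3 203.0.113.10
"""

def parse(config):
    """Collect nat rules and global pools, both keyed by their index number."""
    nats, pools = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            iface, idx, addr, mask = m.groups()
            try:  # dotted mask -> prefix length (0.0.0.0 -> /0)
                plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
                net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            except ValueError:
                continue  # not the address/mask form (e.g. access-list); skipped
            nats.append((int(idx), iface, str(net)))
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m[2]), []).append((m[1], m[3]))
    return nats, pools

def audit(config):
    """Pair nat and global statements by index and report the mismatches."""
    nats, pools = parse(config)
    report = {"translated": [], "nat_without_global": [], "global_without_nat": []}
    for idx, iface, net in nats:
        if idx == 0:
            continue  # id 0 is identity NAT (no translation), so it needs no global
        if idx in pools:
            report["translated"].append((idx, iface, net, pools[idx]))
        else:
            report["nat_without_global"].append((idx, iface, net))
    used = {idx for idx, _, _ in nats}
    report["global_without_nat"] = sorted(i for i in pools if i not in used)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, `nat` id 1 is reported under `nat_without_global`, which is the mismatch case from the second example in the answer.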

3 REPLIES
New Member

Re: Help with "global" and "NAT"

Hello.

Check out the command references.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

There are really good (IMHO anyway) explanations of how and when to use the static statements along with the NAT and Globals.

Tim

mx
New Member

Re: Help with "global" and "NAT"

Thank you both VERY much. Extremely helpful! It seems it's less voodoo than I thought, mostly because it was never explained to me very well. I really appreciate it. I'm keeping those docs and your explanation on a text file on my desktop until I know it cold.

Thank you again.

Bob
