We have yet another network install using an ISP that offers DHCP through a cable modem for our external WAN interface.
I'm good with the DHCP commands on the external interface, as in ip address dhcp setroute
My question - is there a way to set up NAT to use this one DHCP public address for all the NAT devices and servers we have? If so, is there any documentation, video or config file for doing this?
I'm not sure what's required after we set the external interface to use DHCP from our ISP; any help or guidance will help.
Do you mean how to configure Dynamic PAT so that all LAN users can access the Internet?
That naturally depends on your software version of the ASA
8.2 and below
global (outside) 1 interface
nat (inside) 1 <network> <mask>
8.3 and above
object-group network DEFAULT-PAT-SOURCE
 network-object <network> <mask>
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
- Jouni, my friend
No - we have only one public IP address given to us by our Time Warner ISP. We have several servers we plan to NAT to the outside, but we can't assign each a separate public address when we set up NAT, or when we set up the object for each server.
Do you know of any way possible to have all servers use the WAN interface ISP DHCP address, giving users on the outside access to our web servers?
Also, is it possible to do remote VPN for our users with the WAN interface configured with DHCP?
Thank you Sir
Well the first problem with this case is the fact that you have a DHCP IP address from the ISP. So it might change every now and then, though in some cases it might stay the same for a long time.
I guess you can use Dynamic DNS to help you with that but I have not personally had the need to set one up ever so I am not sure if I can help you much with that. Though there are numerous resources for that if you look around the Internet.
You can naturally use Static PAT to forward certain ports to your multiple servers using the single public IP address.
The thing is, you can use the same public port twice in the configuration. So if you for example plan to allow HTTP connections to multiple servers then the port TCP/80 can only be forwarded to a single server and the next server has to use some other public port.
How many servers do you have and what services are you planning to forward to them?
And what is the software level on the ASA?
Also I want to confirm that the public IP address is gotten by the ASA through DHCP and not the ISP device in front of it?
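The static PAT approach described in the reply above, as an added example that is not part of the original thread: ASA 8.3 and above object NAT publishing two web servers through the single DHCP-assigned outside address. The object names, the ACL name and the 192.168.10.x server addresses are constructed for illustration; the inside and outside interface names follow the thread.

```cisco
! Constructed example for ASA 8.3 and above; names and addresses are assumptions.
! The "interface" keyword maps to whatever address the outside interface
! currently holds, so a DHCP renewal with a new address needs no NAT change.
object network WEB-SERVER-1
 host 192.168.10.10
 nat (inside,outside) static interface service tcp 80 80
!
! TCP/80 on the outside address is now taken by WEB-SERVER-1, so the second
! web server is published on a different public port (8080 here) while it
! still listens on its real port 80.
object network WEB-SERVER-2
 host 192.168.10.11
 nat (inside,outside) static interface service tcp 80 8080
!
! From 8.3 on, the outside ACL matches the real (inside) address and port,
! not the translated ones. Permit only the services that are forwarded.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-1 eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-2 eq 80
access-group OUTSIDE-IN in interface outside
```

Outside clients reach the first server on port 80 of the public address and the second on port 8080; everything else inbound stays blocked by the implicit deny at the end of the ACL.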
I will change out the network hardware we have based on what you said.
I will move the Time Warner Cable modem over to our internal users to provide internet access for them, to have all internal users use this as their internet access, protecting them through the firewall and allowing me to use the other ISP for our servers; we have a class C public subnet on that one.
Back to the cable modem: on the ASA we see the external interface now receiving a public address from Time Warner, 71.76.35.x
Let me ask what's required to configure this ASA for all users to use for internet access only. We have wired LAN users, and we have one wireless access point that gives them an internal address on the 192.168.5.x network; we configure the wireless access point to point to the ASA for its default gateway?
How would we configure the ASA to allow our internal wired LAN users and our wireless LAN users? Any documentation, video or config showing how to make this happen...?
Thank you my friend
Depending on your ASA software level, you can configure Dynamic PAT for the LAN users based on the examples I mentioned in the first reply.
In your case, if you have already configured the LAN and WAN interfaces, then probably the only things you might be missing are the above-mentioned Dynamic PAT and perhaps some routing and ACL related configuration.
I don't personally use any documentation for the basic configuration, so I can't think of any source at the moment. I would imagine though that there are a lot of guides online that you can find through Google, or even instructional videos on YouTube. And naturally, if your configuration isn't working you can always show it here and ask for advice.
Perfect, will do some Google searches
Jouni, you have helped me three or more times this year in many different ASA configurations, thank you for all the help.
You will be on vacation next week, will you allow me to buy you lunch at any location you choose, the only thing is call me from at 864)910-2778 and I will give the waiter or cashier my credit card information, my way to say thanks for all the amazing help you give.
Thank you my friend
My offer stands - just call me any time EST and lunch is on me.
We really appreciate having people like you who have the technical ability to help us who have much less.
Have a nice quiet vacation my friend