Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
1
Replies

NAT Rules

Eggzter100
Level 1
Level 1

‎06-25-2010 03:14 AM - edited ‎03-11-2019 11:03 AM

Hi all,

At present I'm installing a ASA firewall between my 2811 router and the network.

The router at the moment has an internal ip address of 192.9.200.253 and has NAT rules set up. The 192.9.200.254 address is that of our exchange server. My question is this. If I change the internal interface of the router to 10.10.10.10 and the external interface of the ASA to 10.10.10.11 and the internal interface of the ASA has the 192.9.200.253 address, what do I do about the NAT rules?

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

ip nat inside source static tcp 192.9.200.254 25 *.*.*.*25 route-map Deny-VPN extendable

ip nat inside source static tcp 192.9.200.254 80 *.*.*.* 80 route-map Deny-VPN extendable

ip nat inside source static tcp 192.9.200.254 143 *.*.*.* 143 route-map Deny-VPN extendable

!

ip access-list extended Deny-VPN

permit ip 192.9.200.0 0.0.1.255 6.0.0.0 0.0.255.255

access-list 105 remark SDM_ACL Category=2

access-list 105 remark IPSec Rule

access-list 105 deny   ip 192.9.200.0 0.0.0.255 6.0.0.0 0.0.255.255

access-list 105 deny   ip 192.9.200.0 0.0.1.255 172.31.0.0 0.0.255.255

access-list 105 permit ip 192.9.200.0 0.0.0.255 any

!

route-map Deny-VPN deny 10

match ip address Deny-VPN

!

route-map SDM_RMAP_1 permit 1

match ip address 105

!

I've attached the complete config below

Regards

Egg

Labels:
68294-Cisco 2811 config Cleaned.txt.zip
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-25-2010 06:05 AM

You are just changing the interface of the router from 192.9.200.253 to 10.10.10.10, as far as the NAT statement is concern, you do not need to change anything. All you need to do on the router is to configure route for 192.9.200.0/24 subnet to point towards the ASA external ip address (10.10.10.11).

Assuming you are having the following topology:

Internal network (192.9.200.0/24) -- (Inside) ASA (Outside) -- (Inside) router (Outside) -- Internet

On the ASA, you would need to configure NAT exemption, or a static statement to itself.

Example:

static (inside,outside) 192.9.200.0 192.9.200.0 netmask 255.255.255.0

OR/ alternatively

access-list nonat permit ip 192.9.200.0 255.255.255.0 any

nat (inside) 0 access-list nonat

Hope that helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card