11-16-2006 04:59 PM - edited 02-21-2020 01:18 AM
We currently have a failover pair of ASA 5500s providing firewalling & NAT with inside, outside, and dmz interfaces. We're doing interface PAT for the bulk of internal-to-external connections, and static 1-to-1 NATs for specific inside hosts that need to accept connections from the outside. The static NAT space is a /27 that includes the address of the external interface. This is all working correctly.
However, we are out of space for static NATs in that /27. I'd like to be able to add a different network, likely another /27, for more static NATs but am having a difficult time figuring out the best way to do this. Can this be done with a network that doesn't include the outside interface on the ASAs?
Here's a portion of our current NAT config:
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz1,outside) dmz1-net dmz1-net netmask 255.255.255.224
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255
static (inside,outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255
static (inside,outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255
static (inside,outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255
Thanks much...
11-30-2006 08:02 PM
Hi
The correct syntax for enabling proxyarp will be
no sysopt noproxyarp outside
11-22-2006 10:24 AM
Hi.
I guess you are trying to implement static NAT with a public IP range which does not reside on the PIX itself. This can be done, and this is where "proxy ARP" comes into the picture. All you need to have is appropriate routes configured on the edge router for the specific IPs that you are NATting, destined towards the outside interface of the PIX.
sysopt proxyarp outside
11-30-2006 11:14 AM
That's exactly what I'm trying to do. Unfortunately, that command doesn't seem to be supported:
idc-asa5510-01(config)# sysopt proxyarp outside
^
ERROR: % Invalid input detected at '^' marker.
idc-asa5510-01(config)# exit
idc-asa5510-01# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)
This is on a pair of ASA5510s.
Thanks,
--Stafford
12-01-2006 10:55 AM
Excellent! That did the trick, and was the one missing piece of the puzzle.
Cisco - that's horrible syntax. Double negative, anyone?
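An added audit helper, not code from the thread or from Cisco, that checks a set of ASA `static (inside,outside)` lines against the outside interface's subnet: it separates mapped addresses that sit on the outside subnet from those in a second block (which need an upstream route to the ASA plus proxy ARP, as worked out above) and reports how many on-subnet addresses are still free. The sample config and the outside interface address `198.51.100.10/27` are constructed for the example.

```python
"""Audit ASA static NAT lines against the outside interface subnet.
Added example, not the thread's or Cisco's code. Flags mapped addresses that
fall outside the outside interface's subnet (those need an upstream route to
the ASA plus proxy ARP via 'no sysopt noproxyarp outside') and lists what is
still free in the on-subnet block. Sample config/addresses are constructed.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)

# Constructed sample modelled on the thread's config, using RFC 5737 ranges.
SAMPLE_CONFIG = """\
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz1,outside) dmz1-net dmz1-net netmask 255.255.255.224
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,outside) 198.51.100.15 192.168.98.46 netmask 255.255.255.255
static (inside,outside) 198.51.100.8 192.168.98.47 netmask 255.255.255.255
static (inside,outside) 203.0.113.5 192.168.101.50 netmask 255.255.255.255
"""

def parse_statics(config, mapped_if="outside"):
    """Return (mapped, real, netmask) for statics whose mapped side is mapped_if."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group("mapped_if") == mapped_if:
            found.append((m.group("mapped"), m.group("real"), m.group("mask")))
    return found

def audit(config, outside_if_addr):
    """Classify mapped addresses as on/off the outside subnet; list free ones."""
    iface = ipaddress.ip_interface(outside_if_addr)  # e.g. 198.51.100.10/27
    subnet, used = iface.network, {iface.ip}
    on_subnet, off_subnet = [], []
    for mapped, _real, mask in parse_statics(config):
        try:
            net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
        except ValueError:
            continue  # named objects such as dmz1-net are not resolved here
        for addr in (net if net.prefixlen >= 31 else net.hosts()):  # no net/bcast on /31, /32
            (on_subnet if addr in subnet else off_subnet).append(str(addr))
            used.add(addr)
    free = [str(a) for a in subnet.hosts() if a not in used]
    return {"on_subnet": on_subnet, "off_subnet": off_subnet, "free": free}
```

Every address in `off_subnet` is one the upstream router must route to the ASA's outside address; the on-subnet ones are reachable by ARP alone.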