ASA 5500 and static 1-to-1 nats

staffordrau
Level 1

We currently have a failover pair of ASA 5500s providing firewalling & nat with inside, outside, and dmz interfaces. We're doing interface PAT for the bulk of internal to external connections, and static 1-to-1 nats for specific inside hosts that need to accept connections from the outside. The static nat space is a /27 that includes the address of the external interface. This is all working correctly.

However, we are out of space for static NATs in that /27. I'd like to be able to add a different network, likely another /27, for more static NATs but am having a difficult time figuring out the best way to do this. Can this be done with a network that doesn't include the outside interface on the ASAs?

Here's a portion of our current NAT config:

global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz1,outside) dmz1-net dmz1-net netmask 255.255.255.224
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255
static (inside,outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255
static (inside,outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255
static (inside,outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255

Thanks much...


zubairjalal
Level 1

Hi.

I guess you are trying to implement static NAT with a public IP range which does not reside on the PIX itself. This can be done, and this is where "proxy ARP" comes into the picture. All you need to have is appropriate routes configured on the edge router for the specific IPs that you are NATting, destined towards the outside interface of the PIX.

sysopt proxyarp outside

That's exactly what I'm trying to do. Unfortunately, that command doesn't seem to be supported:

idc-asa5510-01(config)# sysopt proxyarp outside
                                ^
ERROR: % Invalid input detected at '^' marker.
idc-asa5510-01(config)# exit
idc-asa5510-01# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

This is on a pair of ASA5510s.

Thanks,

--Stafford

Hi

The correct syntax for enabling proxyarp will be

no sysopt noproxyarp outside

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9e9.html#wp1111405

Excellent! That did the trick, and was the one missing piece of the puzzle.

Cisco - that's horrible syntax. Double negative, anyone?
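As an added example (not configuration from the thread, and not Cisco's), here is how the two pieces the replies describe fit together: a second /27 of static 1-to-1 NATs drawn from a block that does not contain the outside interface address, a route on the edge router sending that block to the ASA, and proxy ARP enabled on the outside interface with the syntax that actually parses on ASA 7.x. All addresses, interface names and host pairings are constructed (RFC 5737 documentation ranges); the ASA lines use the pre-8.3 `static` form the original post uses.

```cisco
! Added example, not configuration from the thread. All addresses are
! constructed (RFC 5737 ranges), chosen so that the new static NAT block
! is NOT the subnet the outside interface lives in.
!
! --- ASA (pre-8.3 static NAT syntax, as in the thread) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.224
!
! Existing pattern: interface PAT for general inside-to-outside traffic
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
!
! New static 1-to-1 NATs from 203.0.113.32/27, a block that is not
! configured on any ASA interface (constructed inside hosts).
static (inside,outside) 203.0.113.33 192.168.98.49 netmask 255.255.255.255
static (inside,outside) 203.0.113.34 192.168.98.50 netmask 255.255.255.255
!
! Enable proxy ARP on outside so the ASA answers ARP for the mapped
! addresses if an upstream device treats them as on-link. Note the
! double negative: "sysopt proxyarp outside" is not a valid command.
no sysopt noproxyarp outside
!
! A static NAT only creates the translation; what the outside may reach
! is still governed by the inbound ACL, which in pre-8.3 code references
! the mapped (public) address. Permit only the services each host offers.
access-list outside_in extended permit tcp any host 203.0.113.33 eq 443
access-list outside_in extended permit tcp any host 203.0.113.34 eq 22
access-group outside_in in interface outside
!
! --- Edge router (IOS) in front of the ASA ---
! Route the whole new block to the ASA's outside interface address so
! the router forwards to the ASA's MAC instead of ARPing for each host.
ip route 203.0.113.32 255.255.255.224 198.51.100.2
!
! --- Verification on the ASA ---
! show running-config sysopt   (expect "no sysopt noproxyarp outside")
! show xlate                   (static translations for 203.0.113.33/.34)
```

Design note: with the static route in place the edge router resolves only the ASA's own interface address, so the route alone carries traffic for the new block; proxy ARP covers the case where the upstream device has the new block configured as a connected network and ARPs for the individual hosts. Proxy ARP makes the ASA answer for every mapped address on that interface, so keep the inbound ACL tight to the hosts and ports that actually have a static entry.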
