Cisco Support Community

New Member

ASA NAT and Routing question

Hello,

I have a question about NAT and routing on the ASA. I am relatively new to ASA and am not sure if this will work or not. I have a pool of public IPs (209.x.x.x/28) that my ISP is routing to the external interface of my ASA. The IP they have assigned for the outside of the ASA is a 206.x.x.2/24 address with a default GW of 206.x.x.1. I plan on using NAT to allow my web/mail servers to be reached on the DMZ (192.168.x.x) using the 209.x.x.x addresses. However, I am not sure how to make this work since I am not ARPing on any interface for the 209.x.x.x addresses, as they will be routed to the 206.x.x.2 address by the ISP. Do I just set up a NAT translation (on the external interface?) from the 209.x.x.x to the 192.168.x.x address and the ASA will figure it out?

Thanks for the help.

Todd

1 ACCEPTED SOLUTION
Cisco Employee

Re: ASA NAT and Routing question

The ASA will figure it out; it will answer ARP requests for anything that it has configured in a "static" command. As long as the ISP routes the 209.x.x.x addresses straight to the ASA then it should all work fine.

You just need to add lines like the following:

static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255

for each of your internal DMZ servers. Then an access-list to allow only SMTP/HTTP/etc through to those 209.x.x.x addresses.

access-list inbound permit tcp any host 209.x.x.x eq smtp

access-list inbound permit tcp any host 209.y.y.y eq http

access-group inbound in interface outside
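An added audit script (not from the thread, and not Cisco's code) that reads the pre-8.3 `static` / `access-list` / `access-group` lines in the style of the reply above and reports, per translated public address, which services the outside ACL actually permits inbound. It assumes the simple one-host syntax shown in the reply and uses a constructed sample config with RFC 5737 documentation addresses; the third static is deliberately over-permitted so the least-privilege check has something to flag.

```python
import re
from typing import Dict, List

# Constructed sample in the pre-8.3 syntax used in the reply above; addresses are
# RFC 5737 documentation ranges, not a real deployment.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.10.12 netmask 255.255.255.255
access-list inbound permit tcp any host 203.0.113.10 eq smtp
access-list inbound permit tcp any host 203.0.113.11 eq http
access-list inbound permit ip any host 203.0.113.12
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (?:any|host \S+|\S+ \S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def audit_exposure(config: str) -> Dict[str, List[str]]:
    """Map each static's global address to the 'proto/port' services permitted inbound to it."""
    statics = {}      # global ip -> outside interface name
    permits = {}      # acl name -> [(proto, dst host, port or 'any')]
    applied = {}      # interface -> acl name applied inbound
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(2)      # static (inside,outside) global real
        elif m := ACL_RE.match(line):
            name, action, proto, dst, port = m.groups()
            if action == "permit":
                permits.setdefault(name, []).append((proto, dst, port or "any"))
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
    exposure = {}
    for glob, outside in statics.items():
        rules = permits.get(applied.get(outside, ""), [])   # nothing applied -> nothing reaches the host
        exposure[glob] = sorted(f"{p}/{port}" for p, dst, port in rules if dst == glob)
    return exposure

def findings(config: str) -> List[str]:
    """Least-privilege checks: fully exposed hosts and statics no ACL line ever permits."""
    out = []
    for glob, services in audit_exposure(config).items():
        if "ip/any" in services:
            out.append(f"{glob}: 'permit ip any' exposes every port; limit it to the needed services")
        elif not services:
            out.append(f"{glob}: static defined but no inbound permit (unreachable or ACL missing)")
    return out
```

Run it against a saved `show running-config` to confirm that every translated DMZ host is reachable only on the ports it is meant to serve.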

2 REPLIES

New Member

Re: ASA NAT and Routing question

Thank you for your response.

However, that is what I am confused about. The ASA will not be able to ARP on the external int for the 209.x.x.x addresses, as the ISP is routing them to the 206.x.x.2 (i.e. it expects the 206.x.x.2 to be a router). So even if it does not ARP directly on the external interface for the 209.x.x.x address, will it be able to NAT it and then route to my DMZ?

Thank you,

Todd
