11-30-2009 07:48 PM - edited 03-04-2019 06:50 AM
Hello,
I did this exercise a long time ago but I can't recollect how it was done, and I was wondering if somebody could share some ideas.
I have a machine in the LAN with a 10.10.x.xxx address scheme. I would like to translate this address to another private address in the 192.168.x.xxx subnet and map a public address to this NAT'd address. So it will look like:
Cloud > Public Address> Firewall> 192.168.x.xxx > 10.10.x.xxx.
The machine is physically placed in the 10.10.x.xxx subnet and I would like the firewall to route requests coming from cloud > public address > 192.168.x.xxx > 10.10.x.xxx without physically placing the server in the 192.168.x.xxx subnet.
Thanks in advance
12-01-2009 06:53 AM
It would be cleaner to translate the public to the 10 address, but I'll assume there is a reason that can't be done.
Cloud > Public Address> Firewall> 192.168.x.xxx > 10.10.x.xxx
static (inside,outside) [public ip] 192.168.x.xxx netmask 255.255.255.255
On the next hop (in red)-
Cloud > Public Address> Firewall> 192.168.x.xxx > 10.10.x.xxx
static (inside,outside) [192.168.x.xxx] 10.10.x.xxx netmask 255.255.255.255
Hope that helps.
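The two chained statics above, traced in code as an added example that is not part of the original posts: it parses pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` host entries from each device and follows a public address hop by hop to the internal host it finally reaches, which is useful when auditing what a double NAT actually publishes. The addresses, the two config strings and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Pre-8.3 ASA syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(
    rf"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+{IP}\s+{IP}\s+netmask\s+{IP}$"
)

# Constructed sample configs: edge firewall, then the next hop behind it.
EDGE_FW = "static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255"
NEXT_HOP = "static (inside,outside) 192.168.1.50 10.10.1.50 netmask 255.255.255.255"

def parse_statics(config):
    """Return {mapped_ip: real_ip} for the 1:1 host statics in one device config."""
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # port-forward statics and other lines are not traced here
        _real_if, _mapped_if, mapped, real, mask = m.groups()
        if mask == "255.255.255.255":
            table[ip_address(mapped)] = ip_address(real)
    return table

def trace(dest, hops):
    """Follow dest through each device's static table, outermost device first."""
    path = [ip_address(str(dest))]
    for table in hops:
        real = table.get(path[-1])
        if real is None:
            continue  # no static on this hop: the address passes through unchanged
        if real in path:
            raise ValueError(f"translation loop at {real}")
        path.append(real)
    return path

def exposure_report(hops):
    """Map each address published on the outermost device to its final real host."""
    return {str(pub): str(trace(pub, hops)[-1]) for pub in hops[0]}

if __name__ == "__main__":
    hops = [parse_statics(EDGE_FW), parse_statics(NEXT_HOP)]
    print(" > ".join(str(a) for a in trace("203.0.113.10", hops)))
    print(exposure_report(hops))
```
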
05-18-2011 06:24 AM
Hello,
I have a machine located in the LAN with a Class C private address. I have a perimeter network with its own address scheme.
I would like to have the machine in the LAN do a static mapping with the DMZ address, and then do a static mapping of the DMZ address to the public address. I don't want to expose the machine identification by translating the internal address to a public address. I want packets going out from the DMZ address to the Internet.
For example:
LAN > DMZ
DMZ > Public address
Public address > Internet
There won't be a physical machine located in the DMZ. I would like to have the ASA perform all the translations and routing. If required, I can plug in an entry for DNS.
How could I achieve this?
Thanks in advance
05-18-2011 08:56 AM
static (Dmz, Lan) Lan_IP Dmz_IP netmask 255.255.255.255
static (Lan, Internet) tcp interface external_port Lan_IP internal_port netmask 255.255.255.255
I assumed you can do a 1:1 NAT between LAN and DMZ, as you can afford wasting 2 private IP addresses, but for Lan to Internet you just do port forwarding for some ports.
Don't forget the firewall!!!
access-group Internet_in in interface Internet
access-group Dmz_in in interface DMZ
And the security level
interface Ethernet0/0
nameif Internet
security-level 0
ip address Internet_IP 255.255.255.192
!
interface Ethernet0/1
nameif Lan
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif Dmz
security-level 50
ip address 10.0.0.1 255.255.255.0