Firewall translations

thomastsam
Level 1

Hello,

I did this exercise a long time ago but I can't recollect how it was done, and I was wondering if somebody could shed some ideas.

I have a machine in the LAN with a 10.10.x.xxx address scheme. I'd like to translate this address to another private address in the 192.168.x.xxx subnet and map a public address to this NAT'd address. So it will look like:

Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx.

The machine is physically placed in the 10.10.x.xxx subnet and I'd like the firewall to route requests coming from cloud > public address > 192.168.x.xxx > 10.10.x.xxx without physically placing the server in the 192.168.x.xxx subnet.

Thanks in advance

3 Replies

Collin Clark
VIP Alumni

It would be cleaner to translate the public to the 10 address, but I'll assume there is a reason that can't be done.

Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx

static (inside,outside) [public ip] 192.168.x.xxx netmask 255.255.255.255

On the next hop (highlighted in red in the original post):

Cloud > Public Address > Firewall > 192.168.x.xxx > 10.10.x.xxx

static (inside,outside) 192.168.x.xxx 10.10.x.xxx netmask 255.255.255.255

Hope that helps.

Hello,

I have a machine located in the LAN with a Class C private address. I have a perimeter network with its own address scheme.

I'd like to have the machine in the LAN do a static mapping to the DMZ address, and then do a static mapping of the DMZ address to the public address. I don't want to expose the machine's identity by translating the internal address directly to the public address. I want packets going out from the DMZ address to the Internet.

for example:

LAN > DMZ

DMZ > Public address

Public address > Internet

There won't be a physical machine located in the DMZ. I'd like to have the ASA perform all the translations and routing. If required, I can plug in an entry for DNS.

How could I achieve this?

Thanks in advance

static (Lan,Dmz) Dmz_IP Lan_IP netmask 255.255.255.255

static (Lan,Internet) tcp interface external_port Lan_IP internal_port netmask 255.255.255.255

I assumed you can do a 1:1 NAT between LAN and DMZ, as you can afford wasting 2 private IP addresses, but for LAN to Internet you just port-forward some ports.

Don't forget the firewall!!!

access-group Internet_in in interface Internet

access-group Dmz_in in interface DMZ

And the security level:

interface Ethernet0/0
nameif Internet
security-level 0
ip address Internet_IP 255.255.255.192
!
interface Ethernet0/1
nameif Lan
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
nameif Dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
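Both replies hinge on the argument order of the pre-8.3 ASA `static` command: the interface pair is (real,mapped), the first address is the one hosts on the mapped interface see, and the second is the host's real address. The script below is an added example, not code from this thread or from Cisco. It parses `static` lines in that grammar (including the `tcp ... interface` port-forward form) and answers, for a packet arriving on a given interface, which real address and port it is delivered to, and for traffic leaving a real host, which address the far side sees. It also follows a destination through two firewalls in a row, as in Collin's layout, and handles subnet masks as well as /32 host entries. All addresses, interface names and the two configs are constructed sample values (RFC 5737 and private ranges), with the interface IPs from the last reply reused for the LAN/DMZ/Internet case.

```python
"""Model of how a pre-8.3 Cisco ASA `static` entry rewrites addresses (added example).

Grammar modelled, as used in the replies above:
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
    static (real_ifc,mapped_ifc) tcp {mapped_ip|interface} mapped_port real_ip real_port netmask MASK
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+)\s*,\s*(?P<mapped_ifc>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped>\S+)\s+(?:(?P<mapped_port>\d+)\s+)?"
    r"(?P<real>\S+)\s+(?:(?P<real_port>\d+)\s+)?"
    r"netmask\s+(?P<mask>\S+)\s*$"
)


@dataclass(frozen=True)
class Static:
    real_ifc: str              # interface the host really sits behind
    mapped_ifc: str            # interface on which the translated address is seen
    mapped: str                # address seen on mapped_ifc
    real: str                  # the host's actual address
    mask: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def parse_static(line: str, interface_ips: Dict[str, str]) -> Static:
    """Parse one `static` line; the keyword `interface` means the mapped interface's own IP."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    g = m.groupdict()
    mapped = interface_ips[g["mapped_ifc"]] if g["mapped"] == "interface" else g["mapped"]
    return Static(real_ifc=g["real_ifc"], mapped_ifc=g["mapped_ifc"], mapped=mapped,
                  real=g["real"], mask=g["mask"], proto=g["proto"],
                  mapped_port=int(g["mapped_port"]) if g["mapped_port"] else None,
                  real_port=int(g["real_port"]) if g["real_port"] else None)


def parse_config(text: str, interface_ips: Dict[str, str]) -> List[Static]:
    """Collect the `static` lines of a config fragment; other lines are ignored."""
    return [parse_static(ln, interface_ips) for ln in text.splitlines()
            if ln.strip().startswith("static ")]


def _shift(ip: str, from_base: str, to_base: str, mask: str) -> Optional[str]:
    """Re-base ip from the from_base/mask block into to_base/mask; None if ip is outside it."""
    src_net = ipaddress.ip_network(f"{from_base}/{mask}", strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in src_net:
        return None
    dst_net = ipaddress.ip_network(f"{to_base}/{mask}", strict=False)
    return str(dst_net.network_address + (int(addr) - int(src_net.network_address)))


def inbound(statics, ingress_ifc, dst_ip, proto=None, dst_port=None):
    """Packet arriving on ingress_ifc for dst_ip -> (egress_ifc, real_ip, real_port) or None.
    A port static only claims its own protocol/port; other traffic to the address is untouched."""
    for s in statics:
        if s.mapped_ifc != ingress_ifc:
            continue
        real = _shift(dst_ip, s.mapped, s.real, s.mask)
        if real is None:
            continue
        if s.proto is None:
            return (s.real_ifc, real, dst_port)
        if proto == s.proto and dst_port == s.mapped_port:
            return (s.real_ifc, real, s.real_port)
    return None


def outbound(statics, egress_ifc, src_ip, proto=None, src_port=None):
    """Packet from the real host leaving via egress_ifc -> (mapped_ip, mapped_port) or None."""
    for s in statics:
        if s.mapped_ifc != egress_ifc:
            continue
        mapped = _shift(src_ip, s.real, s.mapped, s.mask)
        if mapped is None:
            continue
        if s.proto is None:
            return (mapped, src_port)
        if proto == s.proto and src_port == s.real_port:
            return (mapped, s.mapped_port)
    return None


def chain(hops, dst_ip, proto=None, dst_port=None):
    """Follow a destination through firewalls in a row: hops = [(statics, ingress_ifc), ...]."""
    path = [dst_ip]
    for statics, ingress_ifc in hops:
        hit = inbound(statics, ingress_ifc, path[-1], proto, dst_port)
        if hit is None:
            raise ValueError(f"no static translates {path[-1]} on {ingress_ifc}")
        _, real, dst_port = hit
        path.append(real)
    return path


# Constructed sample configs (all values are made up for this example).
# Collin's layout: edge ASA maps public -> 192.168, next-hop ASA maps 192.168 -> 10.10.
EDGE_IFCS = {"outside": "203.0.113.1", "inside": "192.168.1.1"}
EDGE = parse_config("static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255", EDGE_IFCS)
NEXT_HOP_IFCS = {"outside": "192.168.1.2", "inside": "10.10.5.1"}
NEXT_HOP = parse_config("static (inside,outside) 192.168.1.10 10.10.5.20 netmask 255.255.255.255", NEXT_HOP_IFCS)
# Single-ASA LAN/DMZ/Internet layout from the last reply, placeholders filled in.
TIER_IFCS = {"Internet": "203.0.113.10", "Lan": "192.168.10.1", "Dmz": "10.0.0.1"}
TIER = parse_config("""
static (Lan,Dmz) 10.0.0.20 192.168.10.20 netmask 255.255.255.255
static (Lan,Internet) tcp interface 443 192.168.10.20 8443 netmask 255.255.255.255
""", TIER_IFCS)

if __name__ == "__main__":
    print("two-hop path:", " > ".join(chain([(EDGE, "outside"), (NEXT_HOP, "outside")], "203.0.113.10")))
    print("from DMZ    :", inbound(TIER, "Dmz", "10.0.0.20"))
    print("from net 443:", inbound(TIER, "Internet", "203.0.113.10", "tcp", 443))
    print("from net 22 :", inbound(TIER, "Internet", "203.0.113.10", "tcp", 22))
```

Running it prints the two-hop path as 203.0.113.10 > 192.168.1.10 > 10.10.5.20, and shows that port 22 from the Internet is not translated at all, which is the behaviour the "portforward for some ports" reply relies on. Within a single ASA nothing has to own the mapped address: the firewall answers ARP for a static's mapped address on the mapped interface, which is why the 192.168.x.xxx host in the question never needs to exist physically. The model deliberately stops at translation; the access-group lines in the last reply still decide whether the translated packet is permitted.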
