garyoh
asked on
Cisco ASA 5505 and Internet T1
My ISP provides an Adtran unit and manages it; they handle the public-to-private IP mappings. The ISP provides a range of IPs from AAA.AAA.AAA.123 to AAA.AAA.AAA.253 (merely for discussion's sake). They suggest our ASA outside is set to AAA.AAA.AAA.124 as their "side" is 123 and therefore unusable for us. So all I have to do is put in
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.124 if I understand that right, right?
That done, how do I enter the internal to external mappings, i.e.:
AAA.AAA.AAA.125 --> 192.168.1.12
AAA.AAA.AAA.126 --> 192.168.1.13
etc.
Thanks,
ASKER
You are mostly right about my scenario.
So am I right about setting up the outbound traffic with the "route outside ..." command?
Second part:
I would prefer to understand how to add each internal node individually so that we could cause VPN users to use the VPN client while only NAT'ing a couple of existing NATs to my outside vendors instead of leaving the entire range of ports open for the NATted IPs. Does this make any sense?
ASKER CERTIFIED SOLUTION
124 is ISP's gateway address..
Your private addresses are 192.168.1.12/24
So, you want to route all addresses via the external gateway address..
Now, we want to convert private addresses to public ones, that will require a NAT (network address translation).
So, for an ASA, try:
access-list outside_nat0_outbound extended permit ip object-group LANGROUP any
Where LANGROUP is an object group you have previously defined with the LAN addresses within..
then
nat (outside) 0 access-list outside_nat0_outbound outside
Which will use the outside interface address as the masked address.
You could, with that many external addresses, provide separate external addresses natted for specific addresses, but this will NAT the whole LAN segment..
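For the asker's second requirement (a handful of internal hosts reachable on specific ports only, everything else hidden behind the outside interface), here is an added configuration example in pre-8.3 ASA syntax, the same generation of syntax as the nat/access-list commands in the answer above. It is not from the original thread and not the expert's configuration. Assumptions: the ISP's router is AAA.AAA.AAA.123 and the ASA outside interface is AAA.AAA.AAA.124 as the question describes, so the default route's next hop is the ISP's address, not the ASA's own outside address; the public-to-private pairs are the ones from the question; VENDOR_IP is a placeholder for the vendor's source address; the ports (443 and 22) are chosen for illustration. Static PAT maps only the listed ports rather than the whole address, and the inbound access list restricts who may reach them; on ASA 8.3 and later the NAT statements would be written as object NAT instead.

```cisco
! Default route: next hop is the ISP's address on the shared subnet (assumed .123)
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.123 1

! Per-host, per-port static PAT (constructed from the question's example pairs).
! Only the listed port on each public address is translated; all other ports
! on .125/.126 are not mapped to anything inside.
static (inside,outside) tcp AAA.AAA.AAA.125 443 192.168.1.12 443 netmask 255.255.255.255
static (inside,outside) tcp AAA.AAA.AAA.126 22 192.168.1.13 22 netmask 255.255.255.255

! Everything else on the LAN leaves via PAT behind the outside interface address,
! so internal hosts with no static entry are never reachable from outside.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Inbound filter on the outside interface. Pre-8.3 ACLs reference the public
! (translated) address. VENDOR_IP is a placeholder for the vendor's source address.
access-list outside_access_in extended permit tcp host VENDOR_IP host AAA.AAA.AAA.125 eq 443
access-list outside_access_in extended permit tcp host VENDOR_IP host AAA.AAA.AAA.126 eq 22
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

The explicit `deny ip any any log` at the end is what the ASA would do implicitly anyway, but logging it gives a record of any connection attempts to the unmapped ports or from unexpected sources. Verify with `show xlate` and `show access-list outside_access_in` after applying: the hit counts on the permit lines confirm the vendor's traffic is matching, and the deny line shows anything else that is being dropped.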