Cisco ASA 5505 and Internet T1

My ISP provides an Adtran unit and manages it they public to private IP mappings. The ISP provides a range of IPs from AAA.AAA.AAA.123 to AAA.AAA.AAA.253 (merely for discussion's sake). They suggest our ASA outside is set to AAA.AAA.AAA.124, as their "side" is 123 and therefore unusable for us. So all I have to do is put in
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.124
if I understand that right, right?
That done, how do I enter the internal to external mappings, i.e.:
AAA.AAA.AAA.125 --> 192.168.1.12
AAA.AAA.AAA.126 --> 192.168.1.13
etc.
Thanks,
garyoh Asked:
 
debuggerau Commented:
You will always require a default route in 99% of cases, so yes, you were right.

However:
"VPN users to use the VPN client while only NAT'ing a couple of existing NAT's to my outside vendors"
Not sure I follow this, but I suspect you are wanting outside clients with a VPN client to get access to internal resources.
It's called a remote access VPN.
They will, by definition, be translating an address; however, this is from the VPN pool that is configured internally from another range. Most people make the mistake of using the internal address scheme to set VPN clients by, but you'll be reminded to allocate a dedicated subnet for this purpose.

The NAT that I talk about should convert LAN clients to an external address when they browse outside the network (internet).
Since private addresses are not routed over the internet, they are only good internally.

If you are looking at a site-to-site VPN (slightly different), in that they are permanent connections to vendors, it requires a more permanent setup with access lists and the like. There should be a wizard for setting these up, but they will take some co-operation from the vendors themselves also for specifics.
 
debuggerau Commented:
So, if I read correctly, you have a 123 to 253 network address external.
124 is ISP's gateway address.

Your private addresses are 192.168.1.12/24

So, you want to route all addresses via the external gateway address.

Now, we want to convert private addresses to public ones, that will require a NAT (network address translation).

So, for an ASA, try:

access-list outside_nat0_outbound extended permit ip object-group LANGROUP any
Where LANGROUP is an object group you have previously defined with the LAN addresses within.
Then
nat (outside) 0 access-list outside_nat0_outbound outside

Which will use the outside interface address as the masked address.

You could, with that many external addresses, provide separate external addresses NATted for specific addresses, but this will NAT the whole LAN segment.

 
garyoh (Author) Commented:
You are mostly right about my scenario.
So am I right about setting up the outbound traffic with the "route outside ..." command?
Second part:
I would prefer to understand how to add each internal node individually so that we could cause VPN users to use the VPN client while only NAT'ing a couple of existing NAT's to my outside vendors instead of leaving the entire range of ports open for the NATted IPs. Does this make any sense?
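
Editor's added example (not part of any post in this thread): one way to enter the per-host mappings from the question and to open them only to named vendors on named ports, rather than leaving every port on the mapped addresses reachable. Assumptions: pre-8.3 ASA syntax (the style of the `nat (outside) 0 access-list` line posted above), an interface named `inside` for the 192.168.1.0/24 LAN, a placeholder vendor address VVV.VVV.VVV.10, a placeholder service of tcp/443, and a hypothetical ACL name `outside_access_in`.

```cisco
! Added example, pre-8.3 ASA syntax. Assumptions: interface "inside" holds the
! 192.168.1.0/24 LAN; VVV.VVV.VVV.10 is a placeholder vendor address; tcp/443
! is a placeholder service; outside_access_in is a hypothetical ACL name.

! One-to-one mappings from the question (public -> private)
static (inside,outside) AAA.AAA.AAA.125 192.168.1.12 netmask 255.255.255.255
static (inside,outside) AAA.AAA.AAA.126 192.168.1.13 netmask 255.255.255.255

! Too broad: exposes every port on the mapped host to the whole internet
! access-list outside_access_in extended permit ip any host AAA.AAA.AAA.125

! Tighter: only the vendor's address, only the service it needs
access-list outside_access_in extended permit tcp host VVV.VVV.VVV.10 host AAA.AAA.AAA.125 eq 443
access-list outside_access_in extended permit tcp host VVV.VVV.VVV.10 host AAA.AAA.AAA.126 eq 443

! Bind the ACL to inbound traffic on the outside interface; anything not
! permitted above is dropped by the implicit deny at the end of the ACL
access-group outside_access_in in interface outside
```

On ASA software 8.3 and later the NAT syntax is different (object NAT) and the access list references the real inside address instead of the mapped public one, so these lines apply only to the older syntax.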