Cisco ASA 8.2 NAT Alterations

Posted on 2011-09-21
Last Modified: 2012-05-12
Aloha,

I have an ASA running 8.2.5 (insufficient memory for 8.3+), and I'm looking to break the users' internal NAT group away from what the servers continue to utilize. I've configured some static translations, which I'm happy to continue setting up for all of the servers; however, I want to know the easiest way to just break everything besides the servers away to utilize their own external IP in our range.

I also have a redundant ISP link set up for failover on here, so this will need to be taken into account.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.86.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.226 255.255.255.224
!
interface Vlan3
 nameif Secondary-ISP
 security-level 0
 ip address 70.10.10.65 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns domain-lookup outside
dns server-group defaultdns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list from-outside extended permit icmp any any
access-list from-outside extended permit tcp any host 10.10.10.226 eq https
access-list from-outside extended permit tcp any host 10.10.10.226 eq www
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6001
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6004
access-list from-outside extended permit tcp any host 10.10.10.226 eq smtp
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.226 eq ftp
access-list from-outside extended permit gre any host 10.10.10.226
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3379
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3399
access-list from-outside extended permit tcp any host 10.10.10.227 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.227 eq ftp
access-list from-outside extended permit tcp host 20.10.10.67 host 10.10.10.226 eq 3268
access-list from-outside extended permit tcp any host 10.10.10.226 eq ldap
access-list no-nat extended permit ip 192.168.86.0 255.255.255.0 192.168.86.0 255.255.255.0
nat-control
global (outside) 1 interface
global (Secondary-ISP) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.86.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.86.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3379 192.168.86.13 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.86.13 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.86.13 https netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.86.13 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 192.168.86.13 6004 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.86.13 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.86.13 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3268 192.168.86.13 3268 netmask 255.255.255.255
static (inside,outside) 10.10.10.227 192.168.86.8 netmask 255.255.255.255
static (outside,inside) 192.168.86.8 10.10.10.227 netmask 255.255.255.255
static (inside,outside) 10.10.10.228 192.168.86.9 netmask 255.255.255.255
static (outside,inside) 192.168.86.9 10.10.10.228 netmask 255.255.255.255
access-group from-outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.225 1 track 1
route Secondary-ISP 0.0.0.0 0.0.0.0 70.10.10.1 254

Thanks! -Ian
Question by: Ian-DEC

3 Comments

Expert Comment

by:Ernie Beek
ID: 36579758
Well, normally you use the nat and global for that. With nat you define what range is going to be natted from what interface, and the global defines to what address (or range) you nat it. So if your servers are nicely grouped together in a part of your internal range, it shouldn't be too hard to separate that.
Accepted Solution

by: Ian-DEC
ID: 36951281
I did a static (inside,outside) for the server IP I was concerned about, and left the global NAT alone.
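
A worked 8.2 configuration for both approaches in this thread (Ernie's nat/global split and the one-to-one static Ian settled on), added here as an example; it is not part of either post or of Ian's running config. Everything below that is not in the posted config is an assumption: a hypothetical "server block" 192.168.86.16/28, spare public addresses 10.10.10.229/.230 on the primary range and 70.10.10.66/.67 on the secondary, a hypothetical server 192.168.86.20 with no existing static, and 198.51.100.10 as a throw-away destination for packet-tracer.

```cisco
! Added example, not from the original question or answers. All addresses
! below are assumptions: 192.168.86.16/28 as the server block,
! 10.10.10.229/.230 and 70.10.10.66/.67 as spare public addresses,
! 192.168.86.20 as one server that has no existing static translation.
!
! --- Approach 1: give the servers their own NAT ID (nat/global) ---
! Policy NAT: anything sourced from the server block is tagged NAT ID 2 ...
access-list nat-servers extended permit ip 192.168.86.16 255.255.255.240 any
nat (inside) 2 access-list nat-servers
! ... and ID 2 is PATed to a dedicated address on EACH ISP interface, so a
! failover to Secondary-ISP keeps the servers on their own address as well.
global (outside) 2 10.10.10.229
global (Secondary-ISP) 2 70.10.10.66
! Everyone else stays on NAT ID 1, which the posted config already PATs to
! the interface address on both ISPs:
!   nat (inside) 1 0.0.0.0 0.0.0.0
!   global (outside) 1 interface
!   global (Secondary-ISP) 1 interface
!
! --- Approach 2: one-to-one static per server (what Ian did) ---
! A static is bidirectional: the server leaves as 10.10.10.230 AND
! 10.10.10.230 is mapped back to it on every port, so the interface ACL
! (from-outside) is the only thing limiting inbound exposure.
static (inside,outside) 10.10.10.230 192.168.86.20 netmask 255.255.255.255
static (inside,Secondary-ISP) 70.10.10.67 192.168.86.20 netmask 255.255.255.255
! Permit only the ports the server actually serves:
access-list from-outside extended permit tcp any host 10.10.10.230 eq www
access-list from-outside extended permit tcp any host 10.10.10.230 eq https
!
! --- Verification ---
! 8.2 NAT order of operations: nat 0 exemption, then static, then policy
! nat (nat with an access-list), then regular nat by best match. Check
! which rule a flow hits before trusting it:
!   packet-tracer input inside tcp 192.168.86.20 40000 198.51.100.10 80
!   packet-tracer input inside tcp 192.168.86.50 40000 198.51.100.10 80
! Live translations and the NAT tables:
!   show xlate | include 192.168.86.20
!   show nat
```

Two things to watch in practice. The per-port statics already in the posted config (the `static (inside,outside) tcp interface ...` lines) sit above policy NAT in the order of operations, so a host that has one keeps using the interface address for those ports whichever approach you add for the rest. And Secondary-ISP carries no access-group, so nothing reaches 70.10.10.67 inbound until an ACL is applied there; that is the safe default, but it also means the server is only reachable from the internet through the primary address unless you mirror the from-outside rules on the secondary interface.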
Author Closing Comment

by:Ian-DEC
ID: 36975455
Better method than moving the G NAT.