Solved

Cisco ASA 8.2 NAT Alterations

Posted on 2011-09-21
642 Views
Last Modified: 2012-05-12
Aloha,

I have an ASA running 8.2.5 (insufficient memory for 8.3+), and I'm looking to break the users' internal NAT group away from what the servers continue to utilize. I've configured some static translations, which I'm happy to continue setting up for all of the servers; however, I want to know the easiest way to just break everything besides the servers away to utilize their own external IP in our range.

I also have a redundant ISP link set up for failover on here, so this will need to be taken into account.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.86.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.226 255.255.255.224
!
interface Vlan3
 nameif Secondary-ISP
 security-level 0
 ip address 70.10.10.65 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns domain-lookup outside
dns server-group defaultdns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list from-outside extended permit icmp any any
access-list from-outside extended permit tcp any host 10.10.10.226 eq https
access-list from-outside extended permit tcp any host 10.10.10.226 eq www
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6001
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6004
access-list from-outside extended permit tcp any host 10.10.10.226 eq smtp
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.226 eq ftp
access-list from-outside extended permit gre any host 10.10.10.226
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3379
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3399
access-list from-outside extended permit tcp any host 10.10.10.227 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.227 eq ftp
access-list from-outside extended permit tcp host 20.10.10.67 host 10.10.10.226 eq 3268
access-list from-outside extended permit tcp any host 10.10.10.226 eq ldap
access-list no-nat extended permit ip 192.168.86.0 255.255.255.0 192.168.86.0 255.255.255.0
nat-control
global (outside) 1 interface
global (Secondary-ISP) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.86.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.86.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3379 192.168.86.13 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.86.13 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.86.13 https netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.86.13 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 192.168.86.13 6004 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.86.13 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.86.13 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3268 192.168.86.13 3268 netmask 255.255.255.255
static (inside,outside) 10.10.10.227 192.168.86.8 netmask 255.255.255.255
static (outside,inside) 192.168.86.8 10.10.10.227 netmask 255.255.255.255
static (inside,outside) 10.10.10.228 192.168.86.9 netmask 255.255.255.255
static (outside,inside) 192.168.86.9 10.10.10.228 netmask 255.255.255.255
access-group from-outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.225 1 track 1
route Secondary-ISP 0.0.0.0 0.0.0.0 70.10.10.1 254

Thanks!  -Ian
Question by:Ian-DEC
3 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36579758
Well, normally you use the nat and global for that. With nat you define what range is going to be natted from what interface, and the global defines to what address (or range) you nat it. So if your servers are nicely grouped together in a part of your internal range, it shouldn't be too hard to separate that.
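A worked 8.2 layout for the nat/global split described in the comment above, added here as an example that is not part of the original thread or of Cisco's documentation; the server block 192.168.86.8/29 and the spare outside address 10.10.10.229 are assumptions, and the existing from-outside ACL still governs what reaches the statics.

```cisco
! Added example (not from the original post): split the users' dynamic PAT
! from the servers' translations on ASA 8.2.x, keeping a pool on both ISPs.
! Assumptions (hypothetical): servers sit in 192.168.86.8/29 and
! 10.10.10.229 is a free address in the outside /27 for user traffic.

! 1. NAT exemption is evaluated first; keep the existing inside-to-inside exemption.
nat (inside) 0 access-list no-nat

! 2. Statics are evaluated next and are bidirectional; a full one-to-one
!    static pins a server to one public address (inbound is still filtered
!    by the from-outside ACL applied on the outside interface).
static (inside,outside) 10.10.10.227 192.168.86.8 netmask 255.255.255.255
static (inside,outside) 10.10.10.228 192.168.86.9 netmask 255.255.255.255

! 3. Regular dynamic NAT picks the most specific nat statement for the real
!    address, so the /29 wins over the catch-all 0.0.0.0 0.0.0.0. Servers
!    (including port-forwarded hosts on their other ports) keep the interface IP.
nat (inside) 2 192.168.86.8 255.255.255.248
global (outside) 2 interface
global (Secondary-ISP) 2 interface

!    Everyone else on the inside is PATed behind a dedicated outside address.
!    Each nat id needs a global on BOTH ISP interfaces, otherwise that group
!    has no translation after a failover and nat-control drops its traffic.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 10.10.10.229 netmask 255.255.255.224
global (Secondary-ISP) 1 interface

! Verification: check which translation a given host actually hits.
! show nat
! show xlate
! packet-tracer input inside tcp 192.168.86.50 1025 198.51.100.10 80
```

Run the packet-tracer line once for a user host and once for a server host (e.g. 192.168.86.13) and compare the NAT phase of the two outputs before changing the pools on the production box.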
 

Accepted Solution

by:
Ian-DEC earned 0 total points
ID: 36951281
I did a Static inside-outside for the server IP I was concerned about, and left the Global NAT alone.
 

Author Closing Comment

by:Ian-DEC
ID: 36975455
Better method than moving the G NAT.
