Solved

Cisco ASA 8.2 NAT Alterations

Posted on 2011-09-21
Last Modified: 2012-05-12
Aloha,

I have an ASA running 8.2.5 (insufficient memory for 8.3+), and I'm looking to break the users' internal NAT group away from what the servers continue to utilize.  I've configured some static translations, which I'm happy to continue setting up for all of the servers; however, I want to know the easiest way to just break everything besides the servers away to utilize their own external IP in our range.

I also have a redundant ISP link setup for failover on here, so this will need to be taken into account.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.86.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.226 255.255.255.224
!
interface Vlan3
 nameif Secondary-ISP
 security-level 0
 ip address 70.10.10.65 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns domain-lookup outside
dns server-group defaultdns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Inbound policy on "outside". Everything is addressed either to the interface
! address (10.10.10.226, used by the port-forward statics below) or to the
! one-to-one static addresses .227/.228. The first line admits every ICMP type
! from anywhere; a tighter set (echo-reply, unreachable, time-exceeded) is the
! usual hardening step.
access-list from-outside extended permit icmp any any
access-list from-outside extended permit tcp any host 10.10.10.226 eq https
access-list from-outside extended permit tcp any host 10.10.10.226 eq www
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6001
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6004
access-list from-outside extended permit tcp any host 10.10.10.226 eq smtp
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.226 eq ftp
access-list from-outside extended permit gre any host 10.10.10.226
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3379
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3399
access-list from-outside extended permit tcp any host 10.10.10.227 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.227 eq ftp
access-list from-outside extended permit tcp host 20.10.10.67 host 10.10.10.226 eq 3268
access-list from-outside extended permit tcp any host 10.10.10.226 eq ldap
! Traffic between inside hosts (and anything else matched here) is exempt from
! NAT via "nat (inside) 0" below.
access-list no-nat extended permit ip 192.168.86.0 255.255.255.0 192.168.86.0 255.255.255.0
! nat-control: an inside host must match a nat, nat 0 or static entry or it
! cannot pass through the firewall at all.
nat-control
! Dynamic PAT. nat id 1 covers the entire inside range and is translated to the
! interface address of whichever outside interface the active default route
! points at; a matching global exists on both ISP interfaces so failover works.
global (outside) 1 interface
global (Secondary-ISP) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
! Static PAT (port forwards) on the outside interface address. Each entry only
! translates the listed port; the servers' other outbound traffic still falls
! through to nat id 1 and the interface address.
static (inside,outside) tcp interface 3389 192.168.86.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.86.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3379 192.168.86.13 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.86.13 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.86.13 https netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.86.13 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 192.168.86.13 6004 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.86.13 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.86.13 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3268 192.168.86.13 3268 netmask 255.255.255.255
! One-to-one statics: .8 and .9 always appear as 10.10.10.227/.228 for every
! protocol, inbound and outbound, because statics are evaluated before dynamic
! nat. The (outside,inside) lines are outside-NAT entries for the same pairs.
static (inside,outside) 10.10.10.227 192.168.86.8 netmask 255.255.255.255
static (outside,inside) 192.168.86.8 10.10.10.227 netmask 255.255.255.255
static (inside,outside) 10.10.10.228 192.168.86.9 netmask 255.255.255.255
static (outside,inside) 192.168.86.9 10.10.10.228 netmask 255.255.255.255
access-group from-outside in interface outside
! The primary default route is withdrawn when track object 1 goes down (its
! sla monitor definition is not shown here); the metric-254 route via the
! Secondary-ISP then takes over.
route outside 0.0.0.0 0.0.0.0 10.10.10.225 1 track 1
route Secondary-ISP 0.0.0.0 0.0.0.0 70.10.10.1 254


Thanks!  -Ian
Question by:Ian-DEC
3 Comments
Expert Comment

by:Ernie Beek
ID: 36579758
Well, normally you use the nat and global for that. With nat you define what range is going to be natted from what interface and the global defines to what address (or range) you nat it to. So if your servers are nicely grouped together in a part of your internal range, it shouldn't be too hard to separate that.

Accepted Solution

by: Ian-DEC
ID: 36951281
I did a static (inside,outside) for the server IP I was concerned about, and left the global NAT alone.
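Both approaches discussed in this thread, worked through against the posted config as an added example (this is not code from the original thread or from Cisco's documentation): Ernie Beek's nat/global split for the user range, and the one-to-one static that Ian settled on. Everything not in the original post is an assumption and is labelled as such in the comments: user workstations are taken to live in 192.168.86.128/25 with the servers in the lower half, 10.10.10.229 and 10.10.10.230 are taken to be spare addresses in the existing outside /27, 70.10.10.66 a spare address on the Secondary-ISP, 192.168.86.20 an example server, and 198.51.100.10 (a documentation address) a placeholder destination for the packet-tracer check.

```cisco
! Added example, not part of the original thread.
! ASSUMPTIONS: users = 192.168.86.128/25, servers = 192.168.86.0/25,
!   spare public addresses 10.10.10.229 / 10.10.10.230 (outside),
!   70.10.10.66 (Secondary-ISP), example server 192.168.86.20.
!
! --- Option A: split the dynamic NAT by nat id (Ernie Beek's answer) --------
! In 8.2, regular dynamic nat is matched by best (longest-mask) match, not by
! order, so the /25 below wins over the existing "nat (inside) 1 0.0.0.0 0.0.0.0"
! for user addresses and they are PATed behind 10.10.10.229 instead of the
! interface address.  The servers in 192.168.86.0/25 still fall through to
! nat id 1 / "global (outside) 1 interface", so the inbound
! "static ... tcp interface" port forwards keep matching their outbound flows.
nat (inside) 2 192.168.86.128 255.255.255.128
global (outside) 2 10.10.10.229
! A nat id needs a global on EVERY interface traffic can leave through.  With
! nat-control on, a user flow that fails over to Secondary-ISP and finds no
! global 2 there is dropped ("no translation group found"), so add one.
! ("global (Secondary-ISP) 2 interface" is the alternative if no spare address
! exists on that link.)
global (Secondary-ISP) 2 70.10.10.66
!
! --- Option B: one-to-one static for a single server (the accepted answer) --
! Statics are evaluated before any dynamic nat, in both directions, so this host
! is always seen as 10.10.10.230 outside for every protocol, and the global
! pools are left untouched.  A port-only "static ... tcp interface 3389 ..."
! does NOT do this: that server's other outbound traffic still uses nat id 1.
static (inside,outside) 10.10.10.230 192.168.86.20 netmask 255.255.255.255
! The static alone admits nothing inbound; the access-group still decides that.
! Example (ASSUMPTION: the server offers HTTPS):
access-list from-outside extended permit tcp any host 10.10.10.230 eq https
!
! --- Verify before trusting it -----------------------------------------------
! (198.51.100.10 is a placeholder destination, not a real target.)
! packet-tracer input inside tcp 192.168.86.200 40000 198.51.100.10 80
!   -> the NAT phase must report nat id 2 and mapped address 10.10.10.229
! packet-tracer input inside tcp 192.168.86.13 40000 198.51.100.10 80
!   -> must still use nat id 1, mapped to the interface (10.10.10.226)
! packet-tracer input inside tcp 192.168.86.20 40000 198.51.100.10 80
!   -> must use the static, mapped to 10.10.10.230
! show xlate | include 10.10.10.229
! show nat
```

Two caveats a practitioner will hit. First, the ASA proxy-ARPs for 10.10.10.229/.230 on the outside interface by default because they sit in the connected /27; a mapped address outside that subnet additionally needs the upstream router to route it to the firewall. Second, Option A changes the source address of every user flow at once, so anything upstream that whitelists 10.10.10.226 (mail relays, partner firewalls, the 20.10.10.67 peer in the posted ACL) needs the new address added before the cutover.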

Author Closing Comment

by:Ian-DEC
ID: 36975455
Better method than moving the G NAT.