Solved

Cisco ASA 8.2 NAT Alterations

Posted on 2011-09-21
637 Views
Last Modified: 2012-05-12
Aloha,

I have an ASA running 8.2.5 (insufficient memory for 8.3+), and I'm looking to break the users' internal NAT group away from what the servers continue to utilize.  I've configured some static translations, which I'm happy to continue setting up for all of the servers; however, I want to know the easiest way to just break everything besides the servers away to utilize their own external IP in our range.

I also have a redundant ISP link set up for failover on here, so this will need to be taken into account.

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.86.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.226 255.255.255.224
!
interface Vlan3
 nameif Secondary-ISP
 security-level 0
 ip address 70.10.10.65 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns domain-lookup outside
dns server-group defaultdns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list from-outside extended permit icmp any any
access-list from-outside extended permit tcp any host 10.10.10.226 eq https
access-list from-outside extended permit tcp any host 10.10.10.226 eq www
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6001
access-list from-outside extended permit tcp any host 10.10.10.226 eq 6004
access-list from-outside extended permit tcp any host 10.10.10.226 eq smtp
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.226 eq ftp
access-list from-outside extended permit gre any host 10.10.10.226
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3379
access-list from-outside extended permit tcp any host 10.10.10.226 eq 3399
access-list from-outside extended permit tcp any host 10.10.10.227 eq 3389
access-list from-outside extended permit tcp any host 10.10.10.227 eq ftp
access-list from-outside extended permit tcp host 20.10.10.67 host 10.10.10.226 eq 3268
access-list from-outside extended permit tcp any host 10.10.10.226 eq ldap
access-list no-nat extended permit ip 192.168.86.0 255.255.255.0 192.168.86.0 255.255.255.0
nat-control
global (outside) 1 interface
global (Secondary-ISP) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.86.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.86.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3379 192.168.86.13 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.86.13 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.86.13 https netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.86.13 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 192.168.86.13 6004 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.86.13 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.86.13 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3268 192.168.86.13 3268 netmask 255.255.255.255
static (inside,outside) 10.10.10.227 192.168.86.8 netmask 255.255.255.255
static (outside,inside) 192.168.86.8 10.10.10.227 netmask 255.255.255.255
static (inside,outside) 10.10.10.228 192.168.86.9 netmask 255.255.255.255
static (outside,inside) 192.168.86.9 10.10.10.228 netmask 255.255.255.255
access-group from-outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.225 1 track 1
route Secondary-ISP 0.0.0.0 0.0.0.0 70.10.10.1 254

Thanks!  -Ian
Question by:Ian-DEC
3 Comments

Expert Comment

by:Ernie Beek
ID: 36579758
Well, normally you use the nat and global for that. With nat you define what range is going to be natted from what interface, and the global defines to what address (or range) you nat it to. So if your servers are nicely grouped together in a part of your internal range, it shouldn't be too hard to separate that.
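As an added illustration of the nat/global split described above (this is not Ernie's or Ian's config), here is how it could look on the posted 8.2 configuration. It assumes that the servers all sit in 192.168.86.8/29 (.8, .9, .10 and .13 are the hosts in the posted statics) and that 10.10.10.229 is a free address in the outside /27; both of those are assumptions, not facts from the question.

```cisco
! Added example, not the original poster's config.
! Assumptions: servers live in 192.168.86.8/29; 10.10.10.229 is an unused
! address in the outside range (hypothetical).
!
! NAT exemption and all existing static entries stay as they are. In 8.2 the
! order is: nat 0 access-list, then static, then policy nat, then regular
! dynamic nat, so nothing below affects the statics already in place.
nat (inside) 0 access-list no-nat
!
! NAT ID 1: only the server block keeps PATing to the outside interface
! address, so the static PAT lines (static ... tcp interface ...) and the
! from-outside ACL entries for 10.10.10.226 need no change.
global (outside) 1 interface
global (Secondary-ISP) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.86.8 255.255.255.248
!
! NAT ID 2: everything else on the inside PATs to its own external address.
! The Secondary-ISP global keeps the ISP failover working for users as well;
! with only the interface address available there, users and servers share it
! while the backup link is active.
global (outside) 2 10.10.10.229
global (Secondary-ISP) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
```

Among regular dynamic nat statements the ASA picks the most specific match, so the /29 under ID 1 wins over the 0.0.0.0 0.0.0.0 catch-all under ID 2 for the server hosts. After applying it, `clear xlate` so existing translations are rebuilt under the new rules, then check with `show xlate` (users should appear on 10.10.10.229, servers on 10.10.10.226) or `packet-tracer input inside tcp <user-host> 1025 <external-host> 80`, which shows the nat/global pair that matched. Because 8.2 ACLs are written against the mapped (outside) address, the from-outside list keeps working unchanged; any inbound rule that should cover the new user address would have to be added explicitly.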
 

Accepted Solution

by:
Ian-DEC earned 0 total points
ID: 36951281
I did a Static inside-outside for the server IP I was concerned about, and left the Global NAT alone.
 

Author Closing Comment

by:Ian-DEC
ID: 36975455
Better method than moving the G NAT.
