beardog1113
Cisco ASA version 8.4 NAT question

Hello Experts,
There is a host 10.1.1.10 on my inside network. I have configured a static NAT mapping the public IP 203.94.35.4 to it, and configured some ACLs so that access from the internet to 203.94.35.4 is available.
At the same time, when 10.1.1.10 accesses the internet it is using 203.94.35.4.
I also have a pool defined. I want 10.1.1.10 to access the internet via the pool, and access to 203.94.35.4 from the internet to still be available.
My question is: is this possible, and if yes, how do I configure it?

thanks
Rob Vargas

I think you're confusing two different questions.

"There is a host 10.1.1.10 on my inside network. I have configured a static NAT mapping the public IP 203.94.35.4 to it, and configured some ACLs so that access from the internet to 203.94.35.4 is available.
At the same time, when 10.1.1.10 accesses the internet it is using 203.94.35.4."

You can do this, yes. It sounds like you want people to go to 203.94.35.4 and your ASA NATs that to 10.1.1.10. Take a look at this link from Cisco for additional information.
beardog1113 (Asker)

Sorry, maybe I did not describe my question clearly.
I have configured a static mapping between 10.1.1.10 and 203.94.35.4. If I access the internet from this machine, it is using 203.94.35.4; for example, if I open www.dnsstuff.com, it tells me my public IP address is 203.94.35.4. My question is: I want 10.1.1.10 to access the internet via another public IP address, defined as an IP pool, and I also want the static mapping to keep working, for example a ping to 203.94.35.4 from the internet is answered by 10.1.1.10.

Is that possible?
thanks
Well, you could indeed get a response from 203.94.35.4 if you were to ping it, assuming the correct rules are set up on the firewall to allow ICMP. However, if you want to see a source address of 10.1.1.10 over the internet, that will not work. You could ping the device whose real IP is 10.1.1.10, but across the internet it will always appear to outside devices as the public IP 203.94.35.4.

I'll take a different angle on your question, as I'm having difficulty understanding what you're truly asking. If you want inbound traffic for specific services to reach 10.1.1.10 via public IP 203.94.35.4, and when 10.1.1.10 initiates outbound internet traffic you want it to use a different public IP from a public IP pool, this can also be done. You would define static PAT (also known as port forwarding) for specific port numbers to 10.1.1.10. You would also define a PAT pool, and that would be used for outbound.
Hello rauenpc,
Since you think that is possible, could you show me the commands for this?
My ASA version is 8.4.

thank you
I had two interpretations above. Which one do you want to see commands for?
OK, my question is: is it possible to configure the "two" at the same time?
thanks
If you only needed HTTPS accessible from the outside, and wanted an outgoing PAT pool ranging from 203.94.35.5 to 203.94.35.10 to be used by 10.1.1.0/24:

object network INSIDEHOST-HTTPS
host 10.1.1.10
nat (inside,outside) static 203.94.35.4 service tcp https https

object network nat-pool
range 203.94.35.5 203.94.35.10

object network SUBNET-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic nat-pool interface

You only need the "interface" keyword if you want to use PAT/overloading as a fallback when all the IPs in the NAT pool are used up. Also, you will need to configure your ACLs appropriately.
Hi rauenpc,
One last question: if I use your configuration, when 10.1.1.10 accesses the internet, for example when it pings a host on the internet, will the mapped address be translated to 203.94.35.4, or to one of the public IP addresses in the pool (203.94.35.5 - 203.94.35.10)?

thank you
rauenpc will confirm, but the static NAT should work to NAT all outbound traffic via 203.94.35.4.
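To make the last question concrete (whether an outbound ping from 10.1.1.10 leaves as 203.94.35.4 or as a pool address under rauenpc's configuration), here is a small Python model of how ASA 8.4 Section 2 object NAT rules are selected; it is an added illustration, not code from the thread or from Cisco. Its ordering rules (static before dynamic, fewer real addresses first, first free pool address for dynamic NAT, interface PAT only once the pool is exhausted), the one-address-per-host lease behaviour, and the outside interface address 203.94.35.3 are assumptions stated in the comments.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str           # object name (final ordering tie-breaker)
    real: list          # real (inside) addresses the object covers
    kind: str           # "static" or "dynamic"
    mapped: list        # one mapped address for static, the pool for dynamic
    service: tuple = None        # (proto, port) restriction such as ("tcp", 443); None = any
    interface_fallback: bool = False   # "interface" keyword: PAT on the outside IP when the pool is empty

def rule_order(rule):
    # Modelled ASA 8.4 Section 2 (object NAT) ordering: static before dynamic, then fewer
    # real addresses first, then lowest real IP, then object name (assumption).
    return (rule.kind != "static", len(rule.real),
            min(int(ip_address(a)) for a in rule.real), rule.name)

@dataclass
class NatTable:
    rules: list
    interface_ip: str
    leases: dict = field(default_factory=dict)   # real host -> pool address in use

    def translate(self, src, proto, dport=None):
        # Mapped source address for an outbound packet from src, or None if no rule matches.
        for rule in sorted(self.rules, key=rule_order):
            if src not in rule.real:
                continue
            if rule.service and rule.service != (proto, dport):
                continue        # a service-restricted static matches only that proto/port
            if rule.kind == "static":
                return rule.mapped[0]
            # dynamic NAT: one pool address per real host, first free one, else PAT fallback
            mapped = self.leases.get(src)
            if mapped is None:
                free = [m for m in rule.mapped if m not in self.leases.values()]
                if free:
                    mapped = self.leases[src] = free[0]
                elif rule.interface_fallback:
                    mapped = self.interface_ip
            return mapped
        return None

def thread_config(outside_ip="203.94.35.3"):   # outside interface IP is an assumed value
    https_host = NatRule("INSIDEHOST-HTTPS", ["10.1.1.10"], "static",
                         ["203.94.35.4"], service=("tcp", 443))
    subnet = NatRule("SUBNET-10.1.1.0-24", [str(h) for h in ip_network("10.1.1.0/24").hosts()],
                     "dynamic", ["203.94.35.%d" % n for n in range(5, 11)], interface_fallback=True)
    return NatTable([https_host, subnet], outside_ip)
```

Under this model, TCP/443 from 10.1.1.10 uses 203.94.35.4 but ICMP from the same host falls through to the pool, because the posted static rule is restricted to the HTTPS service.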
ASKER CERTIFIED SOLUTION
rauenpc
thanks