ciscosupp

nat cisco asa ver 9

Hi
I want to configure NAT for only one internal IP address to browse the internet.
The IP address is 192.168.1.100.
Please assist with config.

Interface 0/0
LAN
192.168.1.1 255.255.255.0
Interface 0/1
External
196.46.5.5 255.255.255.252
InteraX

Hi there.

Sorry, but your question is a little vague.

Are you looking to perform a static NAT for just this host to an external IP? Are there any other hosts that will need to access the internet?

I would recommend a dynamic NAT and then use ACLs to block hosts that do not need internet access.
ciscosupp (ASKER)

Yes, I only want one host to access the internet via NAT, as the other hosts are using proxy servers.

So firstly, set up a dynamic NAT for everything on the inside.

! Twice NAT takes a network object (or "any") as the real source, not a bare network/mask,
! so the /24 is defined as an object first.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-NET interface

Then create an ACL for the inside interface

access-list inside_in extended permit tcp host 192.168.1.100 any eq 21
access-list inside_in extended permit tcp host 192.168.1.100 any eq 80
access-list inside_in extended permit tcp host 192.168.1.100 any eq 443
access-list inside_in extended deny ip any4 any4

Then apply this to the inside interface.

access-group inside_in in interface inside

The above will allow FTP and standard web browsing from the IP 192.168.1.100.
SOLUTION
Pete Long

This solution is only available to members.
Okay, thanks, it's working perfectly. My last question is: would

nat (inside,outside) source dynamic any interface

mean any range is allowed, and what does interface mean? Please advise; I just want to understand the command.
! Twice NAT takes a network object (or "any") as the real source, not a bare network/mask.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-NET interface

The above says: translate the source address of anything arriving on the inside interface and leaving by the outside interface from subnet 192.168.1.0/24 to the outside interface address.

nat (inside,outside) source dynamic any interface

The above says: translate the source address of anything arriving on the inside interface and leaving by the outside interface, from anywhere, to the outside interface address.

The keywords any, host and interface have special meanings in the Cisco world. When you move on to using object groups, you cannot use any of the reserved special keywords. There are more by the way. ;-)
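A complete ASA 9.x configuration for the asker's goal, added here as an example; it is not from the original thread or from either answerer. It pulls together the dynamic-NAT-plus-ACL approach posted earlier and the object form of the nat command explained in the reply above, and adds two checks a practitioner would want. First, ASA 8.3 and later have no nat-control: a packet with no matching NAT rule is still forwarded out untranslated rather than dropped by the firewall, so the interface ACL, not the absence of a NAT rule, is what confines internet access to the one host (this also applies to any extra inside subnet such as 10.10.10.0/24). Second, the ACL posted in the thread permits only FTP, HTTP and HTTPS, so 192.168.1.100 could not reach an external DNS resolver; udp/53 is added below. The interface names (GigabitEthernet0/0 and 0/1), the object and ACL names, the upstream next hop 196.46.5.6 and the test destination 198.51.100.10 are assumptions, not values from the thread.

```cisco
! Added example configuration (not from the original thread). Interface
! names, object/ACL names, the next hop and the test destination are assumed.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 196.46.5.5 255.255.255.252
!
! Object NAT: only this one host is translated (PAT to the outside interface
! address). No other inside host gets a translation.
object network HOST-192.168.1.100
 host 192.168.1.100
 nat (inside,outside) dynamic interface
!
! Equivalent twice-NAT form of the rule discussed in the thread, for the
! whole /24. Twice NAT takes a network object (or "any") as the real source,
! not a bare network/mask, so the subnet is wrapped in an object first.
! object network INSIDE-NET
!  subnet 192.168.1.0 255.255.255.0
! nat (inside,outside) source dynamic INSIDE-NET interface
!
! ASA 8.3+ has no nat-control: traffic with no matching NAT rule is still
! forwarded untranslated (the upstream network will usually discard an
! RFC 1918 source, but the ASA itself does not block it). This interface
! ACL is therefore what actually limits internet access to the one host.
! udp/53 is permitted so the host can resolve names via an external
! resolver; the thread's ACL allowed only FTP, HTTP and HTTPS.
access-list INSIDE_IN extended permit udp host 192.168.1.100 any4 eq domain
access-list INSIDE_IN extended permit tcp host 192.168.1.100 any4 eq ftp
access-list INSIDE_IN extended permit tcp host 192.168.1.100 any4 eq www
access-list INSIDE_IN extended permit tcp host 192.168.1.100 any4 eq https
access-list INSIDE_IN extended deny ip any4 any4
access-group INSIDE_IN in interface inside
!
! Default route to the upstream router on the /30 (assumed next hop).
route outside 0.0.0.0 0.0.0.0 196.46.5.6 1
!
! Checks (privileged exec mode). The first trace should end with
! "Action: allow" and a NAT phase translating the source to 196.46.5.5;
! the second should end with "Action: drop" from the ACL and create no
! xlate. 198.51.100.10 is a documentation address used as a stand-in.
! packet-tracer input inside tcp 192.168.1.100 40000 198.51.100.10 443
! packet-tracer input inside tcp 10.10.10.5 40000 198.51.100.10 443
! show nat
! show xlate
```

The object NAT rule and the commented twice-NAT rule are alternatives, not both needed: the object NAT line translates only the single host, so no other inside address ever gets a translation, while the twice-NAT line translates the whole /24 and relies entirely on the ACL to keep the other hosts off the internet. Either way the packet-tracer runs are the quick way to confirm which hosts are translated and which are dropped before trusting the setup.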
So basically, when I have another subnet, say 10.10.10.0/24, on the inside of my ASA and I configure nat (inside,outside) source dynamic 192.168.1.0 255.255.255.0 interface,
subnet 10.10.10.0/24 will not have internet access, only subnet 192.168.1.0 255.255.255.0. Is this correct?
ASKER CERTIFIED SOLUTION

This solution is only available to members.