ciscosupp
asked on
NAT Cisco ASA ver 9
Hi,
I want to configure NAT for only one internal IP address to browse the internet.
The IP address is 192.168.1.100.
Please assist with the config.
Interface 0/0 (LAN): 192.168.1.1 255.255.255.0
Interface 0/1 (External): 196.46.5.5 255.255.255.252
ASKER
Yes, I only want one host to access the internet via NAT, as the other hosts are using proxy servers.
So firstly, set up a dynamic NAT for everything on the inside.
nat (inside,outside) source dynamic 192.168.1.0 255.255.255.0 interface
Then create an ACL for the inside interface
access-list inside_in extended permit tcp host 192.168.1.100 any eq 21
access-list inside_in extended permit tcp host 192.168.1.100 any eq 80
access-list inside_in extended permit tcp host 192.168.1.100 any eq 443
access-list inside_in extended deny ip any4 any4
Then apply this to the inside interface.
access-group inside_in in interface inside
The above will allow FTP and standard web browsing from the IP 192.168.1.100.
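An added example, not from the thread's answer: the same goal reached the other way round, by giving only the one host a NAT rule (ASA 8.3+/9.x object NAT) and using the interface ACL as a second, logged barrier. It assumes the interface names "inside" and "outside" and the addresses given in the question; the object name and the DNS line are my additions.

```cisco
! Added example (not the thread's own config). Object NAT for a single host:
! only this object has a translation, so no other inside host is PATed out.
object network HOST-192.168.1.100
 host 192.168.1.100
 ! Dynamic PAT to the outside interface address (196.46.5.5) for this host only.
 nat (inside,outside) dynamic interface
!
! Second barrier: an inbound ACL on "inside" so other hosts are dropped at the
! firewall (and logged) instead of leaving untranslated with a private source.
access-list inside_in extended permit tcp host 192.168.1.100 any eq 80
access-list inside_in extended permit tcp host 192.168.1.100 any eq 443
access-list inside_in extended permit tcp host 192.168.1.100 any eq 21
! Only needed if the host resolves names against a DNS server on the outside;
! without it, browsing fails at name resolution even though 80/443 are open.
access-list inside_in extended permit udp host 192.168.1.100 any eq domain
! The ASA denies unmatched traffic anyway; an explicit deny with "log" shows
! which other inside hosts are trying to reach the internet directly.
access-list inside_in extended deny ip any4 any4 log
access-group inside_in in interface inside
!
! Verify: the host's connections should appear as PAT entries to 196.46.5.5.
show xlate
show nat detail
```

Note that an ACL applied inbound on "inside" also governs traffic from the inside to any other ASA interface (a DMZ, for example), so add permits for those flows if they exist.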
ASKER
Okay, thanks, it's working perfectly. My last question is:
Would any
nat (inside,outside) source dynamic any interface
mean any range is allowed, and what does interface mean? Please advise, I just want to understand the command.
nat (inside,outside) source dynamic 192.168.1.0 255.255.255.0 interface
The above says: translate the source address of anything arriving on the inside interface and leaving by the outside interface from subnet 192.168.1.0/24 to the outside interface address.
nat (inside,outside) source dynamic any interface
The above says: translate the source address of anything arriving on the inside interface and leaving by the outside interface from anywhere to the outside interface address.
The keywords any, host and interface have special meanings in the Cisco world. When you move on to using object groups, you cannot use any of the reserved special keywords. There are more by the way. ;-)
ASKER
So basically, when I have another subnet, say 10.10.10.0/24, on the inside of my ASA and I configure nat (inside,outside) source dynamic 192.168.1.0 255.255.255.0 interface,
subnet 10.10.10.0/24 will not have internet access and only subnet 192.168.1.0 255.255.255.0 will. Is this correct?
Sorry, but your question is a little vague.
Are you looking to perform a static NAT for just this host to an external IP? Are there any other hosts that will need to access the internet?
I would recommend a dynamic NAT and then use ACLs to block hosts that do not need internet access.