We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 546 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

Notable Replies

  1. sims says:

    Hi Rene ,

    Could you explain twice nat and use cases also ?

    Thank you

  2. Hi Sims,

    I will, added it to the list.

    Rene

  3. Hi Rene,

    Need help again, so it's NAT this time.

    ASA1(config)# object network WEB_SERVER
    ASA1(config-network-object)# host 192.168.1.1
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

    Let's call this statement A.

    The configuration above tells the ASA that whenever an outside device connects to IP address 192.168.2.200
    that it should be translated to IP address 192.168.1.1.

    ASA1(config)# object network DMZ
    ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static PUBLIC_POOL

    Let's call this statement B.

    The configuration above tells the ASA to translate any IP address from the subnet DMZ (192.168.1.0 /24) to an
    IP address in the PUBLIC_POOL (10.10.10.0 /24).

    Both NAT statements are similar except that one has an IP address and the other has a pool.

    statement-A is performing translation for the inbound traffic
    statement-B is performing translation for outbound traffic

    My question is: what part of the command makes the ASA perform translation on INBOUND or OUTBOUND traffic, and on which interface?

  4. Hi Asi,

    The first statement tells the ASA that a device with IP address 192.168.1.1 on the DMZ has to be translated to 192.168.2.200, which is on the outside. On the interfaces we configure which security zone they belong to (INSIDE, DMZ or OUTSIDE).

    The direction doesn't matter...from the outside you can connect to 192.168.2.200 and it will be translated to 192.168.1.1. When 192.168.1.1 initiates traffic that goes from DMZ > outside then it also gets translated to 192.168.2.200. The only thing the ASA cares about is what to translate.

    The same thing applies to the second statement except that the first time when traffic goes from DMZ to OUTSIDE, an IP address from the pool is selected. When the translation is in place, you can also connect from the outside to the pool address if you want...the ASA only cares about what to translate.

    Rene

  5. maher1 says:

    Hi Michael,

    Normally it should work as Rene previously explained, because the direction doesn't matter for the ASA; the only thing that matters is what to translate. If you want the request to be sourced from the inside, you can add "unidirectional" at the end of the nat (inside,outside) static command so that the destination addresses cannot initiate traffic to the source addresses.

    Hope this can help.
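As an added illustration of the point made in replies 4 and 5 (this is example configuration, not Rene's lesson or a reply above): statement A written in the twice NAT (manual NAT) form, first bidirectional and then with the unidirectional keyword, followed by the packet-tracer checks that show which direction each rule translates. The object name WEB_SERVER_MAPPED and the outside host 203.0.113.5 are assumptions for this example; twice NAT is used here instead of the object NAT form in the thread because the unidirectional keyword belongs to that syntax.

```cisco
! Real and mapped addresses as network objects
! (WEB_SERVER_MAPPED is an assumed name for this example)
object network WEB_SERVER
 host 192.168.1.1
object network WEB_SERVER_MAPPED
 host 192.168.2.200
!
! Option 1: bidirectional static NAT, same effect as statement A.
! OUTSIDE hosts reaching 192.168.2.200 are translated to 192.168.1.1,
! and 192.168.1.1 leaving the DMZ appears as 192.168.2.200.
nat (DMZ,OUTSIDE) source static WEB_SERVER WEB_SERVER_MAPPED
!
! Option 2 (use instead of option 1): the same mapping, but only
! DMZ-initiated flows are translated. OUTSIDE hosts can no longer open
! a connection to 192.168.2.200 through this rule.
nat (DMZ,OUTSIDE) source static WEB_SERVER WEB_SERVER_MAPPED unidirectional
!
! Verify both directions. 203.0.113.5 is a constructed outside host.
! The NAT phase of the packet-tracer output shows which rule matched
! and whether the flow is allowed or dropped.
packet-tracer input OUTSIDE tcp 203.0.113.5 40000 192.168.2.200 80
packet-tracer input DMZ tcp 192.168.1.1 40000 203.0.113.5 80
!
! Confirm the active rule and its translate_hits / untranslate_hits counters
show nat detail
```

Run the packet-tracer commands once with each option in place: with option 1 both traces show the static translation, with option 2 only the DMZ-sourced trace does.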
