nat config oin asa 5510

kenny504kenny504 Users Awaiting Email Confirmation Posts: 237 ■■□□□□□□□□
Ok i need some help I'm new to the asa world but i want to know if this config would work or not.

here's the scenario,

local net (
>ASA 5510 (inside | (outside
> internet cloud

the isp has assigned as our next hop and also given us a block of public address e.g - we will just overload for clients to use for now.

here's is my nat commands, havent woked on this thing since the pix days so let me know if im missing something

config# global (outside) 1
config# nat (inside) 1
config# route outside 1

with this scenario on an asa5510 i should not need any access-list command for clients on the subnet to ping internet hosts right?
There is no better than adversity, every defeat, every loss, every heartbreak contains its seed. Its own lesson on how to improve on your performance the next time.


  • mikearamamikearama Member Posts: 749
    I'm unclear how you plan to use the - 9 range on an ASA that has as its outside IP address, and a default gateway of 222.13. You don't have access to the - 9 interface on the ISP's CE router... so you don't get to control the public NAT's.

    Since you have access to your 5510 with the 222.14 interface, I believe you only get to control the PAT on that interface. In which case, your global is something like:
    config#global (outside) 1 interface
    config#global (outside) 1

    If I'm right, you get to notify your ISP how you want them to NAT your public IP's.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    It can work as originally stated, it'd be a little bit odd though but they can NAT on their own devices so long as the Provider has statics pointing to their ASA as the gateway for those addresses (once the ASA has xlations in place for the traffic it will accept it even though those public addresses are not a part of it's Outside subnet). As for the ICMP question first up enable ICMP inspection (and ICMP error for handyness) under your global policy so you can statefully allow replies to your hosts. So long as you are allowing this traffic on your ingress/inside (i.e. no ACL or you have an explicit permit in that ACL) then you should be good to go.

    policy-map global_policy
    class inspection_default
    inspect icmp
    inspect icmp error
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Sign In or Register to comment.