https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677451#M14842 <P>Let's say I have one /24 public address and it's a provider independent one. We aren't using this /24 space but only for NAT translations to clients and not being advertised to internet.</P> <P>&nbsp;</P> <P>However, let's say I have a client (client_a) and they dropped a circuit into our DC. They require 1:1 dynamic NAT translation from us. So our /24 subnet_a must be 1:1 NAT translated when we access client_a network.</P> <P>&nbsp;</P> <P>At the same time, we have a new client (client_b) who also requires the same thing. They will be connected to a different firewall interface/sub-interface but I will use the same /24 NAT pool that I used for client_a but the source is a different subnet, subnet_b, and of course the destination is different, client_b.</P> <P>&nbsp;</P> <P>I just want to know if this will work as we are trying to conserve the public addresses that we are using if the goal is the same thing. They both say that our public IP of us will only live in their private network and will not be leaked out.</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 21 Feb 2020 16:02:07 GMT jpl861 2020-02-21T16:02:07Z https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677451#M14842 <P>Let's say I have one /24 public address and it's a provider independent one. We aren't using this /24 space but only for NAT translations to clients and not being advertised to internet.</P> <P>&nbsp;</P> <P>However, let's say I have a client (client_a) and they dropped a circuit into our DC. They require 1:1 dynamic NAT translation from us. So our /24 subnet_a must be 1:1 NAT translated when we access client_a network.</P> <P>&nbsp;</P> <P>At the same time, we have a new client (client_b) who also requires the same thing. They will be connected to a different firewall interface/sub-interface but I will use the same /24 NAT pool that I used for client_a but the source is a different subnet, subnet_b, and of course the destination is different, client_b.</P> <P>&nbsp;</P> <P>I just want to know if this will work as we are trying to conserve the public addresses that we are using if the goal is the same thing. They both say that our public IP of us will only live in their private network and will not be leaked out.</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 21 Feb 2020 16:02:07 GMT https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677451#M14842 jpl861 2020-02-21T16:02:07Z https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677457#M14843 <P>Hi John,</P> <P>&nbsp;</P> <P>Something like this?</P> <P>&nbsp;</P> <P>nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1<BR />nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2</P> <P><BR />- Not configured under and object, rather under global config</P> <P>&nbsp;</P> <P>Obviously you'd need to change the interface nameif to match your enrvironent and create the relevant objects.</P> <P>&nbsp;</P> <P>HTH</P> Mon, 30 Jul 2018 14:06:10 GMT https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677457#M14843 Rob Ingram 2018-07-30T14:06:10Z https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677463#M14847 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;wrote:<BR /> <P>Hi John,</P> <P>&nbsp;</P> <P>Something like this?</P> <P>&nbsp;</P> <P>nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1<BR />nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2</P> <P><BR />- Not configured under and object, rather under global config</P> <P>&nbsp;</P> <P>Obviously you'd need to change the interface nameif to match your enrvironent and create the relevant objects.</P> <P>&nbsp;</P> <P>HTH</P> <HR /></BLOCKQUOTE> <P>Yeah something like that. Or something like this.</P> <P>&nbsp;</P> <P>object network public_pool</P> <P>&nbsp;range x.x.x.1 x.x.x.254</P> <P>&nbsp;</P> <P>object network subnet_a</P> <P>&nbsp;subnet 192.168.0.0 255.255.255.</P> <P>&nbsp;nat (inside,client_a) dynamic p<SPAN>ublic_pool</SPAN></P> <P>&nbsp;</P> <P>object network subnet_b</P> <P>&nbsp;subnet 192.168.1.0 255.255.255.</P> <P>&nbsp;nat (inside,client_b) dynamic p<SPAN>ublic_pool</SPAN></P> <P><SPAN><BR />So the same public range that lives on different sub-interfaces of the firewall. That way I can conserve IP addresses.</SPAN></P> Mon, 30 Jul 2018 14:11:01 GMT https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677463#M14847 jpl861 2018-07-30T14:11:01Z https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677514#M14852 <P>I found a lab firewall and tested both dynamic and static NAT and it worked fine. No real traffic tested but at least the ASA did not give an error or warning.</P> Mon, 30 Jul 2018 14:58:42 GMT https://community.cisco.com/t5/network-security/use-the-same-nat-pool-on-different-asa-external-interfaces/m-p/3677514#M14852 jpl861 2018-07-30T14:58:42Z