topic NAT for traffic originating from ASA in Network Security

NAT for traffic originating from ASA

Mike Anderson — Tue, 12 Mar 2019 05:06:50 GMT

Hello folks

I am facing a unique scenario. I have an ASA which is connected to an WAN network and it has private address on the outside interface. There are few PCs connected to the inside interface and the traffic from them is NAT-d to an IP for internet access.

This ASA also has botnet license, that means it needs to go internet periodically to download updates, my question is it possible to force the ASA to use a different IP other than the outside interface IP while it sents traffic to internet ?

Thanks in Advance

Hello Mike, You can indeed do

David Johan Castro Fernandez — Thu, 20 Nov 2014 15:29:13 GMT

Hello Mike,

You can indeed do the PAT with another IP address, my question is, which will be the gateway of last resort?

Is the Private IP address on the outside being NATed to a public IP address by a device in front of it?

with the --> Show xlate

You will be able to monitor the translations.

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,

Hi, The ASA to my

Jouni Forss — Fri, 21 Nov 2014 07:22:43 GMT

Hi,

The ASA to my understanding only uses its interface IP addresses to originate traffic/connections from itself.

I guess you are saying that the users behind the ASA are using some different NAT IP address (something other than the interface IP) for their Internet access?

I guess in that case you would need to make some additional NAT/ACL configurations on some device in front of the ASA to allow the ASA to get those updates from the Internet.

Or you could configure an additional interface on the ASA so you can use the IP address on the ASA that you want. This would require you to know the destination subnets/network from which the ASA gets the updates from though so you could configure static routes for those destination subnets/networks through that new interface. Probably not an ideal solution but still possible.

There have been many similiar questions in the past. Its a shame for example that you can not use multiple different public IP addresses on an ASA to build L2L VPN connections for example or just have multiple subnets gateways configured on a single interface (for some special situations). These seem to point to the situation that the ASA can not use any other IP address to originate connections "out of the box" other than those configured on the interfaces.

It would surely make some migrations easier if it was possible 🙂

- Jouni