https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335928#M785486 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>One more question. What is the point of the static command doesn't this do the natting? How does it differ to your suggested solution?</P><P></P><P>Thanks</P><P>Dan</P></BODY></HTML> Fri, 20 Nov 2009 15:49:58 GMT dan_track 2009-11-20T15:49:58Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335922#M785480 <P>Hi,</P><P></P><P>I have a problem where I'd like to nat a pool of ip's in my dmz to a single or pool of ip's on my inside network. I have a vpn device that is going to hand out a range of ip to vpn clients, the range is 172.15.16.0/24. The dmz is on the range 10.45.96.0/24. I'd like to nat these vpn pool of ip's 172.15.16.0/24 to a single or pool of ip addresses on my inside interface (10.45.60.0) on my cisco asa. Can someone please help me with the configuration?</P><P></P><P>Also how can I restrict this range of ip's i.e the VPN pool or the natted inside pool to accessing a few pre-determined ip's and port numbers, i.e where can I place the acl before or after nat?</P><P></P><P>Many thanks</P><P>Dan</P> Mon, 11 Mar 2019 16:41:03 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335922#M785480 dan_track 2019-03-11T16:41:03Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335923#M785481 <HTML><HEAD></HEAD><BODY><P>Dan</P><P></P><P>To a single IP</P><P></P><P>nat (outside) 1 172.16.5.0 255.255.255.0 outside</P><P>global (inside) 1 <SINGLE ip=""></SINGLE></P><P></P><P>to a pool</P><P></P><P>nat (outside) 1 172.16.5.0 255.255.255.0 outside</P><P>global (inside) 1 <POOL ip=""> <SUBNET mask=""></SUBNET></POOL></P><P></P><P>to restrict access use an outbound acl on the inside interface.</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Nov 2009 13:41:47 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335923#M785481 Jon Marshall 2009-11-20T13:41:47Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335924#M785482 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>Many Many thanks for that. Can I just ask is there a benfit of using either single or multiple ip's for the inside ip's?</P><P></P><P>Thanks</P><P>Dan</P></BODY></HTML> Fri, 20 Nov 2009 13:58:05 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335924#M785482 dan_track 2009-11-20T13:58:05Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335925#M785483 <HTML><HEAD></HEAD><BODY><P>Dan</P><P></P><P>Depends on a couple of things</P><P></P><P>1) If you use a single address then it will have to do PAT (port address translation). This is fine as long as it doesn't break the application which it can do.</P><P>2) More importantly if you use a single address it is a lot harder to tie that to the real IP address. If you want to log what the VPN clients are doing then it is easier to do a one-to-one translation, log this translation and then track down what that Natted IP address did.</P><P>3) The other one is obviously a shortage of addresses which is often why PAT is used going from inside to the Internet. But that doesn't apply in this case as you can use any private addressing you like.</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Nov 2009 15:24:59 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335925#M785483 Jon Marshall 2009-11-20T15:24:59Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335926#M785484 <HTML><HEAD></HEAD><BODY><P>You're a star Jon.</P><P></P><P>Many thanks</P><P>Dan</P></BODY></HTML> Fri, 20 Nov 2009 15:31:42 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335926#M785484 dan_track 2009-11-20T15:31:42Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335927#M785485 <HTML><HEAD></HEAD><BODY><P>No problem, glad to have helped.</P></BODY></HTML> Fri, 20 Nov 2009 15:46:52 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335927#M785485 Jon Marshall 2009-11-20T15:46:52Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335928#M785486 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>One more question. What is the point of the static command doesn't this do the natting? How does it differ to your suggested solution?</P><P></P><P>Thanks</P><P>Dan</P></BODY></HTML> Fri, 20 Nov 2009 15:49:58 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335928#M785486 dan_track 2009-11-20T15:49:58Z https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335929#M785487 <HTML><HEAD></HEAD><BODY><P>Dan</P><P></P><P>The static command creates a permanent NAT translation and is bi-directional ie. connections can be initiated from both ways.</P><P></P><P>But all you want to do is NAT incoming VPN connections so you can do this dynamically because connections will only ever be initiated from the VPN client.</P><P></P><P>Jon</P></BODY></HTML> Fri, 20 Nov 2009 16:00:33 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-pool-of-ip-s-in-cisco-asa-help/m-p/1335929#M785487 Jon Marshall 2009-11-20T16:00:33Z