06-20-2018 12:35 AM - edited 02-21-2020 07:54 AM
Hello to all, this is my first post so I will try to keep it simple and clean.
I have 2 internal IPs that I want to translate to 2 external IPs, each one on its own.
Let's say x.x.x.10 to x.x.x.200 and x.x.x.11 to x.x.x.201.
Now which concept should I use? I don't want to use dynamic NAT with a pool since I want to bind each address to its own. I have read about Twice NAT but I am not sure if it is the right way to do it.
Any help would be appreciated, thank you.
06-20-2018 01:03 AM
Hi, you can also use a dynamic pool. This way the hosts will not be "exposed" to the internet. This is an example:
conf t
object network HOST1
host x.x.x.10
nat (inside,outside) dynamic x.x.x.200
object network HOST2
host x.x.x.11
nat (inside,outside) dynamic x.x.x.201
Otherwise you must use static rules, for example:
static (inside,outside) x.x.x.200 x.x.x.10 netmask 255.255.255.255
static (inside,outside) x.x.x.201 x.x.x.11 netmask 255.255.255.255
The commands can be different based on the ASA firewall version.
Regards.
06-20-2018 03:58 AM
Thank you for the reply.
Just to clarify something: since I am not the initial configurator of this ASA and my knowledge of it is limited to a point, here is what I have now.
show xlate
3 in use, 622 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:x.x.x.13 to DMZ:x.x.x.13
flags s idle 407:21:47 timeout 0:00:00
NAT from outside:x.x.x.14 to DMZ:x.x.x.14
flags s idle 407:21:47 timeout 0:00:00
NAT from DMZ:10.x.x.13 to outside:151.x.x.13 flags i idle 0:00:40 timeout 3:00:00
Now they want the .14 network to be NATed from the DMZ to the public .14 network. Any ideas? Thank you for your time.
06-20-2018 04:53 AM
Hi, you can try these commands:
conf t
object network x.x.x.14
subnet x.x.x.0 255.255.255.0 !!! you must set ip and subnetmask according to your scenario
nat (DMZ, outside) dynamic x.x.x.14 !!! configure the public ip
Regards.
06-20-2018 05:18 AM - edited 06-20-2018 05:35 AM
I am getting this: WARNING: Pool (151.x.x.14) overlap with existing pool.
after doing
show nat pool
I get this result:
NAT pool outside:NatPool, range 151.x.x.13-151.x.x.14, allocated 1.
On your previous recommendation, the
conf t
object network x.x.x.14 ---- is the internal IP, I guess
Thank you.
06-20-2018 05:25 AM
Hi,
object network x.x.x.14 ---- is the internal IP, I guess <= yes
and the message WARNING: Pool () overlap with existing pool is just a warning.
Anyhow, you can remove the IP x.x.x.14 from the existing pool and create a new one if necessary.
06-25-2018 11:05 PM
Thank you for your replies and sorry for the late response.
So here is what I have now:
object network xxxxx
nat (outside,DMZ) static 10.x.x.14
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.14
object network xxxxx
nat (outside,DMZ) static 10.x.x.13
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
access-group Out-DMZ in interface outside
access-group DMZ_acl in interface DMZ
access-group DMZ-inside in interface inside
For some reason the x.13 to x.13 NAT is working.
The x.14 to x.14 is not. Any ideas?
Am I missing something?
06-26-2018 02:18 AM
I think when you use:
object network xxxxx
nat (outside,DMZ) static 10.x.x.14
then
object network xxxxx
nat (outside,DMZ) static 10.x.x.13
This cannot work, as you have already allocated outside ports to 10.x.x.14, hence there are no ports available for 10.x.x.13 as well.
Here's what I would do:
- remove
object network xxxxx
nat (outside,DMZ) static 10.x.x.13
- check the output of show run nat | include 151.x.x.13
the right output should list only the related config from this
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
If you see more lines, just see what other NAT config is using 151.x.x.13.
If all is OK so far, then you should be able to have Internet access from DMZ to outside, as long as you permit this on the ACL DMZ_acl.
06-27-2018 05:20 AM
Mm, it makes sense, but what I really want is the 2 internal IP addresses translated to the 2 public IP addresses, each one on its own: the .13 to .13 and .14 to .14. Can it be done?
Now it works with the .13; if I reload the ASA it goes either to 13 or to 14, and I don't want that.
Thank you for your time.
06-28-2018 02:06 AM
Guys any ideas?
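An added example, not configuration from this thread, of the one-to-one static object NAT that maps each DMZ host to its own fixed public address, which is what the original question asks for (ASA 8.3+ object NAT syntax; object names and the masked 10.x/151.x addresses are placeholders taken from the thread's output, and port 443 is only an example service):

```cisco
! Added example (not from this thread): one static object NAT rule per
! DMZ host. ASA 8.3+ object NAT syntax. Object names are placeholders
! (the thread masks its own as "xxxxx"); addresses follow the thread's
! masked output.
conf t

! 1. Remove the existing rules for these addresses first, otherwise the
!    new mapped addresses collide with the dynamic pool (the "Pool ...
!    overlap with existing pool" warning seen above). Use the real
!    object names from "show run nat".
object network OBJ-DMZ-13
 no nat (DMZ,outside) dynamic 151.x.x.13
object network OBJ-OUT-13
 no nat (outside,DMZ) static 10.x.x.13
object network OBJ-DMZ-14
 no nat (DMZ,outside) dynamic 151.x.x.14
object network OBJ-OUT-14
 no nat (outside,DMZ) static 10.x.x.14

! 2. One static rule per host: the real DMZ address in the object, the
!    mapped public address on the nat line. Static NAT is bidirectional,
!    so no separate (outside,DMZ) rule is needed.
object network DMZ-HOST-13
 host 10.x.x.13
 nat (DMZ,outside) static 151.x.x.13
object network DMZ-HOST-14
 host 10.x.x.14
 nat (DMZ,outside) static 151.x.x.14

! 3. Inbound traffic stays blocked unless the outside ACL permits it.
!    On 8.3+ the ACL matches the real (untranslated) address, so permit
!    to 10.x.x.13, not 151.x.x.13, and only the ports actually needed
!    (443 here is just an example).
access-list Out-DMZ extended permit tcp any host 10.x.x.13 eq 443
access-group Out-DMZ in interface outside
end

! 4. Verify: each host should show one static (flag "s") translation
!    from its DMZ address to its own public address.
show nat detail
show xlate
```

A static rule fixes the mapping per host, so it no longer depends on which address a dynamic pool hands out after a reload.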