I have a problem where I'd like to NAT a pool of IPs in my DMZ to a single IP or a pool of IPs on my inside network. I have a VPN device that is going to hand out a range of IPs to VPN clients; the range is 126.96.36.199/24. The DMZ is on the range 10.45.96.0/24. I'd like to NAT this VPN pool of IPs, 188.8.131.52/24, to a single IP or a pool of IP addresses on my inside interface (10.45.60.0) on my Cisco ASA. Can someone please help me with the configuration?
Also, how can I restrict this range of IPs, i.e. the VPN pool or the NATed inside pool, to accessing a few pre-determined IPs and port numbers? I.e. where can I place the ACL, before or after NAT?
Many, many thanks for that. Can I just ask, is there a benefit to using either single or multiple IPs for the inside IPs?
Depends on a couple of things:
1) If you use a single address then it will have to do PAT (port address translation). This is fine as long as it doesn't break the application which it can do.
2) More importantly, if you use a single address it is a lot harder to tie that to the real IP address. If you want to log what the VPN clients are doing, then it is easier to do a one-to-one translation, log this translation and then track down what that NATed IP address did.
3) The other one is obviously a shortage of addresses, which is often why PAT is used going from inside to the Internet. But that doesn't apply in this case, as you can use any private addressing you like.
One more question. What is the point of the static command? Doesn't this do the NATing? How does it differ from your suggested solution?
The static command creates a permanent NAT translation and is bidirectional, i.e. connections can be initiated from both ways.
But all you want to do is NAT incoming VPN connections, so you can do this dynamically, because connections will only ever be initiated from the VPN client.
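As an added illustration of the dynamic, one-to-one approach described in the answers above (this is example configuration written for this thread, not the responder's actual solution), assuming ASA 8.3 or later object NAT syntax, interfaces named dmz and inside, a placeholder VPN_POOL_NET for the pool the VPN device hands out, and made-up inside pool and server addresses:

```text
! Inside addresses that VPN clients will be seen as (constructed range, adjust to taste)
object network INSIDE_NAT_POOL
 range 10.45.60.200 10.45.60.220

! Real (pre-NAT) VPN client addresses; VPN_POOL_NET is a placeholder for the pool in the question
object network VPN_POOL
 subnet VPN_POOL_NET 255.255.255.0
 ! Dynamic NAT with a range object gives one-to-one translations (option 2 in the answer),
 ! so inside logs can be tied back to a single client for as long as the pool lasts.
 nat (dmz,inside) dynamic INSIDE_NAT_POOL
 ! Single-address PAT alternative (option 1): harder to attribute and may break some applications
 ! nat (dmz,inside) dynamic interface

! The pool is not on the DMZ subnet, so the ASA needs a route back to the VPN device
! (10.45.96.X is a placeholder for the VPN device's DMZ address).
route dmz VPN_POOL_NET 255.255.255.0 10.45.96.X

! Restrict what clients may reach. On 8.3+ interface ACLs match real (untranslated) addresses,
! so the ACL references the VPN pool and the real inside servers, not the NATed inside pool.
object-group network VPN_ALLOWED_SERVERS
 network-object host 10.45.60.10
 network-object host 10.45.60.11
access-list DMZ_IN extended permit tcp object VPN_POOL object-group VPN_ALLOWED_SERVERS eq 443
access-list DMZ_IN extended permit tcp object VPN_POOL object-group VPN_ALLOWED_SERVERS eq 3389
access-list DMZ_IN extended deny ip object VPN_POOL any log
! ... permits for other DMZ hosts go here; the implicit deny at the end blocks everything else
access-group DMZ_IN in interface dmz
```

Because the VPN clients are the only side that initiates, nothing here creates a translation in the inside-to-DMZ direction; `show xlate` and `show nat` will show which inside address each client currently holds.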