
Inside to outside NAT

Tiziana Cassar
Level 1

Hi,

I have an ASA 5505 firewall. It was requested that when accessing the internet, internal users get NAT translated to a public IP. There has to be a one-to-one translation between internal and outside IP addresses. Is it possible to do static NAT translations from the inside clients (with multiple private IP addresses) to multiple outside (private) addresses? Will the ASA accept that the outside interface will have multiple public IP addresses?

Thanks,

Tiziana

4 Replies

Jon Marshall
Hall of Fame

Tiziana

Yes, you can do this, and you do not need to assign the public IPs to an actual interface; you simply use them in your NAT statements. So the ASA would only have one outside interface with one public IP. As long as the ISP who assigned you the block is routing traffic for any of those IPs to the outside interface of your firewall, it will work fine.

That said, if you have a lot of private IPs you are going to need a lot of public IPs, which could be quite wasteful of public addressing, but like I say, if you have them then yes, it will work.

Jon

Jouni Forss
VIP Alumni

Hi,

Can you clarify?

You first mention that you require Private to Public Static one-to-one NAT configurations and then mention that it's Private to Private?

I presume that you mean that you want to give hosts their own public IP address with the Static NAT (also possible with Dynamic NAT, but naturally the public IP acquired is random).

There is no limitation on how many Static NATs you can configure (any realistic ones for most situations) on the ASA. The main problem usually is the amount of public IP addresses you have available.

So as long as you have the available public IP addresses, then the amount of those IP addresses is the only limit on how many Static NATs you can configure between the Private and Public networks.

- Jouni

Sorry about the typo... I meant private to public one-to-one NAT translations. Yes, we want to give internal hosts their own public IP addresses, because these will in turn go to a WAN connection. Hosts will be monitored regarding web usage, hence the need for static translations. Will there be an increase in load on the ASA?

What if I want to do a static NAT from one private to another private subnet?

Thanks.

Hi,

Static NAT and NAT are a very essential part of the firewall's operation/role. So no, the translations should not cause any problems for you. I think you would have to have quite a considerable amount of NAT configurations to have an effect on the device performance. Naturally there is some effect, but it's never something that I have had to worry about.

Currently, for example, I am migrating an ASA firewall and creating a new NAT configuration for the firewall by hand which has around 1250 lines of NAT configurations (nat, global, static).

If you want to NAT a complete Private network to another Private network then that is no problem. It depends on the situation and purpose of the NAT really. If you are doing some kind of NAT towards a L2L VPN then it will have to be a Static Policy NAT so that it only applies for the L2L VPN. A normal Static NAT in this situation would override Dynamic PAT for the users and stop Internet traffic.

- Jouni
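
The setup discussed in this thread, sketched as an added example that is not part of any post above: per-host one-to-one static NAT alongside dynamic PAT for everyone else, plus a static policy NAT that applies only to traffic bound for an L2L VPN peer. It assumes the pre-8.3 ASA syntax (the nat/global/static commands mentioned above); every address, the remote subnet and the ACL name are constructed placeholders.

```text
! --- Assumed addressing (constructed for this example) ---
! inside LAN:            192.168.1.0/24
! ISP-routed block:      203.0.113.0/28 (routed to the ASA outside IP)
! remote L2L VPN subnet: 10.20.0.0/24
! mapped range for VPN:  172.16.1.0/24

! Dynamic PAT to the outside interface address for hosts
! that have no static entry of their own.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! One-to-one static NAT: each monitored host always appears
! as the same public address. The public addresses are not
! configured on any interface; they only appear here.
! Static entries take precedence over the dynamic PAT rule.
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255
static (inside,outside) 203.0.113.13 192.168.1.13 netmask 255.255.255.255

! Static policy NAT: translate the inside network to another
! private range ONLY when the destination is the remote VPN
! subnet. A plain "static" for the whole subnet would match
! all destinations and override the dynamic PAT above,
! stopping Internet traffic for those users.
access-list L2L-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list L2L-POLICY-NAT

! Note: a static translation alone does not permit inbound
! connections. Traffic initiated from outside toward
! 203.0.113.11-13 is still dropped unless an access-list
! applied to the outside interface explicitly permits it.
```

After applying a configuration like this, `show xlate` and `show nat` list the active translations and which rule each connection matched.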
