Beginner

Inside to outside NAT

Hi,

I have an ASA 5505 firewall. It was requested that when accessing the internet, internal users get NAT translated to a public IP. There has to be a one-to-one translation between internal and outside IP addresses. Is it possible to do static NAT translations from the inside clients (with multiple private IP addresses) to multiple outside (private) addresses? Will the ASA accept that the outside interface will have multiple public IP addresses?

Thanks,

Tiziana

1 ACCEPTED SOLUTION

Mentor


Hi,

Static NAT and NAT are a very essential part of the firewall's operation/role. So no, the translations should not cause any problems for you. I think you would have to have quite a considerable amount of NAT configurations to have an effect on the device performance. Naturally there is some effect, but it's never something that I have had to worry about.

Currently, for example, I am migrating an ASA firewall and creating a new NAT configuration for the firewall by hand, which has around 1250 lines of NAT configurations (nat, global, static).

If you want to NAT a complete Private network to another Private network then that is no problem. It depends on the situation and purpose of the NAT really. If you are doing some kind of NAT towards a L2L VPN then it will have to be a Static Policy NAT so that it only applies for the L2L VPN. A normal Static NAT in this situation would override Dynamic PAT for the users and stop Internet traffic.

- Jouni
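
The last point of the accepted answer, written out as configuration in an added example that is not part of the original thread. It assumes pre-8.3 ASA syntax (the nat, global and static commands the answer mentions); every address and the ACL name are constructed for illustration.

```text
! Constructed addressing (not from the thread):
!   inside LAN            192.168.10.0/24
!   remote L2L VPN LAN    172.16.50.0/24
!   mapped range for VPN  10.99.10.0/24
!   test Internet host    198.51.100.10 (RFC 5737 documentation range)

! Dynamic PAT: inside users reach the Internet as the outside interface IP.
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! Problem case, left commented out: a normal static NAT for the whole LAN.
! Static NAT is evaluated before dynamic PAT, so every outbound packet from
! 192.168.10.0/24 would be translated to 10.99.10.0/24, including
! Internet-bound traffic, which then breaks.
! static (inside,outside) 10.99.10.0 192.168.10.0 netmask 255.255.255.0

! Corrected: static policy NAT. The translation to 10.99.10.0/24 applies
! only when the destination is the remote VPN network named in the ACL;
! all other destinations fall through to the dynamic PAT above.
access-list L2L-POLICY-NAT extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
static (inside,outside) 10.99.10.0 access-list L2L-POLICY-NAT

! Checks (exec mode): confirm which NAT rule each flow matches.
! Internet-bound flow, expected to match the dynamic PAT:
packet-tracer input inside tcp 192.168.10.20 1025 198.51.100.10 80
! VPN-bound flow, expected to match the static policy NAT:
packet-tracer input inside tcp 192.168.10.20 1025 172.16.50.5 80
! Active translations after real traffic has passed:
show xlate
```

The crypto ACL for the L2L tunnel would then have to reference the mapped range (10.99.10.0/24 here), since NAT is applied before the VPN match.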


4 REPLIES
Hall of Fame Guru


Tiziana

Yes, you can do this, and you do not need to assign the public IPs to an actual interface; you simply use them in your NAT statements. So the ASA would only have one outside interface with one public IP. As long as the ISP who assigned you the block is routing traffic for any of those IPs to the outside interface of your firewall, it will work fine.

That said, if you have a lot of private IPs you are going to need a lot of public IPs, which could be quite wasteful of public addressing, but like I say, if you have them then yes, it will work.

Jon

Mentor


Hi,

Can you clarify?

You first mention that you require Private to Public Static one-to-one NAT configurations and then mention that it's Private to Private?

I presume that you mean that you want to give hosts their own public IP address with the Static NAT (also possible with Dynamic NAT, but naturally the public IP acquired is random).

There is no limitation on how many Static NATs you can configure (any realistic ones for most situations) on the ASA. The main problem usually is the amount of public IP addresses you have available.

So as long as you have the available public IP addresses, then the amount of those IP addresses is the only limit on how many Static NATs you can configure between the Private and Public networks.

- Jouni

Beginner


Sorry about the typo... I meant private to public one-to-one NAT translations. Yes, we want to give internal hosts their own public IP addresses, because these will in turn go to a WAN connection. Hosts will be monitored regarding web usage, hence the need for static translations. Will there be an increase in load on the ASA?

What if I want to do a static NAT from one private to another private subnet?

Thanks.
