I am wanting to give a group of IPADDRs their own public IPADDRs. I have around 75 /26 addresses that are in every site's scope that I will need to set this for. Typically I place the guest traffic on their own /16 subnet and create an object network GUEST_PUB_IPADDR, subnet x.x.x.x /16, nat (inside,outside) dynamic P.P.P.P.
I would need to create 75 of these per site. Is there another way to NAT this group?
If I understand correctly you are looking for another way to NAT 75 addresses / subnets per site?
You could group them into an object group and use it:
object-group network NAT_Grp
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
nat (inside,outside) after-auto source dynamic NAT_Grp interface
Is the NAT statement for the NAT_Grp object group below the other NAT statement? If yes, then this is why it is not being matched. You need to move the statement above that statement, as follows:
nat (inside,outside) after-auto source dynamic NAT_Grp pat-pool GUEST_WIFI_PUBLIC
nat (inside,outside) after-auto source dynamic any pat-pool DEFAULT_PUBLIC
In the second statement you are matching any IP, so if the NAT_Grp NAT is below it, it will never be hit.
Are you talking about each individual remote site that should be configured with NAT from private to public IP?
If that is the case and you are routing the guest network directly to the connected ISP, you should be doing those NAT statements for each site. I think this is a manual process to do for each site. I know doing this for 75 sites will take time, but I think there is no other option.
I recommend using scripting to do this, as all remote sites' firewalls are reachable to you. This is a simple job but takes time to do.
Note: the above process depends on the way you route the traffic from the remote sites.
If you are using the same public IP for all the guest networks, then you just need to create one guest object-group and place all the relevant subnets into that group. Then configure NAT for that object group. A little work needs to be done, but once it is in place any new guest network would just need to be added to that object group and it is good to go, NAT-wise.
The code I posted earlier will do the trick if you are using the same public IP for all guest networks.
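To tie together the object-group approach and the rule-ordering pitfall discussed in the replies above, here is an added Python example (not code from this thread or from Cisco): it renders an ASA network object-group from a list of subnets and flags after-auto NAT rules whose sources are already fully covered by a single earlier rule, such as a `source dynamic any` rule placed above the guest group. The object-group and pat-pool names and the sample config are constructed for illustration.

```python
import ipaddress
import re

def object_group_config(name, subnets):
    """Render one ASA 'object-group network' block from CIDR strings."""
    lines = [f"object-group network {name}"]
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return "\n".join(lines)

def parse_groups(config):
    """Collect object-group network members as ip_network objects."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current:
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
    return groups

NAT_RE = re.compile(r"^nat \(\S+,\S+\) after-auto source dynamic (\S+)")

def shadowed_nat_sources(config):
    """Return the source names of after-auto NAT rules that can never match
    because every one of their subnets sits inside a single earlier rule."""
    groups = parse_groups(config)
    seen, shadowed = [], []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        src = m.group(1)
        nets = [ipaddress.ip_network("0.0.0.0/0")] if src == "any" else groups[src]
        if seen and all(any(n.subnet_of(s) for s in seen) for n in nets):
            shadowed.append(src)
        seen.extend(nets)
    return shadowed

# Constructed sample in the mis-ordered form from the thread: "any" above NAT_Grp.
SAMPLE_CONFIG = object_group_config("NAT_Grp", ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]) + """
nat (inside,outside) after-auto source dynamic any pat-pool DEFAULT_PUBLIC
nat (inside,outside) after-auto source dynamic NAT_Grp pat-pool GUEST_WIFI_PUBLIC
"""

if __name__ == "__main__":
    print(SAMPLE_CONFIG)
    print("shadowed:", shadowed_nat_sources(SAMPLE_CONFIG))
```

The check only detects coverage by one earlier rule; a group covered by the union of several earlier rules is not reported.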