ASA 5510 subinterfaces and NAT

jschweng · ‎11-19-2010

We have several partners in different countries who are using overlapping subnets on their switch hardware. we have to manage all the partners hardware from our netmanagers which are installed behind an ASA5510 firewall. We have a single port to the outside and a single inside port on the ASA to use.

We were thinking that we could create subinterfaces on the ASA's outside port - one for each of the partners and then connect the next hop ( the partner;s router's) interface to that through a switch using vlan seperation.

Would the fireawll be able to NAT the source addresses of the different partners so that our Netmagers see them as being on different subnets and so we could route to them and receive snmp traps from them?"

Jon Marshall · ‎11-19-2010

JSCHWENG wrote:

We have several partners in different countries who are using overlapping subnets on their switch hardware. we have to manage all the partners hardware from our netmanagers which are installed behind an ASA5510 firewall. We have a single port to the outside and a single inside port on the ASA to use.

We were thinking that we could create subinterfaces on the ASA's outside port - one for each of the partners and then connect the next hop ( the partner;s router's) interface to that through a switch using vlan seperation.

Would the fireawll be able to NAT the source addresses of the different partners so that our Netmagers see them as being on different subnets and so we could route to them and receive snmp traps from them?"

Yes, you could do this with the static command eg.

static (outp1,inside) 192.168.5.0 172.16.5.0 netmask 255.255.255.0 <--- where outp1 is one of the partner interfaces

would present the partner network of 172.16.5.0/24 as 192.168.5.0/24 to your internal Netmanagers

If you are using ASA 8.3 then i suspect that NAT statement is no longer valid though and i haven't had to time to read up on the new NAT commands - must get round to doing that

Jon