Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1226
Views
0
Helpful
5
Replies

ASA NAT based on source network

MICHAEL KENNEDY
Level 1
Level 1

‎06-06-2011 04:59 AM - edited ‎03-11-2019 01:42 PM

I have a question regarding the merging of 2 networks and NAT. The networks and interface names have been changed to simplify the diagram below.

The 192.168.0.0 network has never used a NAT translation to connect to the server 1.1.1.1. The 172.17.0.0 network used to sit on another interface which required NAT and has been moved.

Can I create a NAT translation based on a network range?

I have resolved this issue by using a NAT exemption for the 192.168.0.0 network but I like the flexibility NAT based on the source network (Checkpoint NAT is configured in this way).

Thanks in advance

NAT-Based-On-Network.jpg

Labels:
0 Helpful
5 Replies 5

f00f1ter
Level 1
Level 1

‎06-06-2011 08:18 AM

Which version of code on the ASA?

On which interface does 172.17.0.0/16 terminate?

0 Helpful

MICHAEL KENNEDY
Level 1
Level 1
In response to f00f1ter

‎06-07-2011 01:28 AM

The code version is 8.05. 172.17.0.0/16 was an external network to a third party but has been brought onto the corporate network on the inside interface. The 192.168.0.0/24 was always a trusted network and didn't require NAT. The server sits on our DMZ.

If this was a new network connection we would not use NAT but there are so many applications from the 172.17/16 range using the NAT address that this is not viable.

0 Helpful

tarekaljallad
Level 1
Level 1

‎06-06-2011 10:23 AM

You can create a NAT entry for 1.1.1.1 and then restrict by access list to source network. That will NAT it for everything talking to it through the outside (of which ever interface 172.17.0.0 is plugged into) interface.

0 Helpful

MICHAEL KENNEDY
Level 1
Level 1
In response to tarekaljallad

‎06-07-2011 01:33 AM

Sounds like what I am looking for. Can you point me in the right direction for examples or documentation?

0 Helpful

tarekaljallad
Level 1
Level 1
In response to MICHAEL KENNEDY

‎06-07-2011 04:46 AM

If the 172.17.0.0 is behind your inside interface, then you do not need NAT between it and 1.1.1.1 in your DMZ, simply make sure the ASA has the proper route to 172.17.0.0 in your internal network.

This might help:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card