Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
5
Helpful
2
Replies

ASA Outside Interface and Static/Identity NAT

johnlloyd_13
Level 9
Level 9

‎11-26-2016 08:00 PM - edited ‎03-12-2019 01:35 AM

hi all,

sorry i feel like a noob again. it's been a while since i designed/configured from scratch.

a client wants to use an 'outside' interface on an ASA5516-X other than g0/0. is it possible to use g0/1 or other ports as outside interface?

i remember configuring another outside interface other than e0/0 on a 5505 and i think it didn't work.

also is below identity NAT possible?

object network NETWORK-1

 subnet 192.168.100.0 255.255.255.0

 nat (inside,outside) static NETWORK-1

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎11-27-2016 02:10 AM

You can use any interface for any "role" in the network. The ASA doesn't care which interface in inside, outside and so on. Also the names are not relevant any more. Very long time ago (when we used the PIX) there were some restrictions, but these are not relevant any more. The only restriction is that the management-port can't be used for through-traffic on some of the ASAs.

For your second question: Yes, that can be done. But be careful that you get the right order of operation. For NATs like these, it's likely that you better place them in section one with "manual/twice NAT" instead to place them in section two (auto/object NAT).

johnlloyd_13
Level 9
Level 9
In response to Karsten Iwen

‎11-27-2016 02:36 AM

hi karsten,

thanks! so i reviewed again NAT from this link:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#TWICE-TYPE

so the NAT on my original post would fall under 'section 1' correct?

coz i have several PAT statements after this one. should i put the keyword 'after-auto' on my PAT?

originally i wrote:

object network NETWORK-1

 subnet 192.168.100.0 255.255.255.0

 nat (inside,outside) static NETWORK-1

object network NETWORK-192.168.180.0-24
 description GUEST-WIFI
 subnet 192.168.180.0 255.255.255.0
 nat (GUEST-WIFI,outside) dynamic interface

should i do below instead?

object network NETWORK-1

 subnet 192.168.100.0 255.255.255.0

nat (inside,outside) 1 source static NETWORK-1

object network NETWORK-10.100.180.0-24
 description LAN
 subnet 10.100.180.0 255.255.255.0
 nat (inside,outside) after-auto 1 dynamic interface

object network NETWORK-192.168.180.0-24
 description GUEST-WIFI
 subnet 192.168.180.0 255.255.255.0
 nat (GUEST-WIFI,outside) after-auto 2 dynamic interface

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card