Configuring Dyn Nat on different subnet than the outside network

netadmincsm · ‎05-03-2012

Hi All

We have to add some nating configuration to the ones that we already have.

Actually we nat all the inside traffic from our ASA 5520 to the outside public IP.

We recently add a new public IP network from our ISP. We want to nat a specific inside subnet to an IP from that new public IP network.

We add a new network object rules for our inside subnet we wanted to nat from

We also add our nat instance into the same object group : nat (inside,outside) dynamic [Public IP Address]

Is there any other configuration we should add to make it works.

Note : we compare with another ASA 5520 we have and everything seems to be the same except that the public IP address is on the same subnet.

We also look at the ASA next hop, to make sure the packet are routed to the new public IP network. Everything seems to be ok too !

Dan-Ciprian Cicioiu · ‎05-03-2012

There is no issue. The ISP should route all the packets to the new public IP to the ASA's outside IP.

You have to split the groups that will be nat-ed.

Dan

netadmincsm · ‎05-03-2012

Is there a specific ACL that I need to open ?

Thank you very much.

Dan-Ciprian Cicioiu · ‎05-03-2012

My understanding is that the ASA is used for internet access - this means the traffic is initialized on inside and going to outside. Your ASA is already configured for this - meaning that all the required inside hosts are allowed to access-l the internet - the nat will make different translations based on your rules.

If you configured the new nat rule on the same object-group , I do belive that the old one was overwritten. Can you check that ?

Dan

netadmincsm · ‎05-09-2012

Sorry for the delay. It's been very busy around here!

Yes the old one is overwritten.