Dynamic NAT for internet access, best practice to use outside interface IP or different IP then interface?

Jack G, Level 1

I generally see the outside interface IP used for the dynamic NAT, though after enabling RAVPN, etc. there appears to be a warning in FMC about a possible conflict, etc. Is it a best practice to use a different IP than the outside interface for dynamic NAT, assuming you have more than one public IP to work with?

Accepted Solution

@Jack G General practice, yes use a unique IP address or pool of IP addresses for outbound Dynamic PAT.

Obviously if you don't have spare IP addresses you won't have that luxury.

4 Replies


Marvin Rhoads, Hall of Fame

Neither way is more or less secure than the other.

As far as best practices, from an engineering point of view you want to make sure the dynamic NAT/PAT has enough resources for the potential clients. If you have more than a couple hundred devices that will be using the NAT, then it's advised to use a larger address pool.

Understood, thank you. The main issue appeared to be with IPSec. A device on the inside was trying to make an IPSec connection out and couldn't due to a conflict, I think it was related to ISAKMP 500...? I ended up creating a static NAT with a different public IP for that device, which resolved the issue. I think it was 

@Jack G If the outbound IPSec connection from the inside was translated behind the ASA interface IP address and the ASA's outside interface itself was listening on udp/500, then yes I can imagine why that would not have worked. Your static NAT using a different public IP address was the correct way to resolve it.
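An added example, not from this thread, showing the two configurations the replies above describe side by side in ASA CLI object NAT syntax (an FTD NAT policy built in FMC expresses the same rules): outbound PAT behind the outside interface address, which is what collides with the firewall's own IKE listener when the ASA terminates RAVPN, versus PAT behind a dedicated address or pool plus a static one-to-one translation for the inside host that must initiate its own IPsec tunnel. Interface names, the 10.0.0.0/24 inside subnet, the 10.0.0.50 host and the RFC 5737 documentation addresses are all assumptions; the thread does not give the real values.

```text
! Added example, not the original poster's configuration. Assumes ASA 8.3+ object NAT,
! interfaces named inside/outside, inside subnet 10.0.0.0/24 and RFC 5737 public addresses.

! --- Before: everything is PATed behind the outside interface address ---
! With IKE enabled on outside, the ASA itself answers udp/500 (and udp/4500) on that
! same address, so an inside host's IPsec initiation translated to outside-ip:500
! competes with the firewall's own listener.
crypto ikev2 enable outside

object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- After: dedicated PAT address for outbound traffic ---
! A single-host mapped object yields PAT behind one spare public IP that the ASA
! does not terminate VPN on.
object network PAT_IP
 host 203.0.113.10

object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic PAT_IP

! Alternative for a larger client count: a PAT pool spreads sessions across several
! addresses instead of exhausting one address's port range. Use this nat line in
! place of the one above (an object holds only one nat statement).
object network PAT_POOL
 range 203.0.113.10 203.0.113.13
! nat (inside,outside) dynamic pat-pool PAT_POOL

! The inside device that must build its own IPsec tunnel gets a one-to-one static
! translation to yet another public IP. Object NAT orders static rules ahead of
! dynamic ones, so this wins over INSIDE_NET for 10.0.0.50 without manual ordering.
object network IPSEC_HOST
 host 10.0.0.50
 nat (inside,outside) static 203.0.113.20

! Checks: confirm which rule each flow hits and what the peer will see as source.
! packet-tracer input inside udp 10.0.0.50 500 198.51.100.1 500
! packet-tracer input inside tcp 10.0.0.25 40000 198.51.100.1 443
! show nat detail
! show xlate
```

The packet-tracer calls are the quick way to verify the fix: the first should report the static IPSEC_HOST rule with a mapped source of 203.0.113.20, the second the dynamic rule with a mapped source from PAT_IP or PAT_POOL, and neither should show the outside interface address once the change is in.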
