05-11-2021 07:31 AM
I generally see the outside interface IP used for the dynamic NAT, though after enabling RAVPN, etc. there appears to be a warning in FMC about a possible conflict, etc. Is it a best practice to use a different IP than the outside interface for dynamic NAT, assuming you have more than 1 public IP to work with?
05-11-2021 07:36 AM
@Jack G General practice, yes use a unique IP address or pool of IP addresses for outbound Dynamic PAT.
Obviously if you don't have spare IP addresses you won't have that luxury.
05-11-2021 07:38 AM
Neither way is more or less secure than the other.
As far as best practices, from an engineering point of view you want to make sure the dynamic NAT/PAT has enough resources for the potential clients. If you have more than a couple hundred devices that will be using the NAT, then it's advised to use a larger address pool.
05-11-2021 07:57 AM
Understood, thank you. The main issue appeared to be with IPSec. A device on the inside was trying to make an IPSec connection out and couldn't due to a conflict, I think it was related to ISAKMP 500...? Ended up creating a static NAT with a different public IP for that device, which resolved the issue. I think it was
05-11-2021 08:02 AM
@Jack G If the outbound IPSec connection from the inside was translated behind the ASA interface IP address and the ASA's outside interface itself was listening on udp/500, then yes I can imagine why that would not have worked. Your static NAT using a different public IP address was the correct way to resolve it.
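Added example to illustrate the two configurations discussed in this thread (not from the original posts or from Cisco documentation): ASA-style object NAT as FTD renders it from an FMC NAT policy, showing dynamic PAT behind the outside interface IP beside the variant with a dedicated PAT address, plus the static NAT that gives the IPSec host its own public IP. All addresses, object names and interface names are constructed placeholders.

```cisco
! --- Variant A: dynamic PAT behind the outside interface IP ---
! Works, but every inside host shares the same public IP that the
! firewall itself uses for RAVPN (udp/500, udp/4500, tcp/443).
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Variant B: dynamic PAT behind a dedicated public IP ---
! Outbound client traffic no longer shares the firewall's own listener IP.
object network PAT-ADDR
 host 203.0.113.10
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic PAT-ADDR

! --- Static NAT for the inside host that builds its own IPSec tunnel ---
! A one-to-one translation to a separate public IP means udp/500 arriving
! for 203.0.113.11 belongs to this host, never to the firewall's RAVPN service.
object network IPSEC-HOST
 host 192.168.10.50
 nat (inside,outside) static 203.0.113.11

! Optional: verify which rules are installed and in what order
! show nat
! show xlate
```

Auto (object) NAT installs static rules ahead of dynamic ones, so IPSEC-HOST is matched before INSIDE-NET regardless of the order the objects were created.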