Thank you chaps. We shall try in a few weeks time and will let you know.

Cheers

Darius

Hi Philip/Guys

I am having some issue with ASA NAT, we are using Access-List to Translate many Private Pools to Single Public IP on Router, and now I want to move all NAT to ASA 5510. Which exact NAT type will serve my task. 

ip nat inside source list ABC interface FastEthernet0/0 overload

ABC ( Have Multiple Private IP Subnets), 

There is more than one way of doing this.  I personally like using object NAT.

This is an example that will NAT anything in the 192.168.0.0/16 range.  You can create as many copies of this as you want, one for each internal network.

object network internal1-network
 subnet 192.168.0.0 255.255.0.0
object network internal1-network
 nat (any,outside) dynamic interface

If you want to NAT to a specific IP address interface of the outside interface IP address then use:

object network internal1-network
 nat (any,outside) dynamic a.b.c.d

Hi Philip

Just down with below config, am I good to go

object network Internal-Network
subnet 192.168.0.0 255.255.0.0
ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (any) to (OUTSIDE) source dynamic Internal-Network interface
translate_hits = 0, untranslate_hits = 0
ciscoasa#

route OUTSIDE 0.0.0.0 0.0.0.0 x.y.z.z 1

Give it a try.  I've never used auto-NAT.

Well I used IP instead of Interface, but then it refused as IP is already used by Interface, that is my outside interface

If you specify an IP address it has to be one on the outside interface not in use.  If you want to use the actual interface IP address, then use the example I gave, exactly.

Here is it - again.

object network internal-network
 nat (any,outside) dynamic interface

Hi Philip

It is on outside interface

interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address X>X>X> Y>Y>Y>Y
ciscoasa#

Thanks Philip,

I will elaborate more, what we are required. 

Currently using CISCO Router for NAT, with FE0/0 and FE0/0.1, FE0/0.2, FE0/0.3 with having separate IP Sub-net such as 192.168.1.0/24, 192.168.10.0/24,192.168.20.0/24 and NAT is done via ACCESS LIST.

Let me share my current router config.

- ip nat inside source list GAX interface FastEthernet0/0 overload

- ip access-list extended GAX
- permit tcp any host 192.168.1.141 eq 902
- permit tcp any host 192.168.1.143 eq 5060
- permit ip 192.168.1.0 0.0.0.255 any
- permit ip 192.168.50.0 0.0.0.255 any
- permit ip 192.168.10.0 0.0.0.255 any

interface FastEthernet0/1
description USERS
no ip address
ip access-group 109 in
ip nat inside
ip inspect GAX in
ip inspect GAX out
ip virtual-reassembly
rate-limit input 15000000 2812500 2812500 conform-action transmit exceed-action drop
rate-limit output 15000000 2812500 2812500 conform-action transmit exceed-action drop
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 1000
!
interface FastEthernet0/1.20
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.33
encapsulation dot1Q 33
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.50
description XXXXXXXX
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly

Now I did create sub-interface/VLAN on ASA Firewall, but still unable to NAT all to one Public IP.

Please suggest as per scenario.

The one object will do it just fine.

object network internal-network
 subnet 192.168.0.0 255.255.0.0
object network internal-network
 nat (any,outside) dynamic interface