Identity NAT example

dwesterhouse
Level 1

I'm a little confused about doing a translation using static identity NAT.

I have a proprietary router that I would like to move behind my firewall (ASA 8.2x). Right now it runs in parallel with my router from a DMZ switch. I have changed ISPs and the location the connection comes into my building, so this configuration is less than desirable.

The vendor requires a static public address. So I am hoping/assuming a regular NAT statement of:

static (Inside,Outside) 72.12.206.211 192.168.1.xx netmask 255.255.255.255

will work, since the router's inside interface connects to my inside LAN network anyway.

However, if they insist on having a non-NATed public IP, how do you do that?

I have researched Static Identity NAT that shows the following:

72.12.206.211 (outside) FW (inside) 72.12.206.211  

and they show a static statement of: static (Outside,Inside) 72.12.206.211 72.12.206.211 netmask 255.255.255.255

How do you set up the NAT statements for this configuration? Do you assign the "external" IP address to the router even though it is behind the firewall (which is what I am assuming)? Is there a better technique to do this?

1 Reply

Maykol Rojas
Cisco Employee

Nope, Not really.

Basically, if you need to put this router behind the ASA, it will separate two broadcast domains, 72.12.206.211/? and 192.168.1.?. That being said, you will need to give the router an IP of 192.168.1.x and NAT it to 72.12.206.211. Everyone will see the router 192.168.1.x with the public address, except for the inside hosts. That should not be an issue.

Now, if you want to keep using that IP, there is not much you can do on the firewall. Let's say that you put the router on the inside with 72.12.206.211, and the inside interface of the firewall is 192.168.1.x. When the router sends the ARP request to send packets to its default gateway, nobody is going to answer, since it is placed on a totally different domain.

This would work if you needed to have an inside host going to the outside without NATing; in that case you would put something like this:

static (inside,outside) 192.168.1.1 192.168.1.1

That way, the firewall will just translate the IP to itself. In that case it works, since the host is placed on the inside and everyone has an IP on 192.168.1.x.

Hope this makes sense.

Mike
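The two options in the reply, written out as a complete pre-8.3 (ASA 8.2) configuration so the pieces the thread does not spell out are visible: the inbound access-list that a static translation still needs, and what identity NAT actually changes on the wire. This is an added example, not configuration from either post or from the vendor; the interface names "inside" and "outside", the router's private address 192.168.1.10, the ACL name outside_in and the permitted port are assumptions, and the public address is the one from the question.

```text
! Option 1 (what the reply recommends): the router gets a private inside
! address and the ASA owns 72.12.206.211, translating it statically.
! Assumed: interfaces are named "inside" and "outside"; the router's
! inside address is 192.168.1.10 (hypothetical).
static (inside,outside) 72.12.206.211 192.168.1.10 netmask 255.255.255.255

! In 8.2 code an ACL applied inbound on the outside interface matches the
! translated (public) address, not the real inside address. The static by
! itself does not admit traffic from outside; it must be permitted explicitly,
! and only for the service the vendor needs. tcp/443 is an assumption here,
! and "outside_in" is just the chosen ACL name.
access-list outside_in extended permit tcp any host 72.12.206.211 eq 443
access-group outside_in in interface outside

! Option 2 (identity NAT, as shown in the reply): the inside address is
! translated to itself, so packets leave the ASA with their original source.
! This only helps if that address is routable beyond the ASA; a 192.168.x.x
! host translated to itself reaches the next-hop router but nothing will
! route replies back to it from the Internet. The same inbound ACL rule
! is still required, written against the (unchanged) inside address.
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

! Verify which translations exist and which are in use:
show nat
show xlate
```

With Option 1 the ASA answers ARP for 72.12.206.211 on the outside interface itself (proxy ARP for the static), which is why the router never needs to carry the public address; with Option 2 nothing on the outside side of the firewall answers for 192.168.1.10, which is the same ARP problem the reply describes for the reverse case.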