01-21-2014 01:45 AM - edited 03-11-2019 08:33 PM
Hi,
I have an ASA 5505 firewall. It was requested that when accessing the internet, internal users get NAT translated to a public IP. There has to be a one-to-one translation between internal and outside IP addresses. Is it possible to do static NAT translations from the inside clients (with multiple private IP addresses) to multiple outside (private) addresses? Will the ASA accept that the outside interface will have multiple public IP addresses?
Thanks,
Tiziana
01-21-2014 03:05 AM
Tiziana
Yes, you can do this, and you do not need to assign the public IPs to an actual interface; you simply use them in your NAT statements. So the ASA would only have one outside interface with one public IP. As long as the ISP who assigned you the block is routing traffic for any of those IPs to the outside interface of your firewall, it will work fine.
That said, if you have a lot of private IPs you are going to need a lot of public IPs, which could be quite wasteful of public addressing, but like I say, if you have them then yes, it will work.
Jon
01-21-2014 03:07 AM
Hi,
Can you clarify?
You first mention that you require Private to Public Static one-to-one NAT configurations and then mention that it's Private to Private?
I presume that you mean that you want to give hosts their own public IP address with the Static NAT (also possible with Dynamic NAT, but naturally the public IP acquired is random).
There is no limitation on how many Static NATs you can configure (any realistic ones for most situations) on the ASA. The main problem usually is the amount of public IP addresses you have available.
So as long as you have the available public IP addresses then the amount of those IP addresses is the only limit on how many Static NAT you can configure between the Private and Public networks.
- Jouni
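The point made in the two replies above (each inside host needs its own public address, the public addresses appear only in NAT statements, and the size of the public block is the real limit), shown as an added example that is not part of the original thread. It assumes ASA 8.3+ network object NAT syntax, interfaces named `inside` and `outside`, and constructed sample addresses (the public block is a documentation range).

```python
import ipaddress

def plan_static_nat(inside_hosts, public_block, reserved=()):
    """Pair each inside host with its own public address (one-to-one).

    reserved: public addresses that must not be handed out, e.g. the ASA's
    own outside interface IP or the ISP next hop (hypothetical values).
    """
    hosts = [ipaddress.ip_address(h) for h in inside_hosts]
    if len(set(hosts)) != len(hosts):
        raise ValueError("duplicate inside host in list")
    skip = {ipaddress.ip_address(r) for r in reserved}
    pool = [ip for ip in ipaddress.ip_network(public_block).hosts()
            if ip not in skip]
    # The public block is the limiting factor, not the ASA.
    if len(hosts) > len(pool):
        raise ValueError(
            f"{len(hosts)} inside hosts but only {len(pool)} usable public IPs")
    return list(zip(hosts, pool))

def render_asa(mapping, inside_if="inside", outside_if="outside"):
    """Emit one network object with a static NAT rule per host.

    Assumes ASA 8.3+ object NAT; interface names are assumptions.
    """
    lines = []
    for inside, public in mapping:
        lines += [
            f"object network HOST-{inside}",
            f" host {inside}",
            f" nat ({inside_if},{outside_if}) static {public}",
        ]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample data: two inside clients, a /29 routed by the ISP,
    # with the ASA outside interface address excluded from the pool.
    mapping = plan_static_nat(
        ["192.168.1.10", "192.168.1.11"],
        "203.0.113.8/29",
        reserved=["203.0.113.9"],
    )
    print(render_asa(mapping))
```

Because every host keeps a fixed public address, the resulting mapping table can also be used to attribute logged outside addresses back to the inside client.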
01-21-2014 05:06 AM
Sorry about the typo... I meant private to public one-to-one NAT translations. Yes, we want to give internal hosts their own public IP addresses, because these will in turn go to a WAN connection. Hosts will be monitored regarding web usage, hence the need for static translations. Will there be an increase in load on the ASA?
What if I want to do a static NAT from one private to another private subnet?
Thanks.
01-21-2014 05:20 AM
Hi,
Static NAT and NAT are a very essential part of the firewall's operation/role. So no, the translations should not cause any problems for you. I think you would have to have quite a considerable amount of NAT configurations to have an effect on the device performance. Naturally there is some effect, but it's never something that I have had to worry about.
Currently, for example, I am migrating an ASA firewall and creating a new NAT configuration for the firewall by hand, which has around 1250 lines of NAT configurations (nat, global, static).
If you want to NAT a complete Private network to another Private network then that is no problem. It depends on the situation and purpose of the NAT really. If you are doing some kind of NAT towards an L2L VPN then it will have to be a Static Policy NAT so that it only applies for the L2L VPN. A normal Static NAT in this situation would override Dynamic PAT for the users and stop Internet traffic.
- Jouni