NAT 1 public IP to multiple private IPs

Chin
Level 1

Hi Guys,

Just wondering whether my configuration to NAT 1 public IP to multiple private IPs is working or not.

Currently I am using ASA version 8.2. Here is my configuration.

Public IP: 10.10.10.28

Private IPs:

172.16.101.115

172.16.101.116

172.16.101.117

172.16.101.118

172.16.101.119

172.16.101.120

NAT configuration in ASA:

access-list Web_nat permit ip host 172.16.101.115 any

access-list Web_nat permit ip host 172.16.101.116 any

access-list Web_nat permit ip host 172.16.101.117 any

access-list Web_nat permit ip host 172.16.101.118 any

access-list Web_nat permit ip host 172.16.101.119 any

access-list Web_nat permit ip host 172.16.101.120 any

static (fw-internal,firewall-public) 10.10.10.28 access-list Web_nat

Please correct me if my configuration is wrong.

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Tommy,

When we use static statements, it is to make the NAT bidirectional, a dedicated one-to-one translation.

In this case, as you are mapping multiple hosts to just one single IP address, I would recommend Policy-NAT instead:

nat (fw-internal) 10 access-list Web_nat

global (firewall-public) 10 10.10.10.28

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Thanks for your reply. If I am using the Policy-NAT, how do I control the inbound and outbound for it?

Hello Tommy,

What do you mean by inbound?

In order for a NAT statement to be bidirectional, you must use a static NAT or a NAT-0 rule.

The thing with the static NAT you have configured is that when the ASA receives a packet with the public IP address, how is it going to know which internal host to send it to, if it has more than one?

Do you see the problem here? The ASA will not perform any kind of round-robin here, so if you want to perform a static NAT to control outbound/inbound traffic, use a dedicated IP address for each host.

Regards,

Julio Carvajal
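
The ambiguity described in the reply above, as an added example that is not part of the original thread: a small Python check that flags an ASA 8.2 `static ... access-list` statement whose ACL matches more than one real host. The function name and the restriction to `permit ip host X any` entries are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA 8.2 lines from the question, trimmed to three hosts.
SAMPLE_CONFIG = """\
access-list Web_nat permit ip host 172.16.101.115 any
access-list Web_nat permit ip host 172.16.101.116 any
access-list Web_nat permit ip host 172.16.101.117 any
static (fw-internal,firewall-public) 10.10.10.28 access-list Web_nat
"""

# Assumption: only "permit ip host <addr> any" entries are parsed, as in the thread.
ACL_HOST = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+any\s*$")
STATIC_POLICY = re.compile(
    r"^static\s+\((\S+?),(\S+?)\)\s+(\S+)\s+access-list\s+(\S+)\s*$")


def find_ambiguous_static_nat(config_text):
    """Return one finding per static policy NAT whose ACL matches several real hosts.

    A static translation is one-to-one, so inbound traffic to the mapped address
    has no single real host to be sent to when the ACL lists more than one.
    """
    acl_hosts = defaultdict(list)
    statics = []
    for raw in config_text.splitlines():
        line = raw.strip()
        acl = ACL_HOST.match(line)
        if acl:
            acl_hosts[acl.group(1)].append(acl.group(2))
            continue
        static = STATIC_POLICY.match(line)
        if static:
            statics.append(static.groups())

    findings = []
    for real_if, mapped_if, mapped_ip, acl_name in statics:
        hosts = list(dict.fromkeys(acl_hosts.get(acl_name, [])))  # de-duplicate, keep order
        if len(hosts) > 1:
            findings.append({"mapped_ip": mapped_ip, "acl": acl_name,
                             "real_if": real_if, "mapped_if": mapped_if,
                             "real_hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_ambiguous_static_nat(SAMPLE_CONFIG):
        print(f"{f['mapped_ip']} <- {len(f['real_hosts'])} hosts via ACL {f['acl']}: "
              "inbound destination is ambiguous")
```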

Hi Jcarvaja,

Now I got it. I found that the ASA cannot find the specified internal host if I use the static NAT. Thanks for your help, I appreciate it.

Hello Tommy,

It's always a pleasure to help.

I hope you have a great night.

Any other question, just let me know.

Julio Carvajal

Hi Jcarvaja,

I have another question about the dynamic NAT inbound ruleset.

Since I have configured the dynamic NAT as above, how do I specify the inbound ruleset for this dynamic NAT?

i.e. allow the internet cloud to connect to 10.10.10.28 with tcp/443:

access-list firewall-outbound permit tcp any host 10.10.10.28 eq 443
