
NAT configuration assistance on ASA

Is there a way to do NAT for 3-4 different public addresses if the source is from a certain source address range? For example, our district has elementary, middle, high school, and administration users. Is there a way to NAT addresses from each of the different groups to a different external address (with overload) so that we can utilize the service of OpenDNS? If this deployment can be done this way, can someone please assist with this configuration? We have an ASA 5520 running 8.02.

Thanks


Jon Marshall
Hall of Fame

lansingschools_ops wrote:

Is there a way to do NAT for 3-4 different public addresses if the source is from a certain source address range? For example, our district has elementary, middle, high school, and administration users. Is there a way to NAT addresses from each of the different groups to a different external address (with overload) so that we can utilize the service of OpenDNS? If this deployment can be done this way, can someone please assist with this configuration? We have an ASA 5520 running 8.02.

Thanks

Yes

nat (inside) 1 192.168.5.0 255.255.255.0

nat (inside) 1 192.168.6.0 255.255.255.0

nat (inside) 2 192.168.20.0 255.255.255.0

nat (inside) 3 172.16.5.0 255.255.255.0

nat (inside) 4 172.16.10.0 255.255.255.0

global (outside) 1 <ip address_1>

global (outside) 2 <ip address_2>

global (outside) 3 <ip address_3>

global (outside) 4 <ip address_4>

The index numbers match up, so 192.168.20.x users would get NATted to ip address_2, 172.16.5.x users to ip address_3, etc.

Jon

You can also try policy nat. Define the source networks on an ACL and then apply the ACL to the NAT command, for example:

access-l middle_school permit ip 10.10.1.0 255.255.255.0 any

nat (inside) 1 access-l middle_school

global (outside) 1 

access-l high_school permit ip 10.10.2.0 255.255.255.0 any

nat (inside) 2 access-l high_school

global (outside) 2 

And so on...
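
A consistency check for the `nat`/`global` pairing and the policy NAT form discussed in this thread, as an added example that is not part of either reply: it reports NAT IDs with no matching `global`, flags ACLs bound to no or several `nat` rules, and resolves which public address a given inside host would be overloaded to. The sample config, the 203.0.113.x placeholder addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in ASA 8.0 nat/global syntax; 203.0.113.x are placeholder
# public addresses. It contains deliberate mistakes for the audit to find.
SAMPLE = """\
access-list middle_school permit ip 10.10.1.0 255.255.255.0 any
access-list high_school permit ip 10.10.2.0 255.255.255.0 any
nat (inside) 1 access-list middle_school
nat (inside) 2 access-list middle_school
nat (inside) 3 172.16.5.0 255.255.255.0
global (outside) 1 203.0.113.11
global (outside) 2 203.0.113.12
"""

def parse(config):
    """Return (acls, nats, pools) from access-list, nat and global lines."""
    acls, nats, pools = {}, [], {}
    for t in (line.split() for line in config.splitlines()):
        if len(t) >= 6 and t[0].startswith("access-l") and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}"))
        elif len(t) >= 5 and t[0] == "nat" and t[3].startswith("access-l"):
            nats.append((int(t[2]), t[4], None))  # policy NAT: source set by ACL
        elif len(t) >= 5 and t[0] == "nat":
            nats.append((int(t[2]), None, ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif len(t) >= 4 and t[0] == "global":
            pools[int(t[2])] = t[3]
    return acls, nats, pools

def audit(config):
    """List NAT IDs without a global and ACLs bound to zero or several IDs."""
    acls, nats, pools = parse(config)
    findings, bound = [], {}
    for nat_id, acl, _ in nats:
        if nat_id not in pools:
            findings.append(f"nat id {nat_id} has no matching global")
        if acl:
            bound.setdefault(acl, []).append(nat_id)
    for name in sorted(set(acls) | set(bound)):
        ids = bound.get(name, [])
        if name not in acls:
            findings.append(f"acl {name} is referenced but not defined")
        elif len(ids) != 1:
            findings.append(f"acl {name} is bound to nat ids {ids}")
    return findings

def translated_address(config, src):
    """Public address a source IP is overloaded to, or None if untranslated.
    Assumes the source ranges do not overlap, so match order is irrelevant."""
    acls, nats, pools = parse(config)
    ip = ipaddress.ip_address(src)
    for nat_id, acl, net in nats:
        if any(ip in n for n in (acls.get(acl, []) if acl else [net])):
            return pools.get(nat_id)
    return None
```

Running `audit()` on a saved copy of the relevant config lines before pointing a filtering service at the per-group addresses confirms that every group really leaves from its own public IP.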
