
NAT Group of IPADDRs

joshwa
Level 1

I am wanting to give a group of IPADDRs their own Public IPADDRs. I have around 75 /26 addresses that are in every site's scope that I will need to set this for. Typically I place the guest traffic on their own /16 subnet and create an object network GUEST_PUB_IPADDR, subnet x.x.x.x /16, nat (inside,outside) dynamic P.P.P.P.

 

I would need to create 75 of these per site. Is there another way to NAT this group? 

 


If I understand correctly you are looking for another way to NAT 75 addresses / subnets per site?

You could group them into an object group and use.

object-group network NAT_Grp

 network-object 10.1.1.0 255.255.255.0

 network-object 10.1.2.0 255.255.255.0

 network-object 10.1.3.0 255.255.255.0

 

 nat (inside,outside) after-auto source dynamic NAT_Grp interface

--
Please remember to select a correct answer and rate helpful posts

I am NATing these IPADDRs to a separate, specific IPADDR just for the Guest traffic. All other traffic has a NAT to get out using a NAT statement to a Public IPADDR P.P.P.20, for the corp user. Guest would go out P.P.P.25.



I have to apply the NAT to only this group. 



I need NAT_Grp to have Public IPADDR of P.P.P.25

object-group network NAT_Grp

 network-object 10.1.1.0 255.255.255.0

 network-object 10.1.2.0 255.255.255.0

 network-object 10.1.3.0 255.255.255.0





What I have currently is:

nat (inside,outside) after-auto source dynamic any pat-pool DEFAULT_PUBLIC



I currently have below but it is not working. I think the above is taking precedence. 

nat (inside,outside) after-auto source dynamic NAT_Grp pat-pool GUEST_WIFI_PUBLIC

Is the NAT statement for NAT_Grp object group below the other NAT statement? If yes then this is why it is not being matched.  You need to move the statement above that statement...as follows:

 

nat (inside,outside) after-auto source dynamic NAT_Grp pat-pool GUEST_WIFI_PUBLIC

nat (inside,outside) after-auto source dynamic any pat-pool DEFAULT_PUBLIC

 

In the second statement you are matching any IP so if the NAT_Grp NAT is below it will never be hit.

--
Please remember to select a correct answer and rate helpful posts
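
The ordering problem discussed in this thread, as an added example that is not part of any poster's reply: a Python sketch that reads `after-auto` manual NAT lines in config order and reports any rule that an earlier rule on the same interface pair already matches. The sample config is constructed from the names used in the thread; resolving only `network-object <ip> <mask>` members is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample (not from a real device); names follow the thread.
SAMPLE_CONFIG = """\
object-group network NAT_Grp
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
nat (inside,outside) after-auto source dynamic any pat-pool DEFAULT_PUBLIC
nat (inside,outside) after-auto source dynamic NAT_Grp pat-pool GUEST_WIFI_PUBLIC
"""

NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) after-auto source dynamic (\S+) (.+)$")
NETOBJ_RE = re.compile(r"^ +network-object (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")

def parse(config):
    """Return ({group: [networks]}, [(real_if, mapped_if, source, translation)])."""
    groups, rules, current = {}, [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level line ends any object-group block
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current and (m := NETOBJ_RE.match(line)):
            groups[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := NAT_RE.match(line):
            rules.append(m.groups())
    return groups, rules

def covers(earlier, later, groups):
    """True if every address matched by `later` is already matched by `earlier`."""
    if earlier == "any":
        return True
    nets = groups.get(later, [])
    return bool(nets) and all(
        any(n.subnet_of(p) for p in groups.get(earlier, [])) for n in nets)

def shadowed_rules(config):
    """List (source, translation, shadowing_source, shadowing_translation)."""
    groups, rules = parse(config)
    findings = []
    for i, (rin, rout, src, xlate) in enumerate(rules):
        for pin, pout, psrc, pxlate in rules[:i]:
            if (pin, pout) == (rin, rout) and covers(psrc, src, groups):
                findings.append((src, xlate, psrc, pxlate))
                break
    return findings
```

Run against the sample, `shadowed_rules(SAMPLE_CONFIG)` reports the `NAT_Grp` rule as shadowed by the `any` rule; with the two `nat` lines swapped it reports nothing.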

How can I move the NAT statement without affecting current production? 

 

I am assuming I will need to remove the any NAT statement?

venkat_n7
Level 1

Are you talking about each individual remote site that should be configured with NAT from private to public IP?

Please rate comments and support
with regards,
Venkat

Each site will be using 1 Public IPADDR allocated for Guest that will be seen on the internet. I would like to move the Guest traffic to its own because in the past I had a Guest user get the Public IPADDR Blacklisted. It was tied to the production network Public IPADDR and I had to move many services off to another IPADDR to get things working.

If that was the case and you are routing the guest network directly to the connected ISP, you should be doing those NAT statements for each site. I think this is a manual process to do for each site. I know doing this for 75 sites will take time but I think there is no other option.

I recommend using scripting to do this, as all remote sites' firewalls are reachable to you. This is a simple job but takes time to do.

Note: above process depends on the way you route the traffic from remote sites. 

Please rate comments and support
with regards,
Venkat

If you are using the same public IP for all the guest networks then you just need to create one guest object-group and place all the relevant subnets into that group.  Then configure NAT for that object group.  A little work that needs to be done, but once it is in place any new guest network would just need to be added to that object group and they are good to go..NAT wise.

--
Please remember to select a correct answer and rate helpful posts

How would that look code-wise? Are the above configurations that I had previously correct?

The code I posted earlier will do the trick if you are using the same public IP for all guest networks.

--
Please remember to select a correct answer and rate helpful posts