NAT inside to outside, IP not in same subnet as outside IP

NathFoley11
Level 1

I already posted this but can't seem to find the post now, so I'm re-posting.

 

We have 10 IPs being NATed, all working OK. I need a server's outbound source address to be translated to an IP that is not in the same subnet as the outside IP:

 

Outside IP = 193.xxx.xxx.99/23

Translated IP = 195.xxx.xxx.64/24

 

I have created the NAT rule to translate the traffic source address from 192.168.2.55 to 195.xxx.xxx.64. Packet tracer shows it getting through, but this is not working in practice. The host that I have set the NAT rule up for can no longer access the WAN.

Is this possible on an ASA?  

 


3 Replies

Pranay Prasoon
Level 3

This should work fine, provided the other Network is advertised by ISP and traffic comes back to ASA.

 

There were a few restrictions on some ASA software (8.4.3) though; the rest of the versions work fine with "arp permit-nonconnected", starting from 8.4.5.

 

On 8.2 you don't need this command, it simply works fine.

 

Thanks.
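For reference, here is what the configuration the reply above describes looks like on an ASA running 8.4(5) or later. This is an added example, not config posted by anyone in the thread; the addresses are the placeholders from the question, and the interface names (inside/outside), the object names and the direction of the NAT rule are assumptions.

```text
! Added example (not from the thread): static NAT for 192.168.2.55 to a mapped
! address that is NOT inside the outside interface's own subnet.
! Assumed: interface names "inside"/"outside" and the object names below.
object network SRV-INSIDE
 host 192.168.2.55
!
! Static one-to-one translation, inside -> outside.
! 195.xxx.xxx.64 is off the outside subnet (193.xxx.xxx.0/23).
object network SRV-INSIDE
 nat (inside,outside) static 195.xxx.xxx.64
!
! From 8.4(5) the ASA will not answer ARP for mapped addresses that are not on
! a directly connected subnet unless this is enabled. It is needed when the
! upstream router treats 195.xxx.xxx.0/24 as on-link (e.g. as a secondary
! address on the same segment) and therefore ARPs for 195.xxx.xxx.64.
arp permit-nonconnected
!
! Caveat (as the reply notes): this only works if return traffic actually
! reaches the ASA. If instead the ISP routes 195.xxx.xxx.0/24 to the ASA's
! outside address (193.xxx.xxx.99), the router never ARPs for the mapped IP,
! the ARP setting is irrelevant, and the ISP-side route is what must exist.
```

When enabling arp permit-nonconnected, keep in mind that it applies to every interface, so the ASA will start answering ARP for any NAT-mapped address that is off-subnet, not just this one; review existing static and dynamic NAT mappings before turning it on.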

 

 

 

 

Excellent, I was missing the arp permit-nonconnected.

 

Thanks for your help. If anyone comes across this thread, there is a good explanation of the command arp permit-nonconnected here:

https://supportforums.cisco.com/discussion/11848306/arp-permit-nonconnected

Hozaifa Samad
Level 1

It should work. I'd run a capture on the outside and see whether the packet is leaving the ASA and whether it's coming back or not. If it is, then it's the ASA config within the NAT, and you need to look at the proxy-arp parameter. If the packet doesn't come back, then it's maybe the router outside the ASA. You might need to take care of a manual ARP entry (ASA outside MAC and the new translated IP) and the routing to the new subnet back to the ASA outside IP.
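The troubleshooting sequence in the reply above, written out as ASA CLI commands. This is an added example and not something posted in the thread; the interface names, capture names and the test destination 8.8.8.8 are assumptions, and the addresses are the placeholders from the question.

```text
! Added example (not from the thread): checks for the steps described above.
! Assumed: interfaces "inside"/"outside", capture names OUT/ARPCAP, and
! 8.8.8.8:443 as an arbitrary Internet destination for the test.
!
! 1. Confirm the ASA applies the expected translation in the inside->outside
!    direction and that no ACL or route drops it.
packet-tracer input inside tcp 192.168.2.55 12345 8.8.8.8 443 detailed
show xlate | include 192.168.2.55
!
! 2. Capture on the outside: does the translated packet leave, and does a reply
!    addressed to the mapped IP come back? Only the outbound half showing up
!    means the problem is upstream (routing or ARP at the ISP router).
capture OUT interface outside match ip host 195.xxx.xxx.64 any
show capture OUT
!
! 3. If nothing comes back, check whether the upstream router is ARPing for the
!    mapped address and whether the ASA answers. Requests with no reply from
!    the ASA point at arp permit-nonconnected being disabled (8.4(5)+) or at
!    proxy-arp being turned off on the NAT rule.
capture ARPCAP interface outside ethernet-type arp
show capture ARPCAP
show running-config arp
show running-config nat | include 192.168.2.55
show arp | include 195.xxx.xxx.64
!
! 4. Remove the captures when finished; they consume memory and CPU.
no capture OUT
no capture ARPCAP
```

If the ARP capture shows no requests for the mapped IP at all, the upstream router is not treating 195.xxx.xxx.0/24 as on-link, and the fix is on the router side: either a static route for the new subnet pointing at the ASA outside IP, or a static ARP entry mapping 195.xxx.xxx.64 to the ASA's outside MAC, as the reply suggests.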
