Solved: NAT multiple public IPs from the same ISP to specific interface or subnet

Davenger · ‎10-25-2018

Hello,

I currently have multiple interfaces on my ASA that are tied to different VLANs with specific access controls between them. These VLANs all NAT through a single outside adapter (20.20.20.1). This address came in a block of 5 from the ISP 20.20.20.1-20.20.20.5.

I am looking to take 2 of the VLANs and perform two additional, one to many translations so that access from these VLANs will go out under a different public address.

Let's say:

VLAN1-5 - 20.20.20.1

VLAN6 - 20.20.20.2

VLAN7 - 20.20.20.3

The reason behind this is we have the 20.20.20.1 address added to some public whitelists that we don't want the other two VLANs to access.

I attempted to create another Outside interface with one of the spare IPs but was unable due to the original Outside interface existing in the same subnet.

I'm really new to more advanced NATing so any help is much appreciated.

Extra info:

I'm running an ASA 5515 with version 9.6(4)

Rob Ingram · ‎10-25-2018

Hi,
How about something like this:-

object network VLAN5
Subnet 10.1.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.1

object network VLAN6
Subnet 10.2.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.2

object network VLAN7
Subnet 10.3.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.3

HTH

View solution in original post

Rob Ingram · ‎10-25-2018

Hi,
How about something like this:-

object network VLAN5
Subnet 10.1.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.1

object network VLAN6
Subnet 10.2.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.2

object network VLAN7
Subnet 10.3.1.0 255.255.255.0
Nat (inside,outside) dynamic 20.20.20.3

HTH

Davenger · ‎10-25-2018

Thanks so much! I knew I was overthinking this. That worked like a charm!