NAT'ng to IP's not on the Outside Interface

JohnTylerPearce
Level 7

Hey Guys,

Let's say I have the following setup:

<---LAN---><---ASA---><---ISP--->

On the ISP side I have the following networks:

  150.10.20.0/24
  150.10.30.0/24
  150.10.40.0/24

The ASA is configured as such:

  int e0/0
    ip address 150.10.20.2 255.255.255.0
    nameif outside
    security-level 0
  int e0/1
    ip address 192.168.1.2 255.255.255.0
    nameif inside
    security-level 100

Is it possible to NAT a user from an inside interface IP to 150.10.40.4 on the outside, if that range is not configured on the outside interface?

Also, would it be best to use secondary IP addresses on the outside interface, or should it work without that?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

There is no problem using a secondary or even a third address range on the "outside" of the ASA.

Only one of the address ranges/subnets is configured on the "outside" interface between the ASA and the ISP router.

In a situation where the ISP routes all the additional networks towards the "outside" IP address, there will be no problems.

However, if the additional address ranges/subnets have been configured directly on the ISP router interface towards the ASA as "secondary" address ranges, then there are differences in how different ASA software versions react to this.

If your software is 8.4(2) or below, you will have no problems.

If your software is 8.4(3), you can't use the setup where the ISP has the additional networks on their gateway interface as "secondary" address ranges.

If your software is 8.4(4/5) and you want to use the address ranges / subnet configured on the ISP router as "secondary" address ranges then you will have to configure "arp permit-nonconnected" on the ASA as a global configuration. This will allow the ASA to populate its ARP table with nonconnected networks IP/MAC pairs.

Hope this helps

- Jouni

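As an added example (not configuration from the thread or from either poster), here is how the two cases Jouni describes look on the ASA for the original setup. It assumes ASA 8.4(4) or later, a constructed inside host 192.168.1.10 that must be reachable as 150.10.40.4, an assumed ISP gateway of 150.10.20.1, and a made-up remote client 203.0.113.10 used only in the verification command:

```cisco
! Added example, not from the thread. Assumes ASA 8.4(4)+, inside host
! 192.168.1.10 (constructed), ISP gateway 150.10.20.1 (assumed).
!
! Case 1: the ISP routes 150.10.40.0/24 to the ASA outside IP 150.10.20.2.
!         Only the NAT rule, the ACL and the default route below are needed.
! Case 2: the ISP has 150.10.40.0/24 as a "secondary" address on the router
!         interface facing the ASA (IOS: ip address 150.10.40.1 255.255.255.0
!         secondary). The ISP router then ARPs for 150.10.40.4 directly; the
!         ASA answers via proxy ARP on the static NAT, but on 8.4(4)/8.4(5) it
!         must also be allowed to learn IP/MAC pairs for a non-connected subnet:
arp permit-nonconnected

! Inside host that is translated. The mapped address is not on the outside
! interface's subnet, which is fine; no secondary IP on e0/0 is required.
object network WEB-SERVER-INSIDE
 host 192.168.1.10
 nat (inside,outside) static 150.10.40.4

! A static NAT alone admits no inbound traffic on 8.3+: the outside ACL must
! permit it, and on 8.3+ it is written against the real (untranslated)
! address. Open only the service that is actually needed.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-INSIDE eq 443
access-group OUTSIDE-IN in interface outside

! Default route towards the ISP gateway (assumed address).
route outside 0.0.0.0 0.0.0.0 150.10.20.1

! Verification (run from enable mode):
!   show nat      - confirms the static translation is installed
!   show arp      - with arp permit-nonconnected, entries for the ISP's
!                   secondary range can now appear
!   packet-tracer input outside tcp 203.0.113.10 40000 150.10.40.4 443
!                 - walks an inbound flow through untranslate, ACL and route
```

The two lines that matter for the question are the `nat ... static` rule, which works whether or not 150.10.40.0/24 exists on e0/0, and `arp permit-nonconnected`, which is only needed in the "secondary on the ISP router" case. The ACL is the part to get right from a security standpoint: a mapped address that is reachable from the Internet should be paired with the narrowest rule the service requires, and `packet-tracer` is the quickest way to confirm that only that flow is allowed through.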

2 Replies

Hi,

Yes, it would be possible to use the IP, but only if the IP is routed back to your outside interface IP.


