NAT of two private subnets to one public subnet

castlen37
Level 1

I'm using an ASA 5510 with 8.2(1) and want to know if something is possible.

Assume the following scenario:

I have two private subnets: 10.10.1.0/24 and 10.10.2.0/24.

I have one public subnet: 172.168.1.0/24 (not really public, I know, but this is just an example).

I want to NAT both private subnets to the public one, BUT (and here's the catch) I want the last octet of each private address to be retained in the translation. For example: 10.10.1.20 will always be mapped to 172.168.1.20, as will 10.10.2.20.

I know I can do this for translating one private subnet to one public one using a static NAT:

static (inside,outside) 172.168.1.0 10.10.1.0 netmask 255.255.255.0

But I can't have two static NATs pointing to the same public addresses.

If I use dynamic NAT, I can translate both private subnets to the one public subnet but there does not seem to be any way of forcing addresses to be assigned "in order" so that, for example, 10.10.1.20 will always be mapped to 172.168.1.20 as desired.

The only solution that I can see is to create two nat and one global rule for every public address in the subnet, e.g.:

nat (inside) 1 10.10.1.1

nat (inside) 1 10.10.2.1

global (outside) 1 172.168.1.1

.

.  (757 lines skipped)

.

nat (inside) 253 10.10.1.253

nat (inside) 253 10.10.2.253

global (outside) 253 172.168.1.253

This will probably work, but it's very inelegant and may well affect the ASA's performance.

Anyone have any other ideas, or am I asking for the impossible?

Regards,

Nigel
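The per-host nat/global expansion the question describes is tedious to type by hand, so here is an added helper (not part of the original post, and not Cisco tooling) that generates it from the two private subnets and the public subnet, then parses the result back to confirm that every private host maps to the public address with the same last octet. It assumes the poster's 8.2 syntax exactly as shown (one nat line per private host and one global line per public host, sharing the same NAT ID), and that network and broadcast addresses are skipped.

```python
import ipaddress


def build_nat_rules(private_subnets, public_subnet, max_offset=None):
    """Expand the poster's scheme: for each host offset N, emit one
    'nat (inside) N <private host>' per private subnet and one
    'global (outside) N <public host>'.  The NAT ID equals the host
    offset, so for /24 networks it is the last octet.
    All networks must share the prefix length, otherwise the offsets
    would not line up and the 'same last octet' property would break."""
    pub = ipaddress.ip_network(public_subnet, strict=True)
    privs = [ipaddress.ip_network(p, strict=True) for p in private_subnets]
    for p in privs:
        if p.prefixlen != pub.prefixlen:
            raise ValueError(f"{p} and {pub} must have the same prefix length")
    # Host offsets exclude the network address (0) and broadcast (last).
    last = pub.num_addresses - 2 if max_offset is None else max_offset
    lines = []
    for offset in range(1, last + 1):
        for p in privs:
            lines.append(f"nat (inside) {offset} {p.network_address + offset}")
        lines.append(f"global (outside) {offset} {pub.network_address + offset}")
    return lines


def translation_table(lines):
    """Parse generated rules back into {private_ip: public_ip} so the
    mapping can be checked before anything is pushed to the firewall."""
    nat_by_id, global_by_id = {}, {}
    for line in lines:
        parts = line.split()
        if parts[0] == "nat":
            nat_by_id.setdefault(int(parts[2]), []).append(parts[3])
        elif parts[0] == "global":
            global_by_id[int(parts[2])] = parts[3]
    return {priv: global_by_id[i] for i, hosts in nat_by_id.items() for priv in hosts}


def last_octet_preserved(table):
    """True when every private address maps to a public address whose
    last octet is identical, which is the property the question asks for."""
    return all(a.rsplit(".", 1)[1] == b.rsplit(".", 1)[1] for a, b in table.items())


if __name__ == "__main__":
    # Constructed input matching the question: two private /24s, one "public" /24,
    # stopping at .253 as the poster's listing does.
    rules = build_nat_rules(["10.10.1.0/24", "10.10.2.0/24"], "172.168.1.0/24", 253)
    print("\n".join(rules))
```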

1 Reply

Hi,

You cannot use the static NAT as you said because the IPs are statically NATed and it will give you an overlapping error.

This said, you can use dynamic NAT, but to force the same IP to the same address you should do it how you mentioned it.

I know that version 8.3 has a lot of enhancements to NAT, but I'm not sure if there's a way to do this besides the method you gave.

Just out of curiosity... is there any special reason to want to do this?

Federico.
