Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
309
Views
0
Helpful
4
Replies

nating a public ip to a public ip

cstpierre4
Level 1
Level 1

‎09-16-2015 06:40 AM - edited ‎03-11-2019 11:36 PM

Hello,

 

we have a firewall with a few interfaces. there is a basic nat setup from inside to outside for internet. We are going to be routing a public block through this firewall for internet. The reason is there is a content filter appliance inline for filtering. So instead of re-iping the existing network.. we are going to just route it through the firewall and filter.

My question is it ok to treat the internal public IP as a private net and nat it to the outside interface of the firewall like we do with the rest of the networks? or should I try to do a no nat?

 

Thanks.

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎09-16-2015 10:53 AM

It's really up to you and whatever works best in your setup.

There is nothing special about a public IP ie. there is no reason why you cannot NAT a public IP to another public IP.

A lot depends on the routing in place ie. if you didn't NAT then would the return traffic to those public IPs be routed to the outside interface of your firewall.

It's not really clear exactly how all this fits together from your initial description.

Perhaps you could provide some more details ?

Jon

0 Helpful

cstpierre4
Level 1
Level 1
In response to Jon Marshall

‎09-16-2015 11:09 AM

Cool. got it.. I was looking at it from an ASA perspective to make sure i can nat public to another public.

 

But basically we have network that has raw internet...and instead of re-iping everything on it. We decided to just give it a default route to this firewall which has a content filter appliance inline of it.. for web filtering as security is concerned about no content filtering..

 

Thanks!

0 Helpful

cstpierre4
Level 1
Level 1
In response to cstpierre4

‎09-16-2015 11:10 AM

what would be a no nat statement on an ASA for a specific subnet to not be nated to the outside interface?

 

Cisco Adaptive Security Appliance Software Version 8.4(2)8
Device Manager Version 6.4(5)

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to cstpierre4

‎09-17-2015 04:00 AM

Hi,

On ASA 8.2 and below:-

Access-list nonat permit 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

nat (inside) 1 access-list nonat

So , in ASA 8.3 + , you have to use Manual NAT statements for the same.

Create Objects.

object network Source_Network

subnet 10.1.1.0 255.255.255.0

object network Destination_Network

subnet 10.2.1.0 255.255.255.0

nat (inside,outside) source static Source_Network Source_Network destination static Destination_Network Destination_Network no-proxy-arp route-lookup

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card