Pretty sure this won't work, but... ASA 5540 static NAT public IP to private remote MPLS host

We have two ISP entry points (two separate networks, no BGP for the WAN IP's) on our network connected by an MPLS cloud.

(Teh Internets) <--> [Edge Router A] <--> [ASA 5510 A] <--> [Layer 3 Core Switch w/hosts A] <--> [MPLS Router A]  <--> [MPLS Router B] <--> [Layer 3 Core Switch with hosts B] <--> [ASA 5540 B] <--> [Edge Router B] <--> (Teh Internets again!)

Essentially, my question is:

Can we create a static Public to Private NAT Translation from a public address on [ASA 5540 B] to a host on [Layer 3 Core Switch with hosts A]?

Let's say the outside IP is, the inside interface is and the MPLS host is

The desired translation is: 

static (inside,outside) netmask dns

We can ping the host in question from the inside interface of [ASA 5540 B].

Currently, I'd imagine this not working because ultimately one of the routers would see a request from and continue routing it back to segment A, and it would never get back to segment B.  There's a couple of ways around this, and all involve using a private IP on host B for the translation, but I don't want to create a bunch of NAT statements across our MPLS network.

Again, I don't think this can work, but I'm hoping against hope that there's a way.



Jennifer Halim
Cisco Employee

The answer to your question is yes, you can NAT host A on ASA 5540 B.

However, how are you routing the traffic from host A? What is the default gateway for host A? If the default gateway for host A is MPLS Router A, and it routes towards MPLS Router B and so on towards Internet B, then yes, it would all work.

However, if the default gateway of host A is ASA 5510 A, then you might need to change the default gateway to MPLS Router A, and if MPLS Router A's default route is somewhere other than MPLS Router B, then you might want to do some PBR for host A so it is routed towards ASA 5540 B.
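As an added illustration of what the reply describes (not configuration from the original post or from Cisco), the pieces on ASA 5540 B and MPLS Router A would look roughly like this. All addresses are constructed placeholders: 203.0.113.10 is the public IP on ASA B, 10.1.1.10 is host A, 10.2.0.1 is core switch B's interface facing ASA B's inside, 10.255.0.2 is MPLS Router B's address as seen from MPLS Router A, and the interface names are assumed. The reason the return path matters is that ASA B tracks the connection state for the inbound session; if host A's replies leave through ASA 5510 A instead, ASA A has no matching state and drops them, so the service looks half-open from the Internet.

```text
! ===== ASA 5540 B (pre-8.3 NAT syntax, as in the question) =====
! Public 203.0.113.10 maps to host A (10.1.1.10) reached across the MPLS cloud
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
!
! ASA B must know how to reach host A: via core switch B, which routes into the MPLS
route inside 10.1.1.10 255.255.255.255 10.2.0.1 1
!
! Pre-8.3 ACLs reference the mapped (public) address; permit only the service needed
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! ===== MPLS Router A (IOS, PBR so host A's Internet-bound replies go via MPLS Router B) =====
! Match only traffic from host A that is NOT destined for internal space (assumed 10.0.0.0/8),
! so intra-company traffic keeps following the normal routing table
ip access-list extended HOSTA-INTERNET-BOUND
 deny   ip host 10.1.1.10 10.0.0.0 0.255.255.255
 permit ip host 10.1.1.10 any
!
route-map HOSTA-VIA-SITE-B permit 10
 match ip address HOSTA-INTERNET-BOUND
 set ip next-hop 10.255.0.2
!
! Apply on the interface where host A's traffic enters MPLS Router A (from core switch A)
interface GigabitEthernet0/0
 ip policy route-map HOSTA-VIA-SITE-B
```

This only matters if host A's default path (core switch A and, if applicable, MPLS Router A's default route) would otherwise send replies towards ASA 5510 A; `show route` on ASA B and `show ip policy` / `show route-map` on MPLS Router A are the quick checks that the two halves of the path agree.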

