07-30-2018 06:58 AM - edited 02-21-2020 08:02 AM
Let's say I have one /24 public address and it's a provider independent one. We aren't using this /24 space but only for NAT translations to clients and not being advertised to internet.
However, let's say I have a client (client_a) and they dropped a circuit into our DC. They require 1:1 dynamic NAT translation from us. So our /24 subnet_a must be 1:1 NAT translated when we access client_a network.
At the same time, we have a new client (client_b) who also requires the same thing. They will be connected to a different firewall interface/sub-interface but I will use the same /24 NAT pool that I used for client_a but the source is a different subnet, subnet_b, and of course the destination is different, client_b.
I just want to know if this will work, as we are trying to conserve the public addresses we are using, given that the goal is the same thing. They both say that our public IPs will only live in their private network and will not be leaked out.
Thanks!
07-30-2018 07:06 AM
Hi John,
Something like this?
nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2
- Not configured under an object, rather under global config
Obviously you'd need to change the interface nameif to match your environment and create the relevant objects.
HTH
07-30-2018 07:11 AM
@Rob Ingram wrote:
Hi John,
Something like this?
nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2
- Not configured under an object, rather under global config
Obviously you'd need to change the interface nameif to match your environment and create the relevant objects.
HTH
Yeah something like that. Or something like this.
object network public_pool
range x.x.x.1 x.x.x.254
object network subnet_a
subnet 192.168.0.0 255.255.255.0
nat (inside,client_a) dynamic public_pool
object network subnet_b
subnet 192.168.1.0 255.255.255.0
nat (inside,client_b) dynamic public_pool
So the same public range that lives on different sub-interfaces of the firewall. That way I can conserve IP addresses.
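To check how a shared pool behaves under the two manual NAT rules Rob posted and the per-interface object NAT above, here is a small Python model of ASA first-match manual NAT with xlates kept per interface pair. It is an added example, not ASA code or the thread's own config; it assumes the client_a/client_b interfaces, partner subnets 10.1.0.0/16 and 10.2.0.0/16, and 203.0.113.0/24 as the pool, all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatRule:
    """Models: nat (ingress,egress) source dynamic SRC POOL destination static DST DST."""
    ingress: str
    egress: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    pool: list  # shared NAT_POOL addresses

@dataclass
class NatTable:
    rules: list
    # xlates are keyed by (ingress, egress) pair, so the same pool address can be
    # in use on the client_a and client_b links at the same time without clashing
    xlates: dict = field(default_factory=dict)

    def translate(self, ingress, src_ip, dst_ip):
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for r in self.rules:  # manual NAT: first matching rule wins, top down
            if r.ingress == ingress and src in r.src and dst in r.dst:
                used = self.xlates.setdefault((r.ingress, r.egress), {})
                if src not in used:
                    free = [a for a in r.pool if a not in used.values()]
                    if not free:
                        return None  # pool exhausted on this interface pair
                    used[src] = free[0]
                return r.egress, str(used[src])
        return None  # no rule matched: the pool is never used toward this destination

POOL = list(ipaddress.IPv4Network("203.0.113.0/24").hosts())  # constructed pool
NET = ipaddress.IPv4Network
TABLE = NatTable([
    NatRule("inside", "client_a", NET("192.168.0.0/24"), NET("10.1.0.0/16"), POOL),
    NatRule("inside", "client_b", NET("192.168.1.0/24"), NET("10.2.0.0/16"), POOL),
])

def demo():
    """Return (to client_a, to client_b, subnet_a toward client_b, subnet_a toward internet)."""
    a = TABLE.translate("inside", "192.168.0.10", "10.1.5.5")
    b = TABLE.translate("inside", "192.168.1.10", "10.2.7.7")
    cross = TABLE.translate("inside", "192.168.0.10", "10.2.7.7")   # no rule for this pair
    inet = TABLE.translate("inside", "192.168.0.10", "198.51.100.1")  # pool not used to internet
    return a, b, cross, inet
```

The same pool address is handed out on both partner interfaces, while subnet_a toward client_b or toward the internet matches no rule, which is the "not leaked out" property the clients asked for.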
07-30-2018 07:58 AM
I found a lab firewall and tested both dynamic and static NAT and it worked fine. No real traffic tested but at least the ASA did not give an error or warning.