Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1074
Views
5
Helpful
3
Replies

Use the same NAT pool on different ASA external interfaces

jpl861
Level 4
Level 4

‎07-30-2018 06:58 AM - edited ‎02-21-2020 08:02 AM

Let's say I have one /24 public address and it's a provider independent one. We aren't using this /24 space but only for NAT translations to clients and not being advertised to internet.

 

However, let's say I have a client (client_a) and they dropped a circuit into our DC. They require 1:1 dynamic NAT translation from us. So our /24 subnet_a must be 1:1 NAT translated when we access client_a network.

 

At the same time, we have a new client (client_b) who also requires the same thing. They will be connected to a different firewall interface/sub-interface but I will use the same /24 NAT pool that I used for client_a but the source is a different subnet, subnet_b, and of course the destination is different, client_b.

 

I just want to know if this will work as we are trying to conserve the public addresses that we are using if the goal is the same thing. They both say that our public IP of us will only live in their private network and will not be leaked out.

 

Thanks!

0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎07-30-2018 07:06 AM

Hi John,

 

Something like this?

 

nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2


- Not configured under and object, rather under global config

 

Obviously you'd need to change the interface nameif to match your enrvironent and create the relevant objects.

 

HTH

jpl861
Level 4
Level 4
In response to Rob Ingram

‎07-30-2018 07:11 AM

@Rob Ingram wrote:

Hi John,

 

Something like this?

 

nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2


- Not configured under and object, rather under global config

 

Obviously you'd need to change the interface nameif to match your enrvironent and create the relevant objects.

 

HTH

Yeah something like that. Or something like this.

 

object network public_pool

 range x.x.x.1 x.x.x.254

 

object network subnet_a

 subnet 192.168.0.0 255.255.255.

 nat (inside,client_a) dynamic public_pool

 

object network subnet_b

 subnet 192.168.1.0 255.255.255.

 nat (inside,client_b) dynamic public_pool


So the same public range that lives on different sub-interfaces of the firewall. That way I can conserve IP addresses.

0 Helpful

jpl861
Level 4
Level 4
In response to jpl861

‎07-30-2018 07:58 AM

I found a lab firewall and tested both dynamic and static NAT and it worked fine. No real traffic tested but at least the ASA did not give an error or warning.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card