Use the same NAT pool on different ASA external interfaces

jpl861 (Level 4)

Let's say I have one /24 public address block, and it's a provider-independent one. We aren't using this /24 space for anything but NAT translations to clients, and it isn't being advertised to the internet.

However, let's say I have a client (client_a) and they dropped a circuit into our DC. They require 1:1 dynamic NAT translation from us. So our /24 subnet_a must be 1:1 NAT translated when we access client_a's network.

At the same time, we have a new client (client_b) who requires the same thing. They will be connected to a different firewall interface/sub-interface, but I will use the same /24 NAT pool that I used for client_a; the source is a different subnet, subnet_b, and of course the destination is different, client_b.

I just want to know if this will work, as we are trying to conserve the public addresses we use when the goal is the same. They both say that our public IPs will only live in their private network and will not be leaked out.


Thanks!

3 Replies

Hi John,

 

Something like this?

! Twice (manual) NAT in global config: one pool toward one interface,
! the two rules told apart by their destination
nat (INSIDE,OUTSIDE) source dynamic LAN_1 NAT_POOL destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 NAT_POOL destination static PARTNER2 PARTNER2

- Not configured under an object, rather in global config

Obviously you'd need to change the interface nameif to match your environment and create the relevant objects.


HTH


@Rob Ingram wrote: (the reply above, quoted in full)


Yeah something like that. Or something like this.

! Object NAT: the same pool used toward two different client interfaces
object network public_pool
 range x.x.x.1 x.x.x.254

object network subnet_a
 subnet 192.168.0.0 255.255.255.0
 nat (inside,client_a) dynamic public_pool

object network subnet_b
 subnet 192.168.1.0 255.255.255.0
 nat (inside,client_b) dynamic public_pool

So the same public range lives on different sub-interfaces of the firewall. That way I can conserve IP addresses.

I found a lab firewall and tested both dynamic and static NAT, and it worked fine. No real traffic was tested, but at least the ASA did not give an error or warning.
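The thread ends with a lab test rather than a config review, so here is the check I would run before pushing a shared pool to a production ASA. This is an added example, not code from the thread or from Cisco: a small Python audit that reads object NAT and twice NAT lines, resolves the mapped objects to address spans, and reports every pair of rules whose mapped addresses overlap, split into the thread's own case (same pool, different mapped interfaces), Rob's case (same mapped interface, distinct destinations) and anything left over that deserves a look. It encodes the thread's conclusion as a working assumption rather than documenting ASA internals. The sample config, object names, interface names and the 203.0.113.0/24 pool are constructed; the `srv_a` static inside the pool is there deliberately to show what the "review" bucket catches.

```python
"""Audit reuse of an ASA mapped NAT pool across interfaces (added example, not
from the thread). Encodes the thread's working assumption: the same mapped
pool on different mapped interfaces is the reuse the lab ASA accepted, while
overlapping mapped addresses on ONE mapped interface need review unless each
rule carries a distinct destination (twice NAT). All names/addresses here are
constructed."""
import ipaddress
import re
from itertools import combinations

OBJECT_RE = re.compile(r"^object network (\S+)$")
RANGE_RE = re.compile(r"^\s+range (\S+) (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
OBJ_NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (?:dynamic|static) (\S+)")
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source (?:dynamic|static) (\S+) (\S+)"
    r"(?: destination static (\S+) \S+)?"
)

# Constructed config (documentation addresses): the thread's object NAT on two
# client interfaces, a host static inside the pool on client_a, and Rob's
# twice NAT on one OUTSIDE interface distinguished by destination.
SAMPLE_CONFIG = """\
object network public_pool
 range 203.0.113.1 203.0.113.254
object network subnet_a
 subnet 192.168.0.0 255.255.255.0
 nat (inside,client_a) dynamic public_pool
object network subnet_b
 subnet 192.168.1.0 255.255.255.0
 nat (inside,client_b) dynamic public_pool
object network srv_a
 host 192.168.0.10
 nat (inside,client_a) static 203.0.113.10
object network PARTNER1
 subnet 172.16.1.0 255.255.255.0
object network PARTNER2
 subnet 172.16.2.0 255.255.255.0
nat (INSIDE,OUTSIDE) source dynamic LAN_1 public_pool destination static PARTNER1 PARTNER1
nat (INSIDE,OUTSIDE) source dynamic LAN_2 public_pool destination static PARTNER2 PARTNER2
"""

def parse_config(text):
    """Return ({object: (lo, hi)}, [rules]); a rule is (real, mapped_if, mapped, dest)."""
    objects, rules, current = {}, [], None
    for line in text.splitlines():
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif m := RANGE_RE.match(line):
            objects[current] = tuple(int(ipaddress.ip_address(x)) for x in m.groups())
        elif m := SUBNET_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            objects[current] = (int(net.network_address), int(net.broadcast_address))
        elif m := HOST_RE.match(line):
            objects[current] = (int(ipaddress.ip_address(m.group(1))),) * 2
        elif m := OBJ_NAT_RE.match(line):      # object NAT: real side is the enclosing object
            rules.append((current, m.group(2), m.group(3), None))
        elif m := TWICE_NAT_RE.match(line):    # twice NAT: global line, optional destination
            current = None
            rules.append((m.group(3), m.group(2), m.group(4), m.group(5)))
    return objects, rules

def span(objects, name):
    """Address span for an object name or a literal IP; None if unresolvable (e.g. 'interface')."""
    if name in objects:
        return objects[name]
    try:
        return (int(ipaddress.ip_address(name)),) * 2
    except ValueError:
        return None

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def audit(text):
    """Classify every pair of rules whose mapped addresses overlap."""
    objects, rules = parse_config(text)
    result = {"cross_interface": [], "destination_distinct": [], "review": []}
    for (real_a, if_a, map_a, dst_a), (real_b, if_b, map_b, dst_b) in combinations(rules, 2):
        sa, sb = span(objects, map_a), span(objects, map_b)
        if sa is None or sb is None or not overlaps(sa, sb):
            continue
        da = span(objects, dst_a) if dst_a else None
        db = span(objects, dst_b) if dst_b else None
        pair = (real_a, real_b, if_a, if_b)
        if if_a != if_b:
            result["cross_interface"].append(pair)       # the thread's design
        elif da and db and not overlaps(da, db):
            result["destination_distinct"].append(pair)  # Rob's twice NAT variant
        else:
            result["review"].append(pair)                # same egress, same addresses
    return result

if __name__ == "__main__":
    for verdict, pairs in audit(SAMPLE_CONFIG).items():
        for real_a, real_b, if_a, if_b in pairs:
            print(f"{verdict}: {real_a} via {if_a} vs {real_b} via {if_b}")
```

Run it against a `show running-config` capture instead of `SAMPLE_CONFIG` to see where a pool is really used. One caveat the audit makes visible: once the same mapped addresses go toward both clients, the mapped address alone no longer identifies which internal subnet was talking; only the interface pair does, so `show xlate` and any logging you hand to an incident responder need to carry the interface, not just the translated IP.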
