08-14-2007 07:54 PM - edited 03-09-2019 06:35 PM
I inherited a network with the following:
ATM(Internet and DSL subints)<-->7206<-->Firewall<--> internal network
The DSL subinterfaces are injected into the ATM circuit; they use 192.168.x.0 and 192.168.y.0 subnets. They are used by company employees for home network and internet connectivity. The internal network is configured for several other 192.168.Z.0 subnets. Each DSL subinterface is configured for NAT inside, as is the inside interface on the 7206 from the Firewall. The outside interface on the 7206 handles the outside NAT.
Goal: we want to replace the firewall with an ASA, and move the NAT there from the 7206. However, this presents several challenges. First, we cannot remove the DSL subinterface connections yet (to be replaced with VPN connections). So, we have private addresses on the DSL connections on the outside of the firewall that need NAT for internet access. We feel confident we can handle security and routing issues, but NAT is challenging.
Our plan is to handle NAT with two different policies, one for the internal network users, the other for the DSL users. One NAT policy would translate internal network users to one public IP address on the external interface of the ASA, the other NAT policy would translate the DSL users to the existing NAT address on the external interface of the 7206. Our concern is having the traffic that is NAT'd from the ASA traversing the 7206, where another NAT OUTSIDE configuration resides.
If we carefully specify what address ranges are being NAT'd by each policy, will this work? If not, can anyone suggest an alternative? Thanks in advance. PD
08-21-2007 06:05 AM
For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then you must configure a separate nat command without the outside option. In this case, you can identify the same addresses in both statements and use the same NAT ID.
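An added example, not part of either post: a small Python model of the two translation points in the question, used to check whether a given pair of NAT match ranges produces double translation or lets a private source leave untranslated. The concrete subnets and public addresses are constructed stand-ins for 192.168.x.0, 192.168.y.0 and 192.168.Z.0, and it assumes DSL traffic reaches the Internet through the 7206 only while internal traffic passes the ASA first.

```python
import ipaddress as ip

# Constructed stand-ins: the thread only gives 192.168.x.0 / .y.0 / .Z.0.
DSL_NETS = [ip.ip_network("192.168.10.0/24"), ip.ip_network("192.168.20.0/24")]
INTERNAL_NETS = [ip.ip_network("192.168.30.0/24"), ip.ip_network("192.168.40.0/24")]
ASA_PAT = ip.ip_address("203.0.113.10")    # constructed ASA outside address
ROUTER_PAT = ip.ip_address("203.0.113.1")  # constructed 7206 outside address
PRIVATE = ip.ip_network("192.168.0.0/16")
ANY_SOURCE = [ip.ip_network("0.0.0.0/0")]  # a router NAT match that is too broad
LEGACY_WIDE = [PRIVATE]                    # router still matching all of 192.168/16


def translate(src, match_nets, mapped):
    """One NAT hop: rewrite src only if it falls in a range the policy matches."""
    src = ip.ip_address(src)
    return mapped if any(src in n for n in match_nets) else src


def path(src, asa_match, router_match, via_asa):
    """Return (address after ASA, address after 7206, number of translations)."""
    orig = ip.ip_address(src)
    after_asa = translate(orig, asa_match, ASA_PAT) if via_asa else orig
    after_rtr = translate(after_asa, router_match, ROUTER_PAT)
    hops = int(after_asa != orig) + int(after_rtr != after_asa)
    return after_asa, after_rtr, hops


def audit(asa_match, router_match):
    """List problems: double NAT, or a private source leaving untranslated."""
    problems = []
    flows = [(n, True) for n in INTERNAL_NETS] + [(n, False) for n in DSL_NETS]
    for net, via_asa in flows:
        host = net[1]  # first usable address as a representative source
        _, final, hops = path(host, asa_match, router_match, via_asa)
        if hops > 1:
            problems.append(f"{net}: translated {hops} times")
        if final in PRIVATE:
            problems.append(f"{net}: leaves as private {final}")
    return problems


if __name__ == "__main__":
    print("scoped :", audit(INTERNAL_NETS, DSL_NETS))
    print("any    :", audit(INTERNAL_NETS, ANY_SOURCE))
    print("no DSL :", audit(INTERNAL_NETS, []))
```

In this model the router's NAT only re-translates ASA traffic when its match range covers the ASA's public address, so a leftover 192.168.0.0/16 match is harmless but a match on any source is not.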