Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
0
Helpful
2
Replies

Static NAT entire subnet(s) to one public IP

Dennis Topo Jr
Level 1
Level 1

‎08-07-2015 07:52 AM - edited ‎03-05-2019 02:01 AM

I ran into a situation where one interface on an ASA was linked to another partners router via a public IP in order to service a web portal application. The LAN side interface of the ASA is connected to a private address space, and the entire address space was static natted to the one public interface IP connected to the partner network. This is how it was set up. I assume there was a reason to do it this way, and not PAT the public interface as is most times the case.

 

In other words  192.168.0.0 /16 ---->>>Static NAT--->>2.2.2.2(ASA-public) ----->2.2.2.1(next-hop router) ---->>>routed to----->>>3.3.3.3 (portal app)

 

Is it safe to assume that only one private IP connection at a time would be able to access the portal? Because I attempted connections from 2 machines on the private side, and was able to access to portal login page. Also ran simultaneous continues pings to the portal IP..... and no issues. It was translating both. I had always assumed this would not work, and you would need to PAT for this. ......????

 

Any clarification or sharing of similar experiences is appreciated ..... Dennis

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎08-07-2015 01:00 PM

Dennis

Can you post the actual NAT configuration ?

Jon

0 Helpful

Dennis Topo Jr
Level 1
Level 1
In response to Jon Marshall

‎08-11-2015 07:23 AM

Jon....Here's the NAT config.... pretty simple. Just looking for more of a confirmation on the static natting behavior 

nat (inside,outside) source static TSF-LAN TSF-LAN destination static Apptrix Apptrix description ***VPN NAT Bypass Rule***
nat (inside,outside) source static TSF-LAN TSF-LAN destination static TST-LAN TST-LAN description ***VPN NAT Bypass Rule***
nat (inside,outside) source static SMTP-Server-I SMTP-Server-E description ***Mail Server NAT***
nat (inside,airbus) source static TSF-LAN interface - existing- specific to site LAN IPs
nat (inside,airbus) source static TSF-Remote interface -existing- specific to VPN IP pool
nat (inside,airbus) source static MPLS-10x interface description MPLS 10x NAT to Airbus   - added to NAT rest of network 
nat (inside,airbus) source static MPLS-172.16x interface description MPLS 172.16x NAT to Airbus  - added to NAT rest of network 
nat (inside,airbus) source static MPLS-192.168x interface description MPLS 192.168x NAT to  Airbus - added to NAT rest of network 
nat (inside,outside) source dynamic TSF-LAN interface description ***Data LAN PAT Rule***
nat (guest,outside) source dynamic guest-net guest-pat description ***Guest LAN PAT Rule***

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card