Hello,
I'm having some trouble configuring an ASA 5510 (8.2(1)) for multiple dynamic PATs. My network looks like this:
      DMZ
       |
WAN---ASA---LAN
       |
      GAN (Guest Network)
The WAN and DMZ use routable IP addresses, while the LAN uses 10.0.0.0/24 and the GAN uses 10.0.1.0/24. Dynamic PAT for the LAN segment works perfectly, using the interface address on the DMZ and WAN for translation. What I want is to have IP address aliases on each of the DMZ and WAN ASA interfaces used for the GAN PAT so that the LAN and GAN are distinguishable after translation. Basically, if our GAN is abused, we want to make sure we can attribute the action to that segment. Interface security levels are: WAN (0), GAN (25), DMZ (50), LAN (100).
In configuring this, I can make the LAN-WAN, LAN-DMZ, and GAN-DMZ translation work with:
nat (LAN) 1 10.0.0.0 255.255.255.0
global (WAN) 1 interface
global (DMZ) 1 interface
nat (GAN) 2 10.0.1.0 255.255.255.0 outside
global (WAN) 2 <WAN-GAN Alias>
global (DMZ) 2 <DMZ-GAN Alias>
but I can't get the GAN-WAN PAT to work. What am I missing?