Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
396
Views
0
Helpful
0
Comments

Multiple PATs

krellinstitute
Level 1
Level 1

‎11-16-2009 06:39 AM - edited ‎03-08-2019 06:31 PM

Hello,

I'm having some trouble configuring an ASA 5510 (8.2(1)) for multiple dynamic PATs.  My network looks like this:

            DMZ

               |

WAN---ASA---LAN

               |

            GAN (Guest Network)

The WAN and DMZ use routable IP addresses, while the LAN uses 10.0.0.0/24 and the GAN uses 10.0.1.0/24.  Dynamic PAT for the LAN segment works perfectly, using the interface address on the DMZ and WAN for translation.  What I want is to have IP address aliases on each of the DMZ and WAN ASA interfaces used for the GAN PAT so that the LAN and GAN are distinguishable after translation.  Basically, if our GAN is abused, we want to make sure we can attribute the action to that segment.  Interface security levels are: WAN (0), GAN (25), DMZ (50), LAN (100).

In configuring this, I can make the LAN-WAN, LAN-DMZ, and GAN-DMZ translation work with:

nat (LAN) 1 10.0.0.0 255.255.255.0
global (WAN) 1 interface
global (DMZ) 1 interface
nat (GAN) 2 10.0.1.0 255.255.255.0 outside
global (WAN) 2 <WAN-GAN Alias>
global (DMZ) 2 <DMZ-GAN Alias>

but I can't get the GAN-WAN PAT to work.  What am I missing?
Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents