Two separate NATs

Unanswered Question
Aug 14th, 2007

I inherited a network with the following:

ATM(Internet and DSL subints)<-->7206<-->Firewall<--> internal network

The DSL subinterfaces are injected into the ATM circuit; they use 192.168.x.0 and 192.168.y.0 subnets. They are used by company employees for home network and internet connectivity. The internal network is configured for several other 192.168.Z.0 subnets. Each DSL subinterface is configured for NAT inside, as is the inside interface on the 7206 from the Firewall. The outside interface on the 7206 handles the outside NAT.

Goal: we want to replace the firewall with an ASA, and move the NAT there from the 7206. However, this presents several challenges. First, we cannot remove the DSL subinterface connections yet (to be replaced with VPN connections). So, we have private addresses on the DSL connections on the outside of the firewall that need NAT for internet access. We feel confident we can handle security and routing issues, but NAT is challenging.

Our plan is to handle NAT with two different policies, one for the internal network users, the other for the DSL users. One NAT policy would translate internal network users to one public IP address on the external interface of the ASA; the other NAT policy would translate the DSL users to the existing NAT address on the external interface of the 7206. Our concern is having the traffic that is NAT'd from the ASA traversing the 7206, where another NAT OUTSIDE configuration resides.

If we carefully specify what address ranges are being NAT'd by each policy, will this work? If not, can anyone suggest an alternative? Thanks in advance. PD

hadbou Tue, 08/21/2007 - 06:05

For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then you must configure a separate nat command without the outside option. In this case, you can identify the same addresses in both statements and use the same NAT ID.
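As an added example, not from the original thread or from the documentation hadbou quotes: pre-8.3 ASA `nat`/`global` statements for the two policies in the question, the same-NAT-ID pairing hadbou describes, and the 7206 side of the double-NAT concern. All subnets, the public addresses, the `dmz` interface and the 7206 subinterface name ATM1/0.1 are assumed placeholders.

```cisco
! Constructed example, not the poster's configuration. ASA 7.x/8.0
! "nat"/"global" syntax (the pre-8.3 form in use in 2007). Subnets, public
! addresses and interface names are assumed placeholders for 192.168.x/y/Z.
!
! --- ASA ---
! Policy 1: internal users -> one public address on the ASA outside
! interface. 192.168.30.0/24 stands in for the internal 192.168.Z.0 subnets.
nat (inside) 1 192.168.30.0 255.255.255.0
global (outside) 1 203.0.113.10
!
! Policy 2: the DSL subnets sit on the OUTSIDE of the ASA, so translating
! them when they reach the internal network is outside NAT: the trailing
! "outside" keyword marks the rule and its pool lives on the INSIDE interface.
! 192.168.10.0/24 and 192.168.20.0/24 stand in for 192.168.x.0 and y.0.
nat (outside) 2 192.168.10.0 255.255.255.0 outside
nat (outside) 2 192.168.20.0 255.255.255.0 outside
global (inside) 2 192.168.30.200-192.168.30.220
!
! hadbou's DMZ case (assumed "dmz" interface): same addresses and same NAT
! ID twice, one rule with "outside" (toward the higher-security inside) and
! one without (toward the lower-security outside), each with its own pool.
nat (dmz) 3 192.168.50.0 255.255.255.0 outside
nat (dmz) 3 192.168.50.0 255.255.255.0
global (inside) 3 192.168.30.230-192.168.30.240
global (outside) 3 203.0.113.11
!
! Check: "show xlate" lists live translations; "show nat" shows which rule
! each flow matched.
!
! --- 7206 (IOS) ---
! The double-NAT concern: IOS translates a packet only if it arrives on an
! "ip nat inside" interface AND matches the inside-source ACL. Denying the
! ASA's public addresses in that ACL lets ASA-translated traffic cross the
! router untouched while the DSL subnets still use the 7206's outside address.
ip access-list extended NAT_INSIDE
 deny   ip host 203.0.113.10 any
 deny   ip host 203.0.113.11 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
!
! ATM1/0.1 is an assumed name for the 7206's Internet subinterface.
ip nat inside source list NAT_INSIDE interface ATM1/0.1 overload
!
! Check: "show ip nat translations" should show no entries for 203.0.113.10.
```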

