I inherited a network with the following:
ATM (Internet and DSL subints) <--> 7206 <--> Firewall <--> internal network
The DSL subinterfaces are injected into the ATM circuit; they use 192.168.x.0 and 192.168.y.0 subnets. They are used by company employees for home network and internet connectivity. The internal network is configured for several other 192.168.Z.0 subnets. Each DSL subinterface is configured for NAT inside, as is the inside interface on the 7206 from the Firewall. The outside interface on the 7206 handles the outside NAT.
Goal: we want to replace the firewall with an ASA, and move the NAT there from the 7206. However, this presents several challenges. First, we cannot remove the DSL subinterface connections yet (to be replaced with VPN connections). So, we have private addresses on the DSL connections on the outside of the firewall that need NAT for internet access. We feel confident we can handle security and routing issues, but NAT is challenging.
Our plan is to handle NAT with two different policies, one for the internal network users, the other for the DSL users. One NAT policy would translate internal network users to one public IP address on the external interface of the ASA, the other NAT policy would translate the DSL users to the existing NAT address on the external interface of the 7206. Our concern is having the traffic that is NAT'd from the ASA traversing the 7206, where another NAT OUTSIDE configuration resides.
If we carefully specify what address ranges are being NAT'd by each policy, will this work? If not, can anyone suggest an alternative? Thanks in advance. PD