Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
236
Views
0
Helpful
1
Replies

Two separate NAT's

pdriscoll
Level 1
Level 1

‎08-14-2007 07:54 PM - edited ‎03-09-2019 06:35 PM

I inherited a network with the following:

ATM(Internet and DSL subints)<-->7206<-->Firewall<--> internal network

The DSL subinterfaces are injected into the ATM circuit; they use 192.168.x.0 and 192.168.y.0 subnets. They are used by company employees for home network and internet connectivity. The internal network is configured for several other 192.168.Z.0 subnets. Each DSL subinterface is configured for NAT inside, as is the inside interface on the 7206 from the Firewall. The outside

interface on the 7206 handles the outside NAT.

Goal: we want to replace the firewall with an ASA, and move the NAT there from the 7206. However, this presents several challenges. First, we cannot remove the DSL subinterface connections yet (to be replaced with VPN connections). So, we have private addresses on the DSL connections on the outside of the firewall that need NAT for internet access. We feel confident

we can handle security and routing issues, but NAT is challenging.

Our plan is to handle NAT with two different policies, one for the internal network users, the other for the DSL users. One NAT policy would translate internal network users to one public

IP address on the external interface of the ASA, the other NAT policy would translate the DSL users to the existing NAT address on the external interface of the 7206. Our concern is having the traffic that is NAT'd from the ASA traversing the 7206, where another NAT OUTSIDE configuration resides.

If we carefully specify what address ranges are being NAT'd by each policy, will this work? If not, can anyone suggest an alternative? Thanks in advance. PD

Labels:
0 Helpful
1 Reply 1

hadbou
Level 5
Level 5

‎08-21-2007 06:05 AM

For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then you must configure a separate nat command without the outside option. In this case, you can identify the same addresses in both statements and use the same NAT ID.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents