Dynamic NAT vs Static

Aug 15th, 2007

Hi everyone. I have an ASA with three interfaces. I have a NAT and global statement that translates all my traffic destined for a server on the DMZ interface so it appears to be coming from 10.0.0.10. I have another group of users who need to go to the same server on the DMZ, but their source address needs to be 10.0.0.11. I was trying not to modify my NAT/global statement and use a static translation. Is there a way to do this? This is the ASA config:

global (dmz) 5 10.0.0.10

nat (inside) 5 0.0.0.0 0.0.0.0


Correct Answer
Jon Marshall Wed, 08/15/2007 - 11:42
Hi

If you know the IP addresses of the users you can use policy NAT, e.g. let's say the users are all on the 192.168.5.0 network:

access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"

nat (inside) 6 access-list natusers

global (dmz) 6 10.0.0.11

HTH

Jon

vantipov Wed, 08/15/2007 - 11:46

Jon, thanks for a fast response. My fear was that the ASA will scream at me that the scope is overlapping with 0.0.0.0 0.0.0.0. I will try your suggestion right now.

Jon Marshall Wed, 08/15/2007 - 11:56

Hi

No, it should be fine. I forgot to mention that you can use a static statement with policy NAT as well, it's just that I don't normally do it this way, e.g.:

access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"

static (inside,dmz) 10.0.0.11 access-list natusers

HTH

Jon
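
As an added example (not from this thread or from Cisco), here is a small Python simulation of how a pre-8.3 ASA chooses between the catch-all nat 5 and the policy nat 6 from the answers above: policy NAT (nat or static with an access-list) is evaluated before regular dynamic NAT, so the overlapping 0.0.0.0/0 rule does not shadow the ACL users. The DMZ host address 10.10.10.5 and the rule representation are assumptions; the static variant in the second answer is evaluated even earlier and yields the same result.

```python
import ipaddress

# Constructed model of pre-8.3 ASA NAT rule selection for the statements in
# this thread (a simulation, not ASA code). Policy NAT (nat/static with an
# access-list) is evaluated before regular dynamic NAT, so the catch-all
# "nat (inside) 5 0.0.0.0 0.0.0.0" never shadows the ACL users.
DMZ_HOST = ipaddress.ip_address("10.10.10.5")   # placeholder for "dmz host"

# Each rule: nat_id, real source network, ACL destination (None = regular
# dynamic NAT, no destination match) and the mapped source on the dmz side.
NAT_RULES = [
    # nat (inside) 5 0.0.0.0 0.0.0.0 / global (dmz) 5 10.0.0.10
    {"nat_id": 5, "real": ipaddress.ip_network("0.0.0.0/0"),
     "acl_dst": None, "mapped": "10.0.0.10"},
    # access-list natusers permit ip 192.168.5.0 255.255.255.0 host <dmz host>
    # nat (inside) 6 access-list natusers / global (dmz) 6 10.0.0.11
    {"nat_id": 6, "real": ipaddress.ip_network("192.168.5.0/24"),
     "acl_dst": DMZ_HOST, "mapped": "10.0.0.11"},
]

def rule_matches(rule, src, dst):
    """A policy rule needs both the source and the ACL destination to match;
    a regular rule only looks at the real source range."""
    if src not in rule["real"]:
        return False
    return rule["acl_dst"] is None or dst == rule["acl_dst"]

def select_mapped_source(src_ip, dst_ip, rules=NAT_RULES):
    """Return (nat_id, mapped source) an inside->dmz packet would get, or
    None when no nat statement covers it. Policy rules are checked first
    regardless of their position in the running config."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = sorted(rules, key=lambda r: r["acl_dst"] is None)  # policy first
    for rule in ordered:
        if rule_matches(rule, src, dst):
            return rule["nat_id"], rule["mapped"]
    return None

if __name__ == "__main__":
    for src, dst in [("192.168.5.7", "10.10.10.5"),   # ACL user -> 10.0.0.11
                     ("192.168.9.3", "10.10.10.5"),   # other user -> 10.0.0.10
                     ("192.168.5.7", "10.10.10.9")]:  # ACL user, other server
        print(src, "->", dst, "translated via", select_mapped_source(src, dst))
```

The third case shows the caveat of destination-based policy NAT: a user from the ACL network going to any other DMZ host falls back to 10.0.0.10.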

vantipov Wed, 08/15/2007 - 12:02

Looks like the commands went in fine. It will take me a little bit of time to test the actual connectivity, but I think that will work. Jon, thanks a bunch.

P.S.: I did the dynamic NAT.
