Best Practice many to many NAT

Unanswered Question

I have an ASA 5510. We have a vendor that is requiring us to NAT 50 internal IPs to 50 of their IPs. We did static 1-to-1 NAT for a couple of these and yes, it works... but with 50 static 1-to-1 NATs, is there a better way? We can only change the config on our side; they will not change anything on their side. Please, some advice.

Luis Melendrez Thu, 04/16/2009 - 13:01

You can still use static NAT but this time include the network instead of 1:1 IP address

static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

static (inside,outside) 67.148.xx.xx netmask

lrm001c474 Thu, 04/16/2009 - 13:04

As far as I know, you have to do the individual entries.

Never Mind^

Collin Clark Thu, 04/16/2009 - 13:09

I don't currently have an ASA in the lab to test, but you should be able to do something like this-

global (vendor) 30 netmask

nat (inside) 30 access-list VENDOR

access-list VENDOR standard permit host

access-list VENDOR standard permit host


The 10.1.1.x addresses are the vendor IPs you need to translate to, and the 192.168.1.x would be your internal IPs.

Collin Clark Thu, 04/16/2009 - 13:18

Correct. The ACL will list your internal IPs that should be mapped to the vendor's IPs. The global NAT pool will assign an IP when one of the users from the ACL goes out the vendor interface. Your ACL would look like this-

access-list VENDOR standard permit host

access-list VENDOR standard permit host

The global would be-

global (vendor) 30 netmask

Luis Melendrez Thu, 04/16/2009 - 13:18

"if I NAT them they will not see our inside IP correct?"


If your inside IPs are all different and they don't follow a pattern, at least in some blocks, your only option is to do them one by one.
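Added example (Python; it is not code from any post in this thread). Given the list of real/mapped address pairs, it decides between the single network static Luis suggests and the per-host statics the original poster started with, and it also emits the global/nat policy-NAT form Collin describes. The interface name `vendor`, the 192.168.1.x real hosts, the 10.1.1.x mapped addresses and NAT ID 30 are taken from the posts above as assumptions, and the two sample pair lists are constructed. Two caveats the thread does not spell out and that the code makes visible: a network static translates every address in the block, not only the 50 listed hosts (the script reports how many extra addresses it covers), and a static is bidirectional (once an interface ACL permits it, the vendor can initiate connections to the real hosts), whereas the global pool is outbound-only and does not guarantee which mapped address a given inside host receives, so it only fits if the vendor does not rely on a fixed pairing.

```python
"""Plan a many-to-many NAT on a pre-8.3 Cisco ASA (static / global / nat syntax).

Added illustration for the thread above, not vendor code. Interface names
"inside" and "vendor", NAT ID 30 and the sample address blocks are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Pair = Tuple[str, str]  # (real_ip, mapped_ip)

# Constructed sample data: 50 inside hosts mapped to 50 vendor-assigned addresses.
SAMPLE_PAIRS: List[Pair] = [(f"192.168.1.{i}", f"10.1.1.{i}") for i in range(10, 60)]
# Same hosts, but the vendor handed out a block at a different offset.
SHIFTED_PAIRS: List[Pair] = [(f"192.168.1.{i}", f"10.1.1.{i + 90}") for i in range(10, 60)]


def aligned_block(addrs, prefixlen=None) -> ipaddress.IPv4Network:
    """Smallest aligned network (or the /prefixlen one) containing every address."""
    lo, hi = min(addrs), max(addrs)
    plens = [prefixlen] if prefixlen is not None else range(32, -1, -1)
    for plen in plens:
        net = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in net:
            return net
    raise ValueError("addresses do not fit in the requested block")


@dataclass
class NatPlan:
    lines: List[str]
    collapsed: bool        # True when one network static replaced the per-host statics
    extra_translated: int  # addresses the block static also covers but were not listed


def static_plan(pairs: List[Pair], real_ifc="inside", mapped_ifc="vendor") -> NatPlan:
    """One network static if the pairs keep their host offsets, else one static per host.

    A network static copies the host bits of the real block onto the mapped block,
    so it expresses the mapping only when each real address sits at the same
    offset inside its block as its mapped partner (Luis's 'pattern').
    """
    reals = [ipaddress.ip_address(r) for r, _ in pairs]
    mapped = [ipaddress.ip_address(m) for _, m in pairs]
    # Use one prefix length for both sides: the larger of the two minimal blocks.
    plen = min(aligned_block(reals).prefixlen, aligned_block(mapped).prefixlen)
    real_net, mapped_net = aligned_block(reals, plen), aligned_block(mapped, plen)
    same_offsets = all(
        int(r) - int(real_net.network_address) == int(m) - int(mapped_net.network_address)
        for r, m in zip(reals, mapped)
    )
    if same_offsets and len(set(reals)) == len(reals) == len(set(mapped)):
        line = (f"static ({real_ifc},{mapped_ifc}) {mapped_net.network_address} "
                f"{real_net.network_address} netmask {real_net.netmask}")
        return NatPlan([line], True, real_net.num_addresses - len(pairs))
    # Fallback: the bidirectional 1-to-1 statics the original poster already uses.
    lines = [f"static ({real_ifc},{mapped_ifc}) {m} {r} netmask 255.255.255.255"
             for r, m in zip(reals, mapped)]
    return NatPlan(lines, False, 0)


def dynamic_plan(pairs: List[Pair], nat_id=30, real_ifc="inside",
                 mapped_ifc="vendor", acl="VENDOR") -> List[str]:
    """Collin's policy NAT: listed inside hosts draw an address from a global pool.

    Only connections the inside hosts start are translated, and a host is not
    tied to a particular pool address. The ACL is written in extended form here.
    """
    reals = [ipaddress.ip_address(r) for r, _ in pairs]
    pool = sorted(ipaddress.ip_address(m) for _, m in pairs)
    lines = [f"access-list {acl} extended permit ip host {r} any" for r in reals]
    # One global line per contiguous run of pool addresses, all under the same NAT ID.
    runs, start, prev = [], pool[0], pool[0]
    for addr in pool[1:]:
        if int(addr) != int(prev) + 1:
            runs.append((start, prev))
            start = addr
        prev = addr
    runs.append((start, prev))
    for lo, hi in runs:
        lines.append(f"global ({mapped_ifc}) {nat_id} {lo}-{hi}")
    lines.append(f"nat ({real_ifc}) {nat_id} access-list {acl}")
    return lines


if __name__ == "__main__":
    for pairs in (SAMPLE_PAIRS, SHIFTED_PAIRS):
        plan = static_plan(pairs)
        print(f"# collapsed={plan.collapsed}, extra addresses translated={plan.extra_translated}")
        print("\n".join(plan.lines[:3]), "..." if len(plan.lines) > 3 else "")
    print("\n".join(dynamic_plan(SAMPLE_PAIRS)[-3:]))
```

For the sample block the planner collapses the 50 pairs into `static (inside,vendor) 10.1.1.0 192.168.1.0 netmask 255.255.255.192`, which also translates the 14 unlisted addresses in that /26; for the shifted block it falls back to 50 per-host statics because the offsets differ. Run the output past the vendor before applying it, since the block static exposes the whole /26 to whatever the interface ACL permits.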

