NAT Question

Unanswered Question
May 19th, 2009

I have a general NAT question I hope you can help us with. We are converting from a large public ip address block (no NAT whatsoever) into a private address space using a combination of NAT / PAT, etc.

I think the ASA can do this without issue (version 8.04), but want to verify. On the Outside interface I have a completely different subnet than the public space I have inside. (Basically a /30 on the outside to the provider and a large /19 on the inside). Now, can I NAT this /19 to the Outside interface even though is is on a different subnet than the /30 assigned to the Outside?

Example (ip's changed to preserve the innocent):

Outside IP = /30 (apologies to whoever owns this space)

Inside IP = /19 (more apologies)

Can I NAT that /19 to the Outside without issue?

Thanks for your assistance!


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Tue, 05/19/2009 - 08:25


Yes no problem. I'm assuming you mean hide all the addresses behind ?

If so

nat (inside) 1

global (outside) 1 interface

If i have misunderstood let me know.


jim_berlow Tue, 05/19/2009 - 08:38

Thanks, Jon - that is part of it.

How about if we have public servers on an IP address example (SMTP)? Can I simply create a statement like this and will this work? This host is currently assigned the public IP right on its tcp/ip stack and it will now be assigned a private address like (assume I have done all the routing inside correctly, etc).

static (Inside,Outside) tcp 25 25 netmask

Thanks for your help,


Jon Marshall Tue, 05/19/2009 - 08:41


As long as any requests for are routed to the outside interface of your ASA from the Internet then yes you should be fine.



This Discussion