NAT Question

May 19th, 2009

I have a general NAT question I hope you can help us with. We are converting from a large public IP address block (no NAT whatsoever) into a private address space using a combination of NAT / PAT, etc.

I think the ASA can do this without issue (version 8.04), but want to verify. On the Outside interface I have a completely different subnet than the public space I have inside. (Basically a /30 on the outside to the provider and a large /19 on the inside). Now, can I NAT this /19 to the Outside interface even though it is on a different subnet than the /30 assigned to the Outside?

Example (IPs changed to preserve the innocent):

Outside IP = 23.2.2.2 /30 (apologies to whoever owns this space)

Inside IP = 167.2.0.0 /19 (more apologies)

Can I NAT that 167.2.0.0 /19 to the Outside without issue?

Thanks for your assistance!

Jim

Jon Marshall Tue, 05/19/2009 - 08:25

Jim

Yes, no problem. I'm assuming you mean hide all the 167.2.0.0/19 addresses behind 23.2.2.2?

If so

nat (inside) 1 167.2.0.0 255.255.224.0

global (outside) 1 interface

If I have misunderstood let me know.

Jon

jim_berlow Tue, 05/19/2009 - 08:38

Thanks, Jon - that is part of it.

How about if we have public servers on an IP address example 167.2.1.1 (SMTP)? Can I simply create a statement like this and will this work? This host is currently assigned the public IP 167.2.1.1 right on its TCP/IP stack and it will now be assigned a private address like 10.1.226.223 (assume I have done all the routing inside correctly, etc).

static (Inside,Outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255

Thanks for your help,

Jim

Jon Marshall Tue, 05/19/2009 - 08:41

Jim

As long as any requests for 167.2.1.1 are routed to the outside interface of your ASA from the Internet then yes you should be fine.

Jon
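
The condition in the last reply can be checked against a configuration. The following is an added example, not part of the original thread and not Cisco tooling: a Python check that parses pre-8.3 `static` lines and flags mapped addresses that fall outside the outside interface's subnet, which work only if the provider routes them to the ASA. The function names, status labels and sample config are constructed for illustration from the addresses in this thread.

```python
import ipaddress

# Constructed sample: the statements from this thread plus the outside /30.
OUTSIDE_IF = ipaddress.ip_interface("23.2.2.2/30")
CONFIG = """\
nat (inside) 1 167.2.0.0 255.255.224.0
global (outside) 1 interface
static (Inside,Outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255
"""


def parse_statics(config):
    """Yield (mapped, real) pairs from pre-8.3 'static' lines.

    Forms handled (hypothetical helper, not a full ASA parser):
      static (real_if,mapped_if) mapped real netmask mask
      static (real_if,mapped_if) tcp|udp mapped port real port netmask mask
    """
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "static":
            continue
        rest = tokens[2:]  # drop 'static' and '(real_if,mapped_if)'
        if rest[0] in ("tcp", "udp"):  # port-redirection form
            if len(rest) < 5:
                continue
            mapped, real = rest[1], rest[3]
        else:
            mapped, real = rest[0], rest[1]
        yield mapped, real


def audit_statics(config, outside_if):
    """Classify each static by whether its mapped address is on the outside subnet."""
    results = []
    for mapped, real in parse_statics(config):
        # 'interface' means the static reuses the outside interface address itself.
        if mapped == "interface" or ipaddress.ip_address(mapped) in outside_if.network:
            status = "on-link"
        else:
            # Off-subnet: the upstream router needs a route for this address
            # pointing at the ASA outside address.
            status = "needs-upstream-route"
        results.append((mapped, real, status))
    return results


if __name__ == "__main__":
    for mapped, real, status in audit_statics(CONFIG, OUTSIDE_IF):
        print(f"{mapped} -> {real}: {status} (next hop {OUTSIDE_IF.ip})")
```

For every address reported as `needs-upstream-route`, confirm with the provider that the block is routed to the outside address before cutting over.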
