NAT Question

Unanswered Question
May 19th, 2009

I have a general NAT question I hope you can help us with. We are converting from a large public IP address block (no NAT whatsoever) into a private address space using a combination of NAT / PAT, etc.


I think the ASA can do this without issue (version 8.04), but want to verify. On the Outside interface I have a completely different subnet than the public space I have inside. (Basically a /30 on the outside to the provider and a large /19 on the inside). Now, can I NAT this /19 to the Outside interface even though it is on a different subnet than the /30 assigned to the Outside?


Example (IPs changed to preserve the innocent):


Outside IP = 23.2.2.2 /30 (apologies to whoever owns this space)


Inside IP = 167.2.0.0 /19 (more apologies)


Can I NAT that 167.2.0.0 /19 to the Outside without issue?


Thanks for your assistance!


Jim

Jon Marshall Tue, 05/19/2009 - 08:25

Jim


Yes, no problem. I'm assuming you mean hide all the 167.2.0.0/19 addresses behind 23.2.2.2?


If so:


nat (inside) 1 167.2.0.0 255.255.224.0

global (outside) 1 interface


If I have misunderstood, let me know.


Jon

jim_berlow Tue, 05/19/2009 - 08:38

Thanks, Jon - that is part of it.


How about if we have public servers on an IP address, for example 167.2.1.1 (SMTP)? Can I simply create a statement like this and will this work? This host is currently assigned the public IP 167.2.1.1 right on its TCP/IP stack and it will now be assigned a private address like 10.1.226.223 (assume I have done all the routing inside correctly, etc).


static (Inside,Outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255


Thanks for your help,

Jim

Jon Marshall Tue, 05/19/2009 - 08:41

Jim


As long as any requests for 167.2.1.1 are routed to the outside interface of your ASA from the Internet, then yes, you should be fine.


Jon

jim_berlow Tue, 05/19/2009 - 08:45

Thanks, Jon. That is exactly what I wanted to verify.
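
Added example (not written by any poster in this thread, and not Cisco code): a small Python check that parses the three configuration lines posted above and reports which inside range is hidden behind the outside interface address, and whether each static's public address lies outside the interface's /30, which is the case where the routing condition Jon describes applies. The function name audit and the regular expressions are assumptions of this example and cover only the command forms shown in the thread.

```python
import ipaddress
import re

# Configuration lines as posted in the thread (ASA 8.0 syntax).
CONFIG = """\
nat (inside) 1 167.2.0.0 255.255.224.0
global (outside) 1 interface
static (Inside,Outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255
"""
# From the thread: the outside interface is 23.2.2.2 in a /30.
OUTSIDE_IF = ipaddress.ip_interface("23.2.2.2/30")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")


def audit(config, outside_if):
    """Return (pat_rules, static_rules) describing what the config translates."""
    nats, globals_, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats[m[2]] = ipaddress.ip_network(f"{m[3]}/{m[4]}")
        elif m := GLOBAL_RE.match(line):
            globals_[m[2]] = m[3]
        elif m := STATIC_RE.match(line):
            mapped = ipaddress.ip_address(m[4])
            statics.append({
                "proto": m[3], "mapped": mapped, "mapped_port": int(m[5]),
                "real": ipaddress.ip_address(m[6]), "real_port": int(m[7]),
                # Outside the interface subnet: upstream must route it to the ASA.
                "needs_upstream_route": mapped not in outside_if.network,
            })
    pat = []
    for nat_id, src in nats.items():
        pool = globals_.get(nat_id)  # None means the nat rule has no matching global
        hide = outside_if.ip if pool == "interface" else pool
        pat.append({"nat_id": nat_id, "source": src, "hidden_behind": hide})
    return pat, statics


if __name__ == "__main__":
    pat, statics = audit(CONFIG, OUTSIDE_IF)
    for r in pat:
        print(f"PAT id {r['nat_id']}: {r['source']} -> {r['hidden_behind']}")
    for s in statics:
        print(f"static {s['proto']}/{s['mapped_port']} {s['mapped']} -> {s['real']}, upstream route: {s['needs_upstream_route']}")
```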
