Translation Assistance (NAT)

fedecotofaja · ‎07-23-2009

Hi All,

I have a simple question.

Can I NAT in the ASA to an address that does not belong to the ASA itself?

In other words...

I have used NAT many times to translate the inside LANs to an address of the outside range of the ASA (but when the IP address assigned to the OUTSIDE interface belongs to this range)...

In this case, I need to translate the inside LAN to a public IP address, but both the inside & outside of the ASA are private IP addresses.

I cannot NAT on the directly connected device to the internet, so I was wondering if I can NAT on the ASA (eventhough the public IP address does not belong to the ASA), and create a route to point to the ASA....

Does it make sense?

Can somebody help me please?

Thank you!

Federico.

Roman Rodichev · ‎07-23-2009

sure this is possible

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 5.5.5.5

route 5.5.5.5/32 on the outside router to the outside IP of the ASA 192.168.0.1

Regards,

Roman

fedecotofaja · ‎07-24-2009

Ok, but I don't understand how does it works...

For example:

If I do what you describe, I have to tell the External Router that the IP 5.5.5.5 is on the interface facing the ASA. But that same router is going to have that IP on it's interface facing the Internet...

Would'nt that create a problem? (a routing problem)?

Please clarify...

Thank you!

Federico.

Roman Rodichev · ‎07-24-2009

your ISP WAN connection is usually a /30 subnet, and ISP usually assigns you another /29 or /28 IP subnet which you then route to the ASA.

If all you have is your /30, then you'll need to do NAT on the router, route private subnet to the ASA, and do no NAT on ASA ("nat-control" is by default disabled)

Let me know if it's still not clear.

Regards,

Roman

fedecotofaja · ‎07-24-2009

I have it clear now thank you.

I have only a /30 which I have on the router, so I must NAT on the router.

Thank you.