NAT from private IP address

Answered Question
Mar 29th, 2010

We have an ASA 5550.  How do you write a NAT statement from the inside private IP 192.168.100.1(server) to a public IP address?

Thanks.

Diane

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 8 months ago

dianewalker wrote:

Thanks for your prompt response, Jon.

Another question: Instead of NATTING each individual private IP address to each individual public IP address, can you also NATTING the entire subnet?  For example, can you do this?

static (inside,outside) 192.168.100.0 netmask 255.255.255.0

Also, would you recommend natting each individual IP address or the entire subnet?

Thanks.

Diane

Diane

Apologies, i missed your response.

No your static wouldn't work because with static NAT as above you need a one to one mapping so with your static above the firewall would have no way of knowing which 192.168.100.x address to map to the public IP.

You could do this -

static (inside,outside) 192.168.100.0 netmask 255.255.255.0

where the public IP subnet has a subnet mask of 255.255.255.

For static NAT i would recommend only Natting the IPs you have to for security purposes as much as anything else.

Jon

Correct Answer by Jon Marshall about 6 years 8 months ago

dianewalker wrote:

We have an ASA 5550.  How do you write a NAT statement from the inside private IP 192.168.100.1(server) to a public IP address?

Thanks.

Diane

Diane

static (inside,outside) 192.168.100.1 netmask 255.255.255.255

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Jon Marshall Mon, 03/29/2010 - 08:13

dianewalker wrote:

We have an ASA 5550.  How do you write a NAT statement from the inside private IP 192.168.100.1(server) to a public IP address?

Thanks.

Diane

Diane

static (inside,outside) 192.168.100.1 netmask 255.255.255.255

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

dianewalker Mon, 03/29/2010 - 09:22

Thanks for your prompt response, Jon.

Another question: Instead of NATTING each individual private IP address to each individual public IP address, can you also NATTING the entire subnet?  For example, can you do this?

static (inside,outside) 192.168.100.0 netmask 255.255.255.0

Also, would you recommend natting each individual IP address or the entire subnet?

Thanks.

Diane

Correct Answer
Jon Marshall Mon, 03/29/2010 - 14:36

dianewalker wrote:

Thanks for your prompt response, Jon.

Another question: Instead of NATTING each individual private IP address to each individual public IP address, can you also NATTING the entire subnet?  For example, can you do this?

static (inside,outside) 192.168.100.0 netmask 255.255.255.0

Also, would you recommend natting each individual IP address or the entire subnet?

Thanks.

Diane

Diane

Apologies, i missed your response.

No your static wouldn't work because with static NAT as above you need a one to one mapping so with your static above the firewall would have no way of knowing which 192.168.100.x address to map to the public IP.

You could do this -

static (inside,outside) 192.168.100.0 netmask 255.255.255.0

where the public IP subnet has a subnet mask of 255.255.255.

For static NAT i would recommend only Natting the IPs you have to for security purposes as much as anything else.

Jon

Actions

This Discussion