ASA NAT question

Unanswered Question
May 5th, 2010
User Badges:

Dear all

I have a ip valid range from my isp

I want to nat my inside users to ip vaid range with dynamic NAT

my outside asa interface has one of these ip valids to see outside world

but the other ip in my range do not belong to any devices..

how is it possible that my clients nat to my all ip range

also i have a web server in my dmz

i want also make a static but i do not know how can i bind an valid ip into non valid ip

i mean i do not know whre this valid ip must be set!!

thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 05/05/2010 - 09:52
User Badges:
  • Green, 3000 points or more


Please post the output from:

sh run nat

sh run global

sh run static

And let us know which are the real IPs that you want to NAT to which mapped IPs.


astripat Wed, 05/05/2010 - 12:41
User Badges:


Lets say that the ISP has provided the following range:

And, is assigned to the outside interface. Also, is the dmz web server which you want to publish to the outside world.

You can do the following:

nat (inside) 1 0 0

global (outside) 1 interface

static (dmz,outside)

access-list outside_access_in permit tcp any host eq 80

access-group outside_access_in in interface outside



iliafirewall Thu, 05/06/2010 - 03:53
User Badges:


I think there is miss understanding

the problem is that i have a valid range from my ISP

i want make a nat from my inside network to whole range

but the problem is only one ip from that range is assigned to my outside interface and rest od IP are not assign to any machine or any device

how can make a dynamic nat to this range according that no device or machine assigned to these IP addressess.

by the way my ASA verssion is 8.3.1


peter.kersting Thu, 05/06/2010 - 09:14
User Badges:

Hi Hani

If my understanding of the question is correct you want to NAT inside hosts to public IPs in the range assigned to you
by your ISP?

If so you can do it like this:

global (outside) 1

nat (inside) 1 0 0

If you have more inside clients than public IPs, probably best to aslo include a fallback to PAT using the outside interface address:

global (outside) 1 interface


hanimolani Fri, 05/07/2010 - 03:27
User Badges:

Dear pete

My problem is where the range IP address must be set?

because these ip valid range address do not belong any thing into my network


Jennifer Halim Fri, 05/07/2010 - 03:32
User Badges:
  • Cisco Employee,

If you would like to use that new IP range for dynamic NAT for your internal users, then you would configure it on the "global (outside)" statement.

Just have to make sure that the router in front of your ASA (connected to the outside interface of the ASA), is routing the new IP range towards the ASA outside interface.


This Discussion