nat configuration

Answered Question
Jul 13th, 2010

My ASA has an existing overloaded NAT in place for all the connections going out,
like nat (inside) 1 0.0.0.0 0.0.0.0
I need to configure a separate NAT for outgoing translation with a set of IPs.
The local IPs are 192.168.100.1 to 192.168.100.3, and they are to be natted with 202.88.116.27. Please help on how to configure this for use by these IPs only.

Thanks in advance.


Overall Rating: 4 (2 ratings)
Nagaraja Thanthry (Cisco Employee) Tue, 07/13/2010 - 17:50

Hello,


You can specify another NAT pool and specify specific source addresses that will be using that pool. In dynamic NAT, the firewall uses specific translation first before using the generic pool.


global (outside) 2 202.88.116.27
nat (inside) 2 192.168.100.0 255.255.255.252


The above configuration enables all the hosts from 192.168.100.0 to 100.3 to use the 202.88.116.27 address (since 100.0 is the network address, you will not see any traffic from that address).


Hope this helps.


Regards,


NT

suthomas1 Tue, 07/13/2010 - 18:06

Thanks for your reply. Wouldn't I need to deny this pool being used by other internal IPs for NAT?

Nagaraja Thanthry (Cisco Employee) Tue, 07/13/2010 - 18:13

Hello,


Once the firewall picks one pool, it will not look for the second pool. The firewall always picks the longest (best) match for every source address (sometimes it will also check the destination address if you have configured policy nat). So, you do not need to explicitly deny an address from using a pool.


Hope this helps.


Regards,


NT

suthomas1 Tue, 07/13/2010 - 19:30

OK, my intention is to ensure that this second global IP is not being used by other IPs except for 192.168.100.1 to 192.168.100.3.


nat (inside) 1 0.0.0.0 0.0.0.0 - this NAT is using another global IP address for general overload. I want to ensure IPs from this range don't try to use the second global IP for NAT.


Would it be possible without any additional config?


Thanks in advance.

Correct Answer
Nagaraja Thanthry (Cisco Employee) Tue, 07/13/2010 - 19:40

Hello,


If you configure "nat (inside) 2 192.168.100.0 255.255.255.252" only addresses covered in the range can use the nat pool identified by number 2. You do not need any other configuration to block other IP addresses from using the range.


Hope this helps.


Regards,


NT
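
Added example, not part of any post in this thread and not Cisco code: a small Python model of the longest-match selection described above, usable as an audit check of which inside hosts would egress from 202.88.116.27. The function names are hypothetical, the pool 1 global address is a placeholder because the thread does not give it, and the selection rule is modelled from the description in the answers rather than taken from the ASA itself.

```python
import ipaddress

# Constructed from the thread: the two pre-8.3 ASA statements under discussion.
# The pool 1 global address is not given on the page, so a placeholder is used.
CONFIG = """\
global (outside) 1 <pool-1-global>
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 202.88.116.27
nat (inside) 2 192.168.100.0 255.255.255.252
"""

def parse(config):
    """Return ({nat_id: global_address}, [(network, nat_id), ...])."""
    globals_, nats = {}, []
    for line in config.splitlines():
        tok = line.lower().split()
        if len(tok) == 4 and tok[0] == "global":
            globals_[tok[2]] = tok[3]
        elif len(tok) == 5 and tok[0] == "nat":
            # "address netmask" pair becomes a network object
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
            nats.append((net, tok[2]))
    return globals_, nats

def egress_address(host, config=CONFIG):
    """Model of the rule stated in the thread: the longest match wins."""
    globals_, nats = parse(config)
    addr = ipaddress.ip_address(host)
    matches = [(net.prefixlen, nat_id) for net, nat_id in nats if addr in net]
    if not matches:
        return None  # no nat statement covers this source
    _, nat_id = max(matches)
    return globals_.get(nat_id)

def sources_using(global_addr, candidates, config=CONFIG):
    """Audit helper: candidate inside hosts that would egress from global_addr."""
    return [h for h in candidates if egress_address(h, config) == global_addr]

if __name__ == "__main__":
    inside = [f"192.168.100.{n}" for n in range(8)] + ["192.168.1.10"]
    print(sources_using("202.88.116.27", inside))
```

On a live firewall, the equivalent check is to compare this expectation against the translation table shown by "show xlate".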
