07-13-2010 05:39 PM - edited 03-11-2019 11:11 AM
My ASA has an existing overloaded NAT in place for all the connections going out,
like nat (inside) 1 0.0.0.0 0.0.0.0
I need to configure a separate NAT for outgoing translation with a set of IPs.
The local IPs are 192.168.100.1 to 192.168.100.3, and they are to be NATted with 202.88.116.27. Please help on how to configure this for use by these IPs only.
Thanks in advance.
07-13-2010 05:50 PM
Hello,
You can specify another NAT pool and specify specific source addresses that will be using that pool. In dynamic NAT, the firewall uses specific translation first before using the generic pool.
global (outside) 2 202.88.116.27
nat (inside) 2 192.168.100.0 255.255.255.252
The above configuration enables all the hosts from 192.168.100.0 to 100.3 to use the 202.88.116.27 address (since 100.0 is the network address, you will not see any traffic from that address).
Hope this helps.
Regards,
NT
07-13-2010 06:06 PM
Thanks for your reply. Wouldn't I need to deny this pool being used by other internal IPs for NAT?
07-13-2010 06:13 PM
Hello,
Once the firewall picks one pool, it will not look for the second pool. The firewall always picks the longest (best) match for every source address (sometimes it will also check the destination address if you have configured policy nat). So, you do not need to explicitly deny an address from using a pool.
Hope this helps.
Regards,
NT
07-13-2010 07:30 PM
OK, my intention is to ensure that this second global IP is not being used by other IPs except for 192.168.100.1 to 192.168.100.3.
nat (inside) 1 0.0.0.0 0.0.0.0 - this NAT is using another global IP address for general overload. I want to ensure IPs from this range don't try to use the second global IP for NAT.
Would it be possible without any additional config?
Thanks in advance.
07-13-2010 07:40 PM
Hello,
If you configure "nat (inside) 2 192.168.100.0 255.255.255.252" only addresses covered in the range can use the nat pool identified by number 2. You do not need any other configuration to block other IP addresses from using the range.
Hope this helps.
Regards,
NT
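Added example (not part of the thread, and not ASA code): a small Python model of the selection rule described in the replies above, where the most specific nat statement covering the source address decides which global pool is used. It also audits a list of translations for misuse of 202.88.116.27. The pool 1 address is not given in the thread, so a placeholder string stands in for it, and the sample translation pairs are constructed.

```python
import ipaddress

# nat statements from the thread: (nat_id, real network/mask on the inside interface)
NAT_RULES = [
    (1, ipaddress.ip_network("0.0.0.0/0.0.0.0")),
    (2, ipaddress.ip_network("192.168.100.0/255.255.255.252")),
]

# global statements: nat_id -> mapped address.
# Pool 1's address is not stated in the thread; this is a placeholder.
GLOBAL_POOLS = {1: "<pool-1-global-address>", 2: "202.88.116.27"}


def select_nat_id(src):
    """Return the nat_id of the most specific rule covering src (longest prefix wins)."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, nat_id) for nat_id, net in NAT_RULES if addr in net]
    return max(matches)[1] if matches else None


def global_for(src):
    """Return the mapped address the model expects for a given inside source."""
    return GLOBAL_POOLS.get(select_nat_id(src))


def audit_xlates(xlates):
    """Return the (local, global) pairs whose mapped address differs from the model."""
    return [(local, mapped) for local, mapped in xlates if global_for(local) != mapped]


# Constructed sample of (inside local, mapped global) pairs, e.g. transcribed
# by hand from the firewall's translation table. The last entry is a deliberate
# mismatch: a host outside 192.168.100.0/30 using the reserved address.
SAMPLE_XLATES = [
    ("192.168.100.1", "202.88.116.27"),
    ("192.168.100.3", "202.88.116.27"),
    ("192.168.100.4", "<pool-1-global-address>"),
    ("10.1.1.5", "202.88.116.27"),
]

if __name__ == "__main__":
    for host in ("192.168.100.1", "192.168.100.3", "192.168.100.4", "10.1.1.5"):
        print(f"{host:15} -> nat id {select_nat_id(host)} -> {global_for(host)}")
    print("unexpected translations:", audit_xlates(SAMPLE_XLATES))
```

Note that 192.168.100.4 already falls outside the 255.255.255.252 mask, so the model sends it to pool 1.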