
nat configuration

suthomas1
Level 6

My ASA has an existing overloaded NAT in place for all the connections going out,
like nat (inside) 1 0.0.0.0 0.0.0.0
I need to configure a separate NAT for outgoing translation with a set of IPs.
The local IPs are 192.168.100.1 to 192.168.100.3, and they are to be NATted with 202.88.116.27. Please help on how to configure this for use by these IPs only.

Thanks in advance.


Nagaraja Thanthry
Cisco Employee

Hello,

You can specify another NAT pool and specify specific source addresses that will be using that pool. In dynamic NAT, the firewall uses specific translation first before using the generic pool.

global (outside) 2 202.88.116.27

nat (inside) 2 192.168.100.0 255.255.255.252

The above configuration enables all the hosts from 192.168.100.0 to 100.3 to use the 202.88.116.27 address (since 100.0 is the network address, you will not see any traffic from that address).

Hope this helps.

Regards,

NT

Thanks for your reply. Wouldn't I need to deny this pool being used by other internal IPs for NAT?

Hello,

Once the firewall picks one pool, it will not look for the second pool. The firewall always picks the longest (best) match for every source address (sometimes it will also check the destination address if you have configured policy nat). So, you do not need to explicitly deny an address from using a pool.

Hope this helps.

Regards,

NT

OK, my intention is to ensure that this second global IP is not being used by other IPs except for 192.168.100.1 to 192.168.100.3.

nat (inside) 1 0.0.0.0 0.0.0.0 - this NAT is using another global IP address for general overload. I want to ensure IPs from this range don't try to use the second global IP for NAT.

Would it be possible without any additional config?

Thanks in advance.

Hello,

If you configure "nat (inside) 2 192.168.100.0 255.255.255.252" only addresses covered in the range can use the nat pool identified by number 2. You do not need any other configuration to block other IP addresses from using the range.

Hope this helps.

Regards,

NT
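
A simplified model of the selection behaviour described in the answers above (the most specific matching nat statement wins, and its ID selects the global pool), added here as an example; it is not ASA code and not part of the original thread. The pool 1 global address 203.0.113.10 is a constructed placeholder, since the thread does not state it, and the function names are hypothetical.

```python
import ipaddress

# Constructed config. The pool 2 lines come from the thread; the pool 1
# global address (203.0.113.10) is a placeholder the thread does not give.
CONFIG = """\
global (outside) 1 203.0.113.10
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 202.88.116.27
nat (inside) 2 192.168.100.0 255.255.255.252
"""

def parse(config):
    """Return (nat_rules, pools) from 'nat'/'global' lines of this form."""
    nat_rules, pools = [], {}
    for line in config.splitlines():
        tok = line.lower().replace("(", " ").replace(")", " ").split()
        if len(tok) == 4 and tok[0] == "global":
            pools[tok[2]] = tok[3]                      # nat ID -> global IP
        elif len(tok) == 5 and tok[0] == "nat":
            # Convert the dotted mask to a prefix length (assumes a contiguous mask).
            plen = bin(int(ipaddress.ip_address(tok[4]))).count("1")
            nat_rules.append((ipaddress.ip_network(f"{tok[3]}/{plen}"), tok[2]))
    return nat_rules, pools

def translate(src, nat_rules, pools):
    """Global address used by src: the longest-prefix nat match decides the pool."""
    ip = ipaddress.ip_address(src)
    matches = [(net.prefixlen, nat_id) for net, nat_id in nat_rules if ip in net]
    if not matches:
        return None                                     # no nat statement covers src
    _, nat_id = max(matches)
    return pools.get(nat_id)

def users_of(global_ip, sources, nat_rules, pools):
    """Audit helper: which of the given inside hosts end up on global_ip."""
    return [s for s in sources if translate(s, nat_rules, pools) == global_ip]

if __name__ == "__main__":
    rules, pools = parse(CONFIG)
    # Constructed sample hosts: the three from the question plus neighbours.
    hosts = [f"192.168.100.{n}" for n in range(1, 7)] + ["192.168.1.50"]
    for h in hosts:
        print(h, "->", translate(h, rules, pools))
    print("pool 2 users:", users_of("202.88.116.27", hosts, rules, pools))
```

On the firewall itself, the translation table (`show xlate`) is where the resulting mappings can be confirmed against live traffic.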
