firewall nat

Answered Question
Sep 8th, 2010

This ASA has an existing basic NAT rule:

     global (Internet-facing) 1 interface

     nat (local) 1 0.0.0.0 0.0.0.0

Public interface ip is 210.19.56.71

Now, we want to have a different NAT for only a single user, using a different public IP. How can this be done so that it also doesn't affect other users?

E.g., this single user has IP 192.168.100.10 and the other public IP is 210.19.56.73.

Will it work along with the existing rule if it is configured the following way?

       global (Internet-facing) 4 interface

       nat (local) 4 192.168.100.10 255.255.255.255

Please help. Thanks in advance!

Nagaraja Thanthry Wed, 09/08/2010 - 18:28

Hello,

Yes, you can use a different global pool and a different IP for that.

global (Internet-facing) 4 210.19.56.73

nat (local) 4 192.168.100.10 255.255.255.255

This will ensure that host 192.168.100.10 will use the .73 address when going to the internet.

Hope this helps.

Regards,

NT

Kureli Sankar Wed, 09/08/2010 - 18:39

NT is correct.

NAT ORDER OF OPERATIONS


The rules are tried in order.

    1) nat 0 access-list (nat-exempt)
    2) match against existing xlates
    3) static
       a) static nat with and without access-list (first match)
       b) static pat with and without access-list (first match)
    4) nat
       a) nat access-list (first match)
       Note: nat 0 access-list is not part of this command.
       b) nat (best match)
       Note:  When choosing a global address from multiple pools with
            the same nat id, the following order is tried
            i) if the id is 0, create an identity xlate.
            ii) use the global pool for dynamic NAT
            iii) use the global pool for dynamic PAT
    5) Error

-KS
suthomas1 Wed, 09/08/2010 - 19:03

Does that mean that if global (Internet-facing) 1 interface & nat (local) 1 0.0.0.0 0.0.0.0 come before global (Internet-facing) 4 interface & nat (local) 4 192.168.100.10 255.255.255.255, the host 192.168.100.10 might use nat1 instead of nat4 based on order?

If so, will I have to reverse the order? And how do I arrange them in that sequence if nat 1 already exists?

Please correct me if this is wrong.

Thanks

Correct Answer
Nagaraja Thanthry Wed, 09/08/2010 - 19:06

Hello,

As long as your NAT statement is specific to a host, order does not matter.

You can leave it the way it is right now.

Regards,

NT
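
An added illustration, not part of the thread and not Cisco code: a small Python model of step 4b (nat, best match) applied to the two nat/global pairs discussed above, run once in the posted order and once reversed. It assumes "best match" means the longest matching netmask and covers only regular dynamic nat/global pairs; the function names are hypothetical.

```python
import ipaddress

# Configuration lines taken from the thread (pre-8.3 ASA syntax).
CONFIG = """\
global (Internet-facing) 1 interface
nat (local) 1 0.0.0.0 0.0.0.0
global (Internet-facing) 4 210.19.56.73
nat (local) 4 192.168.100.10 255.255.255.255
"""
INTERFACE_IP = "210.19.56.71"  # public interface address given in the question


def parse(config):
    """Return ([(nat_id, network)], {nat_id: mapped address})."""
    nat_rules, global_pools = [], {}
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "nat":
            # "nat (ifc) <id> <address> <netmask>"
            net = ipaddress.ip_network(f"{words[3]}/{words[4]}")
            nat_rules.append((words[2], net))
        elif words[0] == "global":
            # "global (ifc) <id> <address | interface>"
            mapped = INTERFACE_IP if words[3] == "interface" else words[3]
            global_pools[words[2]] = mapped
    return nat_rules, global_pools


def translate(src, config=CONFIG):
    """Model step 4b: most specific matching nat rule, then the global with its id."""
    nat_rules, global_pools = parse(config)
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, nat_id) for nat_id, net in nat_rules if addr in net]
    if not matches:
        return None  # no nat rule covers this source (step 5 in the list above)
    _, nat_id = max(matches)  # assumption: longest prefix wins, line order ignored
    return nat_id, global_pools.get(nat_id)


def reversed_config(config=CONFIG):
    """Same rules with the line order flipped, to check that order is irrelevant."""
    return "\n".join(reversed(config.splitlines()))


if __name__ == "__main__":
    for host in ("192.168.100.10", "192.168.100.11"):
        print(host, "->", translate(host), translate(host, reversed_config()))
```

On the firewall itself, `show xlate` lists the translations actually built, which is the way to confirm which mapped address a host received.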

Jennifer Halim Wed, 09/08/2010 - 18:31

Yes, it will work; however, please be advised that it is only for outbound connections. If you need both, then you would need to configure a static NAT statement:

static (local,Internet-facing) 210.19.56.73 192.168.100.10 netmask 255.255.255.255

And the global statement should be as follows if you want to configure nat/global pair:

global (Internet-facing) 4  210.19.56.73

Hope that helps.
