firewall nat

suthomas1 (Level 6)

This ASA has an existing basic NAT rule:

     global (Internet-facing) 1 interface

     nat (local) 1 0.0.0.0 0.0.0.0

The public interface IP is 210.19.56.71.

Now, if we want to have a different NAT for only a single user, using a different public IP, how can this be done so that it also doesn't affect other users?

E.g., this single user has IP 192.168.100.10 and the other public IP is 210.19.56.73.

Will it work along with the existing rule if it is configured the following way?

       global (Internet-facing) 4 interface

       nat (local) 4 192.168.100.10 255.255.255.255

Please help. Thanks in advance!


Nagaraja Thanthry (Cisco Employee)

Hello,

Yes, you can use a different global pool and a different IP for that.

global (Internet-facing) 4 210.19.56.73

nat (local) 4 192.168.100.10 255.255.255.255

This will ensure that host 192.168.100.10 will use the .73 address when going to the Internet.

Hope this helps.

Regards,

NT

Jennifer Halim (Cisco Employee)

Yes, it will work; however, please be advised that it is only for outbound connections. If you need both directions, then you would need to configure a static NAT statement:

static (local,Internet-facing) 210.19.56.73 192.168.100.10 netmask 255.255.255.255

And the global statement should be as follows if you want to configure nat/global pair:

global (Internet-facing) 4 210.19.56.73

Hope that helps.

Nagaraja Thanthry (Cisco Employee)

Hello Halijenn,

I think when it comes to dynamic NAT, the best match is considered, not the order.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

Regards,

NT

NT is correct.

NAT ORDER OF OPERATIONS

The rules are tried in order.

    1) nat 0 access-list (nat-exempt)
    2) match against existing xlates
    3) static
       a) static nat with and without access-list (first match)
       b) static pat with and without access-list (first match)
    4) nat
       a) nat access-list (first match)
          Note: nat 0 access-list is not part of this command.
       b) nat (best match)
          Note: When choosing a global address from multiple pools with
                the same nat id, the following order is tried
                i) if the id is 0, create an identity xlate.
                ii) use the global pool for dynamic NAT
                iii) use the global pool for dynamic PAT
    5) Error

-KS

Thanks Kusankar, NT.

I've updated my previous post.

Does that mean that if "global (Internet-facing) 1 interface" & "nat (local) 1 0.0.0.0 0.0.0.0" come before "global (Internet-facing) 4 interface" & "nat (local) 4 192.168.100.10 255.255.255.255", the host 192.168.100.10 might use nat 1 instead of nat 4 based on order?

If so, will I have to reverse the order? And how do I arrange them in that sequence if nat 1 already exists?

Please correct me if this is wrong.

Thanks

Hello,

As long as your NAT statement is specific to a host, order does not matter.

You can leave it the way it is right now.

Regards,

NT
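The rule selection discussed in this thread (KS's order of operations and NT's point that a host-specific nat statement is chosen by best match, so its position relative to the nat 1 catch-all does not matter), as an added example that is not from the original thread and is not Cisco code: a small Python model of the pre-8.3 ASA NAT lookup, run against the configuration posted above. It models only the steps the thread mentions (nat 0 access-list exemption, static rules in first-match order, nat/global pairs chosen by best match, and the dynamic-NAT-before-PAT preference among pools with the same id), it treats "best match" as the longest matching local prefix, which is an assumption, and it takes the single-address global for id 4 as PAT. Interface names and addresses are the ones from the thread; the helper and function names are the example's own.

```python
"""
Simulation of the pre-8.3 ASA NAT lookup described in this thread.

Added example, not Cisco code and not the ASA's real implementation: it
models only the steps the thread discusses and treats "best match" as the
longest matching local prefix (an assumption). Existing xlates (step 2) and
policy NAT with an access-list (step 4a) are not modelled.
"""
import dataclasses
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRule:
    """static (local,Internet-facing) GLOBAL LOCAL netmask MASK"""
    local: Net
    global_addr: str


@dataclass(frozen=True)
class DynamicRule:
    """nat (local) ID LOCAL MASK"""
    nat_id: int
    local: Net


@dataclass(frozen=True)
class GlobalPool:
    """global (Internet-facing) ID {interface | ADDR | ADDR-ADDR}"""
    nat_id: int
    address: str    # "interface", a single address, or a "first-last" range
    pat: bool       # interface keyword or single address -> PAT; range -> dynamic NAT


@dataclass(frozen=True)
class AsaNat:
    interface_ip: str                 # address of the Internet-facing interface
    exempt: Tuple[Net, ...]           # nat 0 access-list entries, modelled as source networks
    statics: Tuple[StaticRule, ...]
    dynamic: Tuple[DynamicRule, ...]
    pools: Tuple[GlobalPool, ...]


def lookup(cfg: AsaNat, src: str) -> Tuple[str, Optional[str]]:
    """Return (translation kind, global address) for a new outbound packet from src."""
    ip = ipaddress.IPv4Address(src)

    # 1) nat 0 access-list: exempt from translation
    if any(ip in n for n in cfg.exempt):
        return ("exempt", src)
    # 3) static: first match in configuration order
    for rule in cfg.statics:
        if ip in rule.local:
            return ("static", rule.global_addr)
    # 4b) nat: best match, i.e. the most specific local network, not configuration order
    matches = [r for r in cfg.dynamic if ip in r.local]
    if not matches:
        return ("error", None)          # 5) no rule matched: packet is dropped
    best = max(matches, key=lambda r: r.local.prefixlen)
    if best.nat_id == 0:
        return ("identity", src)        # i) nat id 0 -> identity xlate
    pools = [p for p in cfg.pools if p.nat_id == best.nat_id]
    if not pools:
        return ("error", None)          # nat statement without a matching global
    # ii) a dynamic NAT range is preferred over iii) a PAT entry with the same id
    pool = min(pools, key=lambda p: p.pat)
    addr = cfg.interface_ip if pool.address == "interface" else pool.address
    return ("pat" if pool.pat else "nat", addr)   # a range is reported as the range itself


# The configuration from the thread, with the corrected global for id 4.
THREAD_CONFIG = AsaNat(
    interface_ip="210.19.56.71",
    exempt=(),
    statics=(),
    dynamic=(DynamicRule(1, Net("0.0.0.0/0")),            # nat (local) 1 0.0.0.0 0.0.0.0
             DynamicRule(4, Net("192.168.100.10/32"))),   # nat (local) 4 192.168.100.10 255.255.255.255
    pools=(GlobalPool(1, "interface", pat=True),          # global (Internet-facing) 1 interface
           GlobalPool(4, "210.19.56.73", pat=True)),      # global (Internet-facing) 4 210.19.56.73
)


def reversed_order(cfg: AsaNat) -> AsaNat:
    """The same rules entered in the opposite order, to show that order does not matter."""
    return dataclasses.replace(cfg, dynamic=tuple(reversed(cfg.dynamic)),
                               pools=tuple(reversed(cfg.pools)))


def static_variant(cfg: AsaNat) -> AsaNat:
    """The bidirectional alternative: a static for the host, which wins over any nat/global pair."""
    static = StaticRule(Net("192.168.100.10/32"), "210.19.56.73")
    return dataclasses.replace(cfg, statics=cfg.statics + (static,))


if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CONFIG),
                      ("reversed", reversed_order(THREAD_CONFIG)),
                      ("with static", static_variant(THREAD_CONFIG))):
        for host in ("192.168.100.10", "192.168.100.11"):
            print(f"{name:12} {host:16} -> {lookup(cfg, host)}")
```

Running it shows 192.168.100.10 leaving as 210.19.56.73 and every other local host leaving as the interface address 210.19.56.71, in both orderings; with the static in place the host is matched at step 3 before any nat/global pair is consulted. The model is a first-packet lookup only: on a real ASA an existing xlate for the host (step 2) would keep being used until it times out or is cleared, so changing the rules for a host that already has an open translation does not take effect immediately.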
