ASA 5520 NAT Possibilities

Oct 4th, 2010


The goal is to replace a pair of Linux firewalls with a pair of ASA5520's. The problem is the way that the ISP hands us our connection. They hand off the connection using a private subnet (172.16.x.x). The Linux firewall then sends any packets destined to the servers using public IP addresses that the ISP supplies. It is like a reverse firewall in the sense that the "inside" interface is configured with a public IP address and the "outside" interface is configured with a private IP address. The ISP routers know to forward the public IPs via their private subnet. A straight swap should work but it is the NAT that is the issue. NAT is taking place behind the firewalls via load balancers. Currently the ASA is running in parallel and is providing NAT to a few servers. If I were to replace the Linux boxes with the ASAs, I don't think the current NAT setup will work. I would need to NAT a private address (10.x.x.x) to its public address (217.x.x.x) via the ISP's subnet (172.16.x.x). Is this possible?

Jitendriya Athavale Mon, 10/04/2010 - 03:17

yeah we can do that

do you want one to one or many to one

if you have one to one use this syntax

static (inside,outside)

danrya Mon, 10/04/2010 - 06:47

With the ASA, it doesn't matter what the "outside" address is.  You can NAT to any address that the ISP can route to you.  The easiest configuration would be something like this:

nat 1 (inside)

global (outside) 1

You can also make it more restrictive by picking subnets to NAT to IPs, for example:

nat 1 (inside)

nat 1 (inside)

nat 2 (inside)

global (outside) 1

global (outside) 2 -

The NAT command identifies the interface and addresses of the "private" IP addresses.  The Global command identifies the "public" interface and IP address that will be used as the "source address" of the packet.  The number after each is used to "tie" them together.  In my example, nat 1 and global 1 and nat 2 and global 2.

You can use this with "static NAT" also, as the other user pointed out.  Take a look at the configuration guide for other examples:

Let me know how this works out for you.
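
Added example, not part of the original posts: a sketch of how the nat/global ID pairing and a one-to-one static described above fit together on an ASA whose outside interface sits on a private ISP handoff subnet. It assumes the pre-8.3 ASA NAT syntax that this thread uses; every address, the interface numbering, the internal next hop and the ACL name OUTSIDE_IN are constructed placeholders (203.0.113.0/24 stands in for the ISP-routed public block).

```cisco
! --- Constructed addressing (placeholders, not from the thread) ---
! outside : 172.16.0.2/30, ISP handoff, next hop 172.16.0.1
! inside  : 10.1.1.1/24, second internal subnet 10.1.2.0/24 behind 10.1.1.254
! public  : 203.0.113.0/24, routed by the ISP toward 172.16.0.2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.0.1
route inside 10.1.2.0 255.255.255.0 10.1.1.254
!
! NAT ID 1: first subnet is PATed to a single public address.
! The mapped address does not have to belong to the outside interface subnet;
! it only has to be routed to the ASA by the ISP.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10
!
! NAT ID 2: second subnet draws from a range of public addresses.
nat (inside) 2 10.1.2.0 255.255.255.0
global (outside) 2 203.0.113.20-203.0.113.30
!
! One-to-one mapping for a published server.
! Syntax: static (real_if,mapped_if) mapped_ip real_ip
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255
!
! A static translation alone does not admit inbound traffic. Permit only
! the service that is published; pre-8.3 ACLs match the mapped address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.50 eq 443
access-group OUTSIDE_IN in interface outside
```

After applying a configuration like this, `show xlate` and `show nat` list the active translations, which makes it possible to confirm that each inside subnet is leaving with the intended public source address before cutting production traffic over.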


ANDY LEWIS Mon, 10/04/2010 - 06:59

I will give it a try. I have never configured a firewall with a public inside address and private outside address. It is counterintuitive. The problem is that this is a production environment and I need to minimize downtime. What about terminating the site-to-sites? Can that be done on an interface other than the external?

danrya Mon, 10/04/2010 - 07:31

I've never tried to terminate a VPN tunnel on the inside interface.  But, I have created a VPN tunnel to the outside interface from a computer on the inside.  So, I'm "guessing" that if you configure the VPN tunnel using the inside interface, it should work through the outside.

Not something that I would recommend trying in a production network, but if that's all you've got there might not be another option.

Hopefully someone that's tried that before can tell you more details.  If I had an ASA handy I'd give it a shot.


Jitendriya Athavale Mon, 10/04/2010 - 07:57

yes you can terminate vpn, there shouldn't be anything stopping you, basically you can do almost everything on all security zones but you will have to modify rules accordingly

also with respect to nat for patting rules you might need the keyword outside

