Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

10.x.x.x as outside address

Unanswered Question
Oct 21st, 2013
User Badges:

        We are changing ISPs and the Class C  public subnet used for NATing and the outside of our ASA will no longer be used (by us).  We actually have 3 Class C subnets for Internet traffic.  There is  an appliance used as the gateway of ASA's outside interface that does the final NATing according to a policy we create.   Now the question,  since I am going to be changing the NAT statements and outside interface of our ASA, would it cause any problems to use a 10.x.x.x Class C  for these changes?   This way if  (when) we change ISPs again,  I do not have to change the ASA only the policy on the outside appliance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jouni Forss Mon, 10/21/2013 - 14:13
User Badges:
  • Super Bronze, 10000 points or more


So your are asking if you could use some subnet from the network as the link network between your ASAs new WAN interface and the interface of the Router (or other device) in front of the ASA?

I don't think this should be a problem though I would personally prefer always for the ASA to have the public IP addresses directly. The NAT setup should be pretty simple after this on the ASA. I guess depending on if you had VPNs involved before this change they would have a bit different operation as the ASA would now be a device behind a NAT then again you probably wouldnt be using Dynamic PAT for the external IP address of the ASA on the Router in front of it anyway.

- Jouni

Marius Gunnerud Tue, 10/22/2013 - 05:35
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

If you are the administrator of the device connected to the ASA's outside interface then you can configure the ASA to NAT how you want it to and then later on just change the configuration on the outside device to again NAT the addresses that the ASA has NATed to.  It is a messy setup and as Jouni has mentioned it would be best to just have the public IP on the ASA.

On the other hand if you are not the administrator of that outside device, your future configurations will greatly depend on the ISP and how flexible they can be to meet your addressing needs.


This Discussion