Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

10.x.x.x as outside address

        We are changing ISPs and the Class C  public subnet used for NATing and the outside of our ASA will no longer be used (by us).  We actually have 3 Class C subnets for Internet traffic.  There is  an appliance used as the gateway of ASA's outside interface that does the final NATing according to a policy we create.   Now the question,  since I am going to be changing the NAT statements and outside interface of our ASA, would it cause any problems to use a 10.x.x.x Class C  for these changes?   This way if  (when) we change ISPs again,  I do not have to change the ASA only the policy on the outside appliance.

2 REPLIES
Super Bronze

10.x.x.x as outside address

Hi,

So your are asking if you could use some subnet from the 10.0.0.0/8 network as the link network between your ASAs new WAN interface and the interface of the Router (or other device) in front of the ASA?

I don't think this should be a problem though I would personally prefer always for the ASA to have the public IP addresses directly. The NAT setup should be pretty simple after this on the ASA. I guess depending on if you had VPNs involved before this change they would have a bit different operation as the ASA would now be a device behind a NAT then again you probably wouldnt be using Dynamic PAT for the external IP address of the ASA on the Router in front of it anyway.

- Jouni

10.x.x.x as outside address

If you are the administrator of the device connected to the ASA's outside interface then you can configure the ASA to NAT how you want it to and then later on just change the configuration on the outside device to again NAT the addresses that the ASA has NATed to.  It is a messy setup and as Jouni has mentioned it would be best to just have the public IP on the ASA.

On the other hand if you are not the administrator of that outside device, your future configurations will greatly depend on the ISP and how flexible they can be to meet your addressing needs.

--

Please remember to rate and select a correct answer
745
Views
0
Helpful
2
Replies
CreatePlease to create content