Cisco Support Community

New Member

Best Practice many to many NAT

I have an ASA 5510. We have a vendor that is requiring us to NAT 50 internal IPs to 50 of their IPs. We did static 1 to 1 NAT for a couple of these and yes it works....but 50 static 1 to 1 NAT statements...is there a better way? We can only change the config on our side; they will not change anything on their side...please, some advice.

9 REPLIES
New Member

Re: Best Practice many to many NAT

You can still use static NAT, but this time include the network instead of a 1:1 IP address

static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

static (inside,outside) 67.148.xx.xx 192.168.10.0 netmask 255.255.255.0

New Member

Re: Best Practice many to many NAT

Thanks

But we have 50 different IPs, not all on the same subnet, that will be NATted (mapped) to 50 different IPs on the same subnet

New Member

Re: Best Practice many to many NAT

As far as I know, you have to do the individual entries.

Never Mind^

Re: Best Practice many to many NAT

I don't currently have an ASA in the lab to test, but you should be able to do something like this-

global (vendor) 30 10.1.1.1-10.1.1.50 netmask 255.255.255.0

nat (inside) 30 access-list VENDOR

access-list VENDOR extended permit ip host 192.168.1.10 any

access-list VENDOR extended permit ip host 192.168.1.11 any

etc...

The 10.1.1.x addresses are the vendor IPs you need to translate to, and the 192.168.1.x would be your internal IPs.

New Member

Re: Best Practice many to many NAT

Thanks for the reply, but let me be more specific....i.e.

192.168.10.1 NAT 10.100.100.1

192.168.26.5 NAT 10.100.100.2

So our inside IPs are all different and so are theirs.

But if I NAT them, they will not see our inside IP, correct?

Re: Best Practice many to many NAT

Correct. The ACL will list your internal IPs that should be mapped to the vendor's IPs. The global NAT pool will assign an IP when one of the users from the ACL goes out the vendor interface. Your ACL would look like this-

access-list VENDOR extended permit ip host 192.168.10.1 any

access-list VENDOR extended permit ip host 192.168.26.5 any

The global would be-

global (vendor) 30 10.100.100.1-10.100.100.50 netmask 255.255.255.0

New Member

Re: Best Practice many to many NAT

Thanks

But we have 50 different IPs, not all on the same subnet, that will be NATted (mapped) to 50 different IPs on the same subnet, i.e.

xxx.aaa.21.102 10.222.xxx.193

xxx.aaa.37.100 10.222.xxx.194

xxx.aaa.21.101 10.222.xxx.195

xxx.aaa.16.92 10.222.xxx.196

xxx.aaa.18.100 10.222.xxx.197

Re: Best Practice many to many NAT

Doesn't matter if they are contiguous or not.

New Member

Re: Best Practice many to many NAT

"if I NAT them they will not see our inside IP correct?"

Correct.

If your inside IPs are all different and they don't follow a pattern, at least in some blocks, your only option is to do them one by one.
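For the one-by-one approach discussed in this thread, the 50 statements can be generated from the mapping table instead of typed by hand, which also catches a duplicated or out-of-range address before it reaches the firewall. This is an added example, not code from any poster; it assumes pre-8.3 ASA `static` syntax, an interface named `vendor`, a vendor range of 10.100.100.0/24, and a constructed sample table.

```python
import ipaddress

# Constructed sample table in the "real mapped" layout used in the thread.
SAMPLE = """
192.168.10.1   10.100.100.1
192.168.26.5   10.100.100.2
192.168.37.100 10.100.100.3
"""

def parse_pairs(text):
    """Yield (real, mapped) address pairs from whitespace-separated lines."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#")[0].split()  # allow trailing '#' comments
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {n}: expected 'real mapped', got {line!r}")
        yield ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])

def build_static_nat(text, vendor_net, real_ifc="inside", mapped_ifc="vendor"):
    """Return one pre-8.3 'static' line per host, rejecting bad tables."""
    net = ipaddress.ip_network(vendor_net)
    seen_real, seen_mapped, lines = set(), set(), []
    for real, mapped in parse_pairs(text):
        if mapped not in net:
            raise ValueError(f"{mapped} is outside vendor range {net}")
        if real in seen_real:
            raise ValueError(f"real address {real} appears twice")
        if mapped in seen_mapped:
            raise ValueError(f"mapped address {mapped} appears twice")
        seen_real.add(real)
        seen_mapped.add(mapped)
        # Pre-8.3 order: static (real_ifc,mapped_ifc) mapped_ip real_ip
        lines.append(f"static ({real_ifc},{mapped_ifc}) {mapped} {real} "
                     "netmask 255.255.255.255")
    return lines

if __name__ == "__main__":
    print("\n".join(build_static_nat(SAMPLE, "10.100.100.0/24")))
```

Unlike a shared `global` pool, each generated line pins one inside host to one fixed vendor-side address, so the mapping table itself can be reviewed and kept under change control.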
