I ahve a ASA 5510. We have a vendor that is requiring us to NAT 50 internal IPs to 50 of their IPs. We did static 1 to 1 NAT for a couple of these and yes it works....but 50 static 1 to 1 NAT statements...is there a better way. We can only change the config on our side they will not change anything on their side...please some advice.
You can still use static NAT but this time include the network instead of 1:1 IP address
static (real_ip,mapped_ip) real_ip mapped_ip netmask mask
static (inside,outside) 192.168.10.0 67.148.xx.xx netmask 255.255.255.0
I don't currently have an ASA in the lab to test, but you should be able to do something like this-
global (vendor) 30 10.1.1.1-10.1.1.1.50 netmask 255.255.255.0
nat (inside) 30 access-list VENDOR
access-list VENDOR standard permit host 192.168.1.10
access-list VENDOR standard permit host 192.168.1.11
The 10.1.1.x addresses is the vendor IP's you need to translate to and the 192.168.1.x would be your internal IP's.
Thanks for the reply but let me be more specific....ie
192.168.10.1 NAT 10.100.100.1
192.168.26.5 NAT 10.100.100.2
so our inside IPS are all different and so are theres
but if I NAT them they will not see our inside IP correct?
Correct. The ACL will list your internal IP's that should be mapped to the vendors IPs. The global NAT pool will assign an IP when one of the users from the ACL goes out the vendor interface. Your ACL would look like this-
access-list VENDOR standard permit host 192.168.10.1
access-list VENDOR standard permit host 192.168.26.5
The global would be-
global (vendor) 30 10.100.100.1-10.100.100.50 netmask 255.255.255.0
But we have 50 different IPs no all same subnet that will natted be mapped to 50 different IPs on same subnet IE
"if I NAT them they will not see our inside IP correct?"
If your inside IPs are all different and they don't follow a pattern, at least some blocks, your only option is to do one by one.