Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1152
Views
0
Helpful
6
Replies

Can Private (NAT) and Public IP manage in the same interface of ASA?

Machi Ma
Level 1
Level 1

‎11-11-2014 09:54 PM - edited ‎03-11-2019 10:03 PM

Hello,

I have planning the deploy ASA while it have problem that there are parts of user with private IPs require NAT to Internet.  And some of them using public IPs will directly assign to user. 

 

I would like to check is it possbile they managed with single interface?

 

or I need to deploy it into 2 interface? one for NAT and another will handle to WAN IP user?

 

Thanks!

Labels:
0 Helpful
6 Replies 6

Prashant Joshi
Cisco Employee
Cisco Employee

‎11-11-2014 10:39 PM

Yes, they can be managed using single WAN  interface..

 

Example  ASA  interface IP 1.1.1.1 can be used for PAT      and extra IP's 1.1.1.2 and 1.1.1.3 used for  one to one NAT.

 

Thanks,

Prashant Joshi

 

 

0 Helpful

Machi Ma
Level 1
Level 1
In response to Prashant Joshi

‎11-12-2014 12:31 AM

Hello,

 

Thanks for your comment.  Yes, old version of ASA or other band of firewall could able to procedure secondary interfaces as a gateway.  (It may require to open another topic later on as I have many different subnets with different VLAN)

 

There should be more clear talking about network setup.

 

Three group of IP range:

a. WAN IP - used as a gateway to router

b. Production WAN IPs range - Used to assign user or server

c. private IP range - internal user

 

Requirement: 

Internal User with Private IP range require to access Internet.  But no need to map 1-to-1 NAT and external Internet will not able to direct access private LAN

 

Question:

Now is should require 3 interfaces? 1 for WAN, 1 as a DMZ  and 1 for INSIDE?

 

Thanks!

 

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Machi Ma

‎11-12-2014 02:16 AM

Hi,

This should be possible by creating the interfaces on the ASA device and configuring the Interface PAT on the ASA device for the two internal Private Sub net for the internet access.

Now , that depends on which version you are on.

For ASA 8.2 and below:-

nat (inside) 1 0 0

nat (dmz) 1 0 0

global (outside) 1 interface

For ASA 8.3 +:-

object network obj-0.0.0.0

subnet 0 0

nat (inside,outside) dynamic interface

object network obj-0.0.0.0-1

subnet 0 0

nat (dmz,outside) dynamic interface


Let me know if you have any other queries.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Machi Ma
Level 1
Level 1
In response to Vibhor Amrodia

‎11-12-2014 09:12 PM

Hi,

Thanks and I think PAT should be workable for me.

 

But I have range of IP which using Internet IP which no need network translate.  Still can be work into same interface?

 

Thanks!

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Machi Ma

‎11-12-2014 09:17 PM

Hi,

Yes , you can use Exempt NAT for those IP:-

For ex:-

object network obj-x.x.x.x

subnet x.x.x.x x.x.x.x

nat (inside,outside) source static obj-x.x.x.x obj-x.x.x.x

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni

‎11-11-2014 11:12 PM

Hi,

 

So you are saying that you would have LAN users in both private and public subnets? Have you previously used a Router as those subnets gateway or what is the situation?

 

A Cisco Router could handle "secondary" address on its interface while the ASA can not. In some older versions it was possible to configure the ASA so that it could act as a gateway for different subnets on a single interface but as its not possible anymore its not really an option to use older software ASA just for this purpose.

 

So as I said, if the situation is that you have 2 LAN subnets (private and public) you would either have to have their gateways configured on an actual router or have them in separate ASA interfaces.

 

Though you did not mention is the public subnet meant for the users the only public subnet allocated to you or do you have another public subnet on the WAN edge of the ASA? If you do not have any other public subnet then you would have to further subnet the existing subnet that would enable you to split one part of the public address space to the actual users and one to the WAN interface of the ASA. And since in that case the next hop device from ASA would most likely be an ISP device you would also have to work with them to make sure that they use the same subnet between them and your ASA and also route the other (split) subnet towards your ASA WAN interface IP address so that connections for the LAN users in public subnet would also work.

 

With regards the ASA NAT configurations the most important thing in new software levels (8.3+) is that you make sure that there is no NAT configurations that would perform NAT for the public subnet so they can connect to the Internet directly with their actual configured IP addresses.

 

Let me know if I understood something wrong.

 

Hope this helps :)

 

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card