Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can Private (NAT) and Public IP manage in the same interface of ASA?

Hello,

I have planning the deploy ASA while it have problem that there are parts of user with private IPs require NAT to Internet.  And some of them using public IPs will directly assign to user. 

 

I would like to check is it possbile they managed with single interface?

 

or I need to deploy it into 2 interface? one for NAT and another will handle to WAN IP user?

 

Thanks!

6 REPLIES
Cisco Employee

Yes, they can be managed

Yes, they can be managed using single WAN  interface..

 

Example  ASA  interface IP 1.1.1.1 can be used for PAT      and extra IP's 1.1.1.2 and 1.1.1.3 used for  one to one NAT.

 

Thanks,

Prashant Joshi

 

 

New Member

Hello, Thanks for your

Hello,

 

Thanks for your comment.  Yes, old version of ASA or other band of firewall could able to procedure secondary interfaces as a gateway.  (It may require to open another topic later on as I have many different subnets with different VLAN)

 

There should be more clear talking about network setup.

 

Three group of IP range:

a. WAN IP - used as a gateway to router

b. Production WAN IPs range - Used to assign user or server

c. private IP range - internal user

 

Requirement: 

Internal User with Private IP range require to access Internet.  But no need to map 1-to-1 NAT and external Internet will not able to direct access private LAN

 

Question:

Now is should require 3 interfaces? 1 for WAN, 1 as a DMZ  and 1 for INSIDE?

 

Thanks!

 

Cisco Employee

Hi,This should be possible by

Hi,

This should be possible by creating the interfaces on the ASA device and configuring the Interface PAT on the ASA device for the two internal Private Sub net for the internet access.

Now , that depends on which version you are on.

For ASA 8.2 and below:-

nat (inside) 1 0 0

nat (dmz) 1 0 0

global (outside) 1 interface

For ASA 8.3 +:-

object network obj-0.0.0.0

subnet 0 0

nat (inside,outside) dynamic interface

object network obj-0.0.0.0-1

subnet 0 0

nat (dmz,outside) dynamic interface


Let me know if you have any other queries.

Thanks and Regards,

Vibhor Amrodia

New Member

Hi,Thanks and I think PAT

Hi,

Thanks and I think PAT should be workable for me.

 

But I have range of IP which using Internet IP which no need network translate.  Still can be work into same interface?

 

Thanks!

Cisco Employee

Hi,Yes , you can use Exempt

Hi,

Yes , you can use Exempt NAT for those IP:-

For ex:-

object network obj-x.x.x.x

subnet x.x.x.x x.x.x.x

nat (inside,outside) source static obj-x.x.x.x obj-x.x.x.x

Thanks and Regards,

Vibhor Amrodia

Super Bronze

Hi, So you are saying that

Hi,

 

So you are saying that you would have LAN users in both private and public subnets? Have you previously used a Router as those subnets gateway or what is the situation?

 

A Cisco Router could handle "secondary" address on its interface while the ASA can not. In some older versions it was possible to configure the ASA so that it could act as a gateway for different subnets on a single interface but as its not possible anymore its not really an option to use older software ASA just for this purpose.

 

So as I said, if the situation is that you have 2 LAN subnets (private and public) you would either have to have their gateways configured on an actual router or have them in separate ASA interfaces.

 

Though you did not mention is the public subnet meant for the users the only public subnet allocated to you or do you have another public subnet on the WAN edge of the ASA? If you do not have any other public subnet then you would have to further subnet the existing subnet that would enable you to split one part of the public address space to the actual users and one to the WAN interface of the ASA. And since in that case the next hop device from ASA would most likely be an ISP device you would also have to work with them to make sure that they use the same subnet between them and your ASA and also route the other (split) subnet towards your ASA WAN interface IP address so that connections for the LAN users in public subnet would also work.

 

With regards the ASA NAT configurations the most important thing in new software levels (8.3+) is that you make sure that there is no NAT configurations that would perform NAT for the public subnet so they can connect to the Internet directly with their actual configured IP addresses.

 

Let me know if I understood something wrong.

 

Hope this helps :)

 

- Jouni

408
Views
0
Helpful
6
Replies
CreatePlease login to create content