New Member

can we nat single ip to 2 different public ip's

Dear All,

I have a query regarding NAT on a firewall. I have 2 different provider pools and I have a single FW. I want my servers to get natted to these public IPs on the ASA. Is there any mechanism using which we can NAT this single server IP to 2 different provider IP address ranges?

waiting for valuable comments.

Thanks and Regards,

Mangesh.

4 REPLIES
Cisco Employee

Re: can we nat single ip to 2 different public ip's

Mangesh,

If there is only one interface I would say "no".

The logic ASA is following is to NAT a particular host on inside to a host on outside, rather than the logic of translating a particular external IP to an IP on inside - that's long story short ;-)

I'm also curious how routing would look like ;-)

Marcin

New Member

Re: can we nat single ip to 2 different public ip's

Hi Marcin,

Thanks for your reply.

I understood your point so let me frame my question in better way to finalise this discussion.

I am having one inside interface on ASA and I have 2 outside interfaces named outside1 and outside2.

Let's say I have 192.168.10.0/28 subnet to be natted for outside internet access.

So now can I nat this subnet present on inside interface to outside1 and outside2 of single ASA.


Thanks and Regards,

Mangesh.

Cisco Employee

Re: can we nat single ip to 2 different public ip's

Mangesh,

Well there is no problem to do the actual NAT itself to two different interfaces, at least from configuration point of view. (either static or dynamic translations)

Problem is how do you organize the routing. There is no PBR on the ASA. How do you tell traffic to come out through one interface and not the other.

Unless you intend to have only specific destinations available via outside2 and outside1 being your default.

In theory ASA should do per src/dst load balancing of default routes, however I have not tried it out for default routes spread on two different interfaces, but I see no restriction in command reference.

I hope I'm not too cryptic, if there's something not clear let me know,

Marcin

Cisco Employee

Re: can we nat single ip to 2 different public ip's

Mangesh,

A correction on my side. I did a quick lab test - you cannot configure double default out different interface.

You'll receive this error if you try:

ERROR: Cannot add route entry, conflict with existing routes

(you can still add the route but with a higher metric)

So your best guess is load-balancing per destination or just using another ISP as a fallback. Since ASA is not a load balancer there will always be problem to do this in a scalable way.

Marcin
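
An added configuration sketch, not part of any reply above, of the outcome the thread reaches: the inside subnet is translated on both outside1 and outside2, one default route is primary, and the second is installed with a higher metric as a fallback. It assumes ASA 8.3 or later object-NAT syntax; the object names, next-hop addresses, SLA/track numbers and the 192.0.2.0/24 destination are constructed placeholders from documentation ranges.

```cisco
! Assumption: interfaces are already named inside, outside1 and outside2,
! as in the thread. All public addresses below are constructed placeholders.

! Object NAT allows one nat rule per object, so the same subnet is
! defined twice, once per egress interface.
object network SERVERS-VIA-OUTSIDE1
 subnet 192.168.10.0 255.255.255.240
 nat (inside,outside1) dynamic interface
object network SERVERS-VIA-OUTSIDE2
 subnet 192.168.10.0 255.255.255.240
 nat (inside,outside2) dynamic interface

! Probe the ISP1 next hop so the primary default route is withdrawn when
! the path fails, not only when the outside1 link itself goes down.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route via outside1, tied to the tracked probe.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Second default route on a different interface: only accepted with a
! higher metric, so it is used as a fallback and not for load sharing.
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Optional per-destination split: a specific prefix always leaves via
! outside2 and is therefore translated by the outside2 NAT rule.
route outside2 192.0.2.0 255.255.255.0 198.51.100.1 1

! Checks after applying:
!   show route     - which default route is currently installed
!   show track 1   - state of the reachability probe
!   show xlate     - which outside interface each translation was built on
```

The NAT rule that applies is decided by the egress interface the route lookup selects, so access rules and logging should be reviewed for both outside interfaces.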
