Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

CISCO ASA 5500 Multiple NATs

I want to be able to expose a certain internal( IP with different Public Nat IP's for different clients on the same interface on a cisco ASA 5500

e.g    for  client 1
   for  client 2
 for  cleint 3
   for  client 4

How do i achieve this?


CISCO ASA 5500 Multiple NATs


You need to be running 8.3 or above.

If you have the IPs for the clients (where they are coming from), you can create a policy NAT to expose the internal IP to a different one for each client.


Community Member

CISCO ASA 5500 Multiple NATs

I had it configured like this,except this created issues with traffic initiated from to the clients as it wouldn't know which IP to Nat it to as it exits the firewall interface, but inboud traffic worked properly. All the clients connect to a range of ports (1033 - 1038)

access-list test1 permit ip host any

static(inside,dmz4) access-list test1

access-list test2 permit ip host any

static(inside,dmz4) access-list test2

access-list test3 permit ip host any

static(inside,dmz4) access-list test3

access-list test4 permit ip host any

static(inside,dmz4) access-list test4

Basically my situation is i have four different groups of clients that need to access a service on, but i want

each group to connect to a different IP, hence the four way NAT requrement. One more thing is also needs to connect to some clients to access services on their side.

What i eventually did was i created an object group for each group of clients that need access to a specific external Natted IP, so i had four object-groups,with this i was hoping that it would NAT to a different IP depending on what object group the source IP belongs to and Nat to the correct external IP. Below are the NAT configurations.

access-list test5 permit ip host object-group test9

static (inside, dmz4)  access-list test5

access-list test6 permit ip host object-group test10

static (inside, dmz4) access-list test6

access-list test7 permit ip host object-group test11

static(inside,dmz4) access-list test7

access-list test8 permit ip host object-group test12

static(inside,dmz4) access-list test8

I hope this clarifies my requirement and scenario. Your help will be greatly appreciated.

CreatePlease to create content