New Member

Dynamic NAT vs Static

Hi everyone. I have an ASA with three interfaces. I have a NAT and Global statement that makes all my traffic destined for a server on the DMZ interface appear as if it is coming from 10.0.0.10. I have another group of users who need to go to the same server on the DMZ, but their source address needs to be 10.0.0.11. I was trying not to modify my NAT global statement and use a static translation. Is there a way to do this? This is the ASA config:

global (dmz) 5 10.0.0.10

nat (inside) 5 0.0.0.0 0.0.0.0

Accepted Solutions
Hall of Fame Super Blue

Re: Dynamic NAT vs Static

Hi

If you know the IP addresses of the users you can use policy NAT, e.g. let's say the users are all on the 192.168.5.0 network:

access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"

nat (inside) 6 access-list natusers

global (dmz) 6 10.0.0.11

HTH

Jon

New Member

Re: Dynamic NAT vs Static

Jon, thanks for a fast response. My fear was that the ASA will scream at me that the scope is overlapping with 0.0.0.0 0.0.0.0. I will try your suggestion right now.

Hall of Fame Super Blue

Re: Dynamic NAT vs Static

Hi

No, it should be fine. I forgot to mention that you can use a static statement with policy NAT as well, it's just I don't normally do it this way, e.g.

access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"

static (inside,dmz) 10.0.0.11 access-list natusers

HTH

Jon
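
The overlap concern raised in the thread, worked through as an added example (not code from the thread or from Cisco): a small Python model of the lookup order documented for pre-8.3 ASA NAT, in which policy dynamic NAT is matched before regular dynamic NAT. The DMZ server address 10.0.0.50 and the inside source addresses used below are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the thread's "dmz host"; not a value from the page.
DMZ_HOST = ipaddress.ip_address("10.0.0.50")

# global (dmz) <nat_id> <mapped address>
GLOBAL_POOLS = {5: "10.0.0.10", 6: "10.0.0.11"}

# nat (inside) 6 access-list natusers -> policy dynamic NAT (source net + destination)
POLICY_NAT = [
    (6, ipaddress.ip_network("192.168.5.0/24"), DMZ_HOST),
]

# nat (inside) 5 0.0.0.0 0.0.0.0 -> regular dynamic NAT (source net only)
REGULAR_NAT = [
    (5, ipaddress.ip_network("0.0.0.0/0")),
]


def mapped_source(src, dst):
    """Return (nat_id, mapped address) chosen by the modelled lookup order."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    # Policy dynamic NAT is evaluated first, in configuration order; first match wins.
    for nat_id, src_net, dst_host in POLICY_NAT:
        if src in src_net and dst == dst_host:
            return nat_id, GLOBAL_POOLS[nat_id]

    # Regular dynamic NAT is evaluated afterwards; the longest matching prefix wins.
    matches = [(net.prefixlen, nat_id) for nat_id, net in REGULAR_NAT if src in net]
    if not matches:
        return None  # no translation rule applies to this source
    _, nat_id = max(matches)
    return nat_id, GLOBAL_POOLS[nat_id]


if __name__ == "__main__":
    for src, dst in [
        ("192.168.5.20", "10.0.0.50"),  # policy NAT group to the DMZ server
        ("192.168.9.20", "10.0.0.50"),  # any other inside host to the DMZ server
        ("192.168.5.20", "10.0.0.60"),  # policy NAT group to a different DMZ host
    ]:
        print(src, "->", dst, "translated as", mapped_source(src, dst))
```

Because the policy rule also matches on destination, hosts in 192.168.5.0/24 fall back to the catch-all rule and 10.0.0.10 for any DMZ destination other than the server named in the access list.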

New Member

Re: Dynamic NAT vs Static

Looks like the commands went in fine. It will take me a little bit of time to test the actual connectivity, but I think that will work. Jon, thanks a bunch.

P.S.: I did the dynamic nat.
