09-08-2010 06:25 PM - edited 03-11-2019 11:37 AM
This ASA has an existing basic NAT rule:
global (Internet-facing) 1 interface
nat (local) 1 0.0.0.0 0.0.0.0
The public interface IP is 210.19.56.71.
Now, if we want a different NAT for only a single user, using a different public IP, how can this be done so that it also doesn't affect other users?
E.g. this single user has the IP 192.168.100.10 and the other public IP is 210.19.56.73.
Will it work along with the existing rule if it is configured the following way?
global (Internet-facing) 4 interface
nat (local) 4 192.168.100.10 255.255.255.255
Please help. Thanks in advance!
09-08-2010 06:28 PM
Hello,
Yes, you can use a different global pool and a different IP for that.
global (Internet-facing) 4 210.19.56.73
nat (local) 4 192.168.100.10 255.255.255.255
This will ensure that host 192.168.100.10 will use the .73 address when going to the internet.
Hope this helps.
Regards,
NT
09-08-2010 06:31 PM
Yes, it will work. However, please be advised that it is only for outbound connections. If you need both directions, then you would need to configure a static NAT statement:
static (local,Internet-facing) 210.19.56.73 192.168.100.10 netmask 255.255.255.255
And the global statement should be as follows if you want to configure nat/global pair:
global (Internet-facing) 4 210.19.56.73
Hope that helps.
09-08-2010 06:36 PM
Hello Halijenn,
I think when it comes to dynamic NAT, the best match is considered, not the order.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696
Regards,
NT
09-08-2010 06:39 PM
NT is correct.
NAT ORDER OF OPERATIONS
The rules are tried in order.
1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
a) static nat with and without access-list (first match)
b) static pat with and without access-list (first match)
4) nat
a) nat access-list (first match)
Note: nat 0 access-list is not part of this command.
b) nat (best match)
Note: When choosing a global address from multiple pools with the same nat id, the following order is tried
i) if the id is 0, create an identity xlate.
ii) use the global pool for dynamic NAT
iii) use the global pool for dynamic PAT
5) Error
-KS
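The lookup order KS lists above, and NT's two answers (a per-host nat/global pair with a real pool address, versus a static for inbound reachability), can be checked against the thread's own configuration lines with a small simulator. The following Python is an added example, not Cisco code and not from anyone in the thread; it models only the pre-8.3 statement forms used here (nat, global, static with a host netmask), skips the steps the thread does not exercise (nat 0 access-list, existing xlates, nat access-list), and assumes the interface address 210.19.56.71 and the spare public address 210.19.56.73 from the original post. The configuration strings are constructed from the posts.

```python
"""Simulate the pre-8.3 ASA NAT lookup order described in the thread:
static (first match) before dynamic nat (best match), then the global pool
with the same nat id on the egress interface. Added example, not Cisco code;
only the statement forms that appear in the thread are parsed."""
import ipaddress
from dataclasses import dataclass

# Constructed from the thread: address of the outside interface (global ... interface).
INTERFACE_IP = {"Internet-facing": "210.19.56.71"}


@dataclass
class Nat:       # nat (iface) id real_address netmask
    iface: str
    nat_id: int
    net: ipaddress.IPv4Network


@dataclass
class Global:    # global (iface) id {interface | mapped_ip}
    iface: str
    nat_id: int
    address: str


@dataclass
class Static:    # static (inside,outside) mapped real netmask 255.255.255.255
    inside: str
    outside: str
    mapped: str
    real: str


def parse(config):
    """Parse nat/global/static lines; blank lines and '!' comments are ignored."""
    nats, globs, statics = [], [], []
    for line in config.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "nat":
            nats.append(Nat(t[1].strip("()"), int(t[2]), ipaddress.IPv4Network((t[3], t[4]))))
        elif t[0] == "global":
            globs.append(Global(t[1].strip("()"), int(t[2]), t[3]))
        elif t[0] == "static":
            inside, outside = t[1].strip("()").split(",")
            statics.append(Static(inside, outside, t[2], t[3]))
    return nats, globs, statics


def outbound(config, src, inside, outside):
    """Mapped address for a new outbound connection from src: (mapped_ip, reason)."""
    nats, globs, statics = parse(config)
    src_ip = ipaddress.IPv4Address(src)
    # 3) static: first match in configuration order
    for s in statics:
        if s.inside == inside and s.outside == outside and s.real == src:
            return s.mapped, "static"
    # 4b) nat: best (longest-prefix) match, so the order of nat lines is irrelevant
    hits = [n for n in nats if n.iface == inside and src_ip in n.net]
    if not hits:
        return None, "no nat statement"
    best = max(hits, key=lambda n: n.net.prefixlen)
    if best.nat_id == 0:
        return src, "identity (nat 0)"
    # global pool with the same id on the egress interface; a real pool address
    # is preferred over interface PAT (steps ii then iii in the thread)
    pools = [g for g in globs if g.iface == outside and g.nat_id == best.nat_id]
    pools.sort(key=lambda g: g.address == "interface")
    if not pools:
        return None, f"nat {best.nat_id} has no global on {outside}"
    g = pools[0]
    mapped = INTERFACE_IP[outside] if g.address == "interface" else g.address
    return mapped, f"nat {best.nat_id} -> global {g.address}"


def inbound(config, mapped, outside, inside):
    """Real host reachable from outside at mapped, or None: only static is bidirectional."""
    for s in parse(config)[2]:
        if s.inside == inside and s.outside == outside and s.mapped == mapped:
            return s.real
    return None


# Constructed configurations, copied from the posts in the thread.
ORIGINAL_POST = """global (Internet-facing) 1 interface
nat (local) 1 0.0.0.0 0.0.0.0
global (Internet-facing) 4 interface
nat (local) 4 192.168.100.10 255.255.255.255
"""
NT_DYNAMIC = ORIGINAL_POST.replace("global (Internet-facing) 4 interface",
                                   "global (Internet-facing) 4 210.19.56.73")
NT_DYNAMIC_REVERSED = "\n".join(reversed(NT_DYNAMIC.strip().splitlines())) + "\n"
NT_STATIC = """global (Internet-facing) 1 interface
nat (local) 1 0.0.0.0 0.0.0.0
static (local,Internet-facing) 210.19.56.73 192.168.100.10 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in [("original post", ORIGINAL_POST), ("NT dynamic", NT_DYNAMIC),
                      ("NT dynamic, reversed order", NT_DYNAMIC_REVERSED), ("NT static", NT_STATIC)]:
        for host in ("192.168.100.10", "192.168.100.20"):
            print(name, host, "->", outbound(cfg, host, "local", "Internet-facing"))
        print(name, "inbound to 210.19.56.73 ->", inbound(cfg, "210.19.56.73", "Internet-facing", "local"))
```

Running it shows the two points made in the thread: with `global (Internet-facing) 4 interface` from the original post, the /32 nat 4 still wins by best match but the host is translated to the interface address .71 like everyone else, so the pool for id 4 has to name 210.19.56.73 explicitly; and with either ordering of the dynamic lines the host gets .73 while other hosts get .71, but nothing from outside can reach 192.168.100.10 until the static is added.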
09-08-2010 06:59 PM
Thanks Kusankar, NT.
I've updated my previous post.
09-08-2010 07:03 PM
Does that mean that if global (Internet-facing) 1 interface & nat (local) 1 0.0.0.0 0.0.0.0 come before global (Internet-facing) 4 interface & nat (local) 4 192.168.100.10 255.255.255.255, the host 192.168.100.10 might use nat 1 instead of nat 4 based on order?
If so, will I have to reverse the order? And how do I arrange them in that sequence if nat 1 already exists?
Please correct me if this is wrong.
Thanks
09-08-2010 07:06 PM
Hello,
As long as your NAT statement is specific to a host, order does not matter.
You can leave it the way it is right now.
Regards,
NT