
New Member

firewall nat

This ASA has an existing basic NAT rule:

     global (Internet-facing) 1 interface

     nat (local) 1 0.0.0.0 0.0.0.0

Public interface ip is 210.19.56.71

Now, if we want to have a different NAT for only a single user using a different public IP, how can this be done so it also doesn't affect other users?

E.g., this single user has the 192.168.100.10 IP and the other public IP is 210.19.56.73.

Will it work along with the existing rule if it is configured the following way?

       global (Internet-facing) 4 interface

       nat (local) 4 192.168.100.10 255.255.255.255

Please help. Thanks in advance!

1 ACCEPTED SOLUTION

Cisco Employee

Re: firewall nat

Hello,

As long as your NAT statement is specific to a host, order does not matter.

You can leave it the way it is right now.

Regards,

NT

7 REPLIES
Cisco Employee

Re: firewall nat

Hello,

Yes, you can use a different global pool and a different IP for that.

global (Internet-facing) 4 210.19.56.73

nat (local) 4 192.168.100.10 255.255.255.255

This will ensure that host 192.168.100.10 will use the .73 address when going to the internet.

Hope this helps.

Regards,

NT

Cisco Employee

Re: firewall nat

Yes, it will work; however, please be advised that it is only for outbound connections. If you need both directions, then you would need to configure a static NAT statement:

static (local,Internet-facing) 210.19.56.73 192.168.100.10 netmask 255.255.255.255

And the global statement should be as follows if you want to configure nat/global pair:

global (Internet-facing) 4 210.19.56.73

Hope that helps.

Cisco Employee

Re: firewall nat

Hello Halijenn,

I think when it comes to dynamic NAT, the best match is considered, not the order.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

Regards,

NT

Cisco Employee

Re: firewall nat

NT is correct.

NAT ORDER OF OPERATIONS

The rules are tried in order.

    1) nat 0 access-list (nat-exempt)
    2) match against existing xlates
    3) static
       a) static nat with and without access-list (first match)
       b) static pat with and without access-list (first match)
    4) nat
       a) nat access-list (first match)
       Note: nat 0 access-list is not part of this command.
       b) nat (best match)
       Note: When choosing a global address from multiple pools with
             the same nat id, the following order is tried
             i) if the id is 0, create an identity xlate.
             ii) use the global pool for dynamic NAT
             iii) use the global pool for dynamic PAT
    5) Error

-KS
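As an added illustration of NT's and KS's points (a constructed Python model written for this page, not ASA code), the following applies the lookup order above to the poster's own nat/global pairs: static is checked first, then dynamic nat is chosen by best match rather than by configuration order. INTERFACE_IP, the parsing helpers and translate() are assumptions of the model; nat 0 access-list, existing xlates and pool exhaustion are left out.

```python
import ipaddress

# Constructed model of the pre-8.3 ASA NAT lookup quoted in the thread (added
# example, not ASA code). Static rules are tried before dynamic nat; among
# dynamic nat rules the most specific mask wins, whatever the config order.
INTERFACE_IP = "210.19.56.71"  # Internet-facing interface address from the thread

def parse_nat(line):
    """'nat (local) <id> <ip> <mask>' -> (id, network)."""
    p = line.split()
    return int(p[2]), ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)

def parse_global(line):
    """'global (Internet-facing) <id> <interface|ip>' -> (id, mapped ip)."""
    p = line.split()
    return int(p[2]), INTERFACE_IP if p[3] == "interface" else p[3]

def parse_static(line):
    """'static (local,Internet-facing) <mapped> <real> netmask <mask>' -> (real, mapped)."""
    p = line.split()
    return p[3], p[2]

def translate(src, config):
    """Return (mechanism, mapped_ip) chosen for an outbound packet from src."""
    src_ip = ipaddress.ip_address(src)
    statics = dict(parse_static(c) for c in config if c.startswith("static"))
    if src in statics:                       # step 3: static (first match)
        return "static", statics[src]
    pools = dict(parse_global(c) for c in config if c.startswith("global"))
    best = None                              # step 4b: nat (best match)
    for line in config:
        if line.startswith("nat"):
            nat_id, net = parse_nat(line)
            if src_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (nat_id, net)
    if best is None or best[0] not in pools:
        return "error", None                 # step 5: nothing usable matched
    return f"nat {best[0]}", pools[best[0]]

# The poster's configuration, with the host-specific pair listed after the catch-all.
CONFIG = [
    "global (Internet-facing) 1 interface",
    "nat (local) 1 0.0.0.0 0.0.0.0",
    "global (Internet-facing) 4 210.19.56.73",
    "nat (local) 4 192.168.100.10 255.255.255.255",
]

if __name__ == "__main__":
    # Same answer whether nat 4 is listed before or after nat 1.
    print(translate("192.168.100.10", CONFIG), translate("192.168.100.10", CONFIG[::-1]))
```

Running it shows 192.168.100.10 mapped to 210.19.56.73 via nat 4 in both orders, while any other local host still falls through to nat 1 and the interface address.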
Cisco Employee

Re: firewall nat

Thanks Kusankar, NT.

I've updated my previous post.

New Member

Re: firewall nat

Does that mean if global (Internet-facing) 1 interface & nat (local) 1 0.0.0.0 0.0.0.0 is before global (Internet-facing) 4 interface & nat (local) 4 192.168.100.10 255.255.255.255, the host 192.168.100.10 might use nat 1 instead of nat 4 based on order?

If so, will I have to reverse the order? And how do I arrange them in that sequence if nat 1 already exists?

Please correct me if this is wrong.

Thanks
