How to achieve PAT for one of two outside interfaces only?
I am looking for help in setting up address translation on an ASA (version 7.2) with the following scenario:
-- four network interfaces: inside, DMZ1, DMZ2, outside
-- inside and DMZ1 have a limited number of subnets, DMZ2 has many subnets (routing via OSPF), outside is the Internet (routing via a static default route)
-- source addresses should be translated to a global address (PAT) for communications from inside or DMZ1 to outside (DMZ2 does not need to communicate with outside)
-- real addresses without translation (source or destination) should be used for communications between inside, DMZ1 and DMZ2
The problem I could not overcome is the "nat (inside)" configuration: the subnets in DMZ2 (and DMZ1) need to be exempted, but there are too many to make an ACL viable. Besides, this would thwart the advantage of using a routing protocol instead of static routing.
Can anybody suggest a NAT configuration that achieves the desired results?
Re: How to achieve PAT for one of two outside interfaces only?
Thank you, basically this would work. Unfortunately, DMZ2 has a couple of hundred subnets, which also change frequently (this is why I use a routing protocol on that interface). Therefore, I am looking for a configuration where I do not need to enumerate the DMZ2 subnets in an ACL (or object group). Any suggestions?
DMZ1 has only the connected subnet, so this is no problem.
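One configuration shape that fits the requirements in the question and the follow-up above (PAT only towards outside, untranslated traffic between inside, DMZ1 and DMZ2, nothing enumerated for DMZ2). This is an added illustration in ASA 7.2 (pre-8.3) syntax, not a reply from the original thread. The interface names are the ones from the question; the addresses (10.1.0.0/16 for inside, 10.2.0.0/24 for DMZ1) are assumed. The idea is to attach the dynamic rule to the source interfaces but put a "global" only on outside, and to cover the small, stable inside/DMZ1 ranges with identity statics towards DMZ2, so the DMZ2 subnets themselves never appear in the configuration.

```text
! Added example, not from the original thread. Assumed addressing:
!   inside = 10.1.0.0/16, DMZ1 = 10.2.0.0/24, DMZ2 = many subnets learned via OSPF.
!
! Without NAT control, traffic that matches a "nat" rule but has no matching
! "global" on the egress interface is forwarded untranslated instead of dropped.
no nat-control
!
! Dynamic PAT for inside and DMZ1. A "global" exists only on outside, so the
! translation is applied only for flows that leave through outside.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Identity statics for the few known ranges on the inside/DMZ1 side. Statics
! are matched before dynamic "nat" rules, so these keep inside<->DMZ2,
! DMZ1<->DMZ2 and inside<->DMZ1 traffic untranslated regardless of nat-control,
! and they enumerate only the small side, never the DMZ2 subnets.
static (inside,DMZ2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (DMZ1,DMZ2) 10.2.0.0 10.2.0.0 netmask 255.255.255.0
static (inside,DMZ1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! DMZ2 gets no "nat" rule at all: flows it initiates are never translated.
! Because nat-control is off, nothing forces a translation for DMZ2 -> outside,
! so the interface ACL has to deny it explicitly (assumed ACL name).
access-list DMZ2_IN extended deny ip any any  ! (placed after permits for inside/DMZ1 destinations)
access-group DMZ2_IN in interface DMZ2
!
! Checks: confirm that a flow to outside gets a PAT xlate and a flow to DMZ2 does not.
!   packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 80
!   packet-tracer input inside tcp 10.1.1.10 40000 10.3.5.7 80
!   show xlate
```

The only DMZ2-specific knowledge the box needs is the routes it already learns from OSPF; when a DMZ2 subnet is added or removed, nothing in the NAT configuration changes. The `deny` line on DMZ2 matters: with `no nat-control`, a missing translation rule no longer blocks DMZ2 hosts from reaching outside, so the access list has to.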