How to NAT a pool of IPs in Cisco ASA - Help

dan_track
Level 1

Hi,

I have a problem where I'd like to NAT a pool of IPs in my DMZ to a single IP or a pool of IPs on my inside network. I have a VPN device that is going to hand out a range of IPs to VPN clients; the range is 172.15.16.0/24. The DMZ is on the range 10.45.96.0/24. I'd like to NAT this VPN pool of IPs, 172.15.16.0/24, to a single IP or a pool of IP addresses on my inside interface (10.45.60.0) on my Cisco ASA. Can someone please help me with the configuration?

Also, how can I restrict this range of IPs, i.e. the VPN pool or the NATted inside pool, to accessing a few pre-determined IPs and port numbers? I.e. where can I place the ACL, before or after NAT?

Many thanks

Dan

Accepted Solution

Jon Marshall
Hall of Fame

Dan

To a single IP (PAT):

nat (outside) 1 172.16.5.0 255.255.255.0 outside
global (inside) 1 10.45.60.250 netmask 255.255.255.0

To a pool (one-to-one dynamic NAT):

nat (outside) 1 172.16.5.0 255.255.255.0 outside
global (inside) 1 10.45.60.100-10.45.60.199 netmask 255.255.255.0

! The mapped addresses above are examples taken from the 10.45.60.0/24 inside range in the question;
! substitute your own, and put your actual VPN pool and interface name in the nat line.

To restrict access, use an outbound ACL on the inside interface.

Jon


7 Replies


Hi Jon,

Many, many thanks for that. Can I just ask, is there a benefit to using either a single IP or multiple IPs for the inside IPs?

Thanks

Dan

Dan

It depends on a couple of things:

1) If you use a single address then it will have to do PAT (port address translation). This is fine as long as it doesn't break the application, which it can do.

2) More importantly, if you use a single address it is a lot harder to tie that to the real IP address. If you want to log what the VPN clients are doing then it is easier to do a one-to-one translation, log this translation and then track down what that NATted IP address did.

3) The other one is obviously a shortage of addresses, which is often why PAT is used going from inside to the Internet. But that doesn't apply in this case as you can use any private addressing you like.

Jon

You're a star Jon.

Many thanks

Dan

No problem, glad to have helped.

Hi Jon,

One more question. What is the point of the static command? Doesn't this do the NATting? How does it differ from your suggested solution?

Thanks

Dan

Dan

The static command creates a permanent NAT translation and is bi-directional, i.e. connections can be initiated from both sides.

But all you want to do is NAT incoming VPN connections, so you can do this dynamically because connections will only ever be initiated from the VPN client.

Jon
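
A complete worked configuration for what Jon describes across his replies (dynamic outside NAT into a one-to-one inside pool with a PAT address as overflow, the ACL that restricts the translated clients, and the static alternative he says is not needed), added here as an editorial example and not taken from Jon's or Dan's posts. It uses Dan's networks from the question (VPN pool 172.15.16.0/24 reached through the DMZ, inside 10.45.60.0/24); the interface names and addresses, the 10.45.60.100-199 mapped range, the 10.45.60.250 PAT address, the VPN device address 10.45.96.10 and the destination hosts and ports are assumed for illustration. The nat/global syntax is the pre-8.3 ASA form the thread uses; the object-based equivalent for ASA 8.3 and later is shown after it.

```text
! ---- ASA pre-8.3 (7.x - 8.2): nat/global syntax as used in the thread ----------
! Interfaces (names, security levels and addresses assumed)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.45.60.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.45.96.1 255.255.255.0
!
! Return traffic for the VPN client pool goes back to the VPN device in the DMZ
! (VPN device address 10.45.96.10 assumed)
route dmz 172.15.16.0 255.255.255.0 10.45.96.10
!
! Outside NAT: the real addresses (the VPN pool) sit behind the lower-security
! interface, so the nat statement is placed on dmz and carries the "outside" keyword.
nat (dmz) 1 172.15.16.0 255.255.255.0 outside
!
! Mapped addresses on inside, NAT ID 1:
!  - the range gives one-to-one dynamic NAT (one xlate per client, easy to log);
!  - a single host under the same ID is used for PAT only once the range is exhausted.
global (inside) 1 10.45.60.100-10.45.60.199 netmask 255.255.255.0
global (inside) 1 10.45.60.250 netmask 255.255.255.0
!
! Restrict what the VPN clients may reach. The traffic enters on dmz (security 50)
! and leaves on inside (100); low-to-high is denied until an inbound ACL on dmz
! permits it, so the filter is applied there. An ACL uses the addresses valid on
! the interface it is attached to, whichever direction it is applied in: on dmz
! that is the real pool; if it were applied "out" on inside, as in the accepted
! answer, it would have to match the mapped 10.45.60.100-199 and 10.45.60.250
! addresses instead (destination hosts and ports below are assumed).
access-list VPN-CLIENTS-IN extended permit tcp 172.15.16.0 255.255.255.0 host 10.45.60.20 eq 443
access-list VPN-CLIENTS-IN extended permit tcp 172.15.16.0 255.255.255.0 host 10.45.60.21 eq 3389
access-list VPN-CLIENTS-IN extended permit udp 172.15.16.0 255.255.255.0 host 10.45.60.5 eq domain
access-list VPN-CLIENTS-IN extended deny ip 172.15.16.0 255.255.255.0 any log
access-group VPN-CLIENTS-IN in interface dmz
!
! Not needed here, per the thread: a static makes the mapping permanent and
! bidirectional, so inside hosts could initiate connections to 10.45.60.100
! and reach the VPN client behind it. Shown for one client only, for contrast.
! static (dmz,inside) 10.45.60.100 172.15.16.100 netmask 255.255.255.255
!
! ---- ASA 8.3 and later: same result with network objects (manual/twice NAT) -----
object network VPN-POOL
 subnet 172.15.16.0 255.255.255.0
object network VPN-POOL-MAPPED
 range 10.45.60.100 10.45.60.199
! real interface dmz, mapped interface inside; one-to-one dynamic NAT into the range
nat (dmz,inside) source dynamic VPN-POOL VPN-POOL-MAPPED
! From 8.3 on, ACLs always match real addresses, so the dmz ACL above is unchanged.
```

Verify with `show xlate`: while the range is in use there is one entry per VPN client, which is what makes Jon's logging point work (the mapped 10.45.60.1xx address in any inside log can be tied straight back to one 172.15.16.x client); once clients spill over onto 10.45.60.250 the entries carry ports as well and the mapping has to be correlated by port and time. Filtering on the dmz side also avoids an awkwardness with the accepted answer's placement on inside: a mapped range such as 10.45.60.100-199 is not a subnet, so an outbound ACL there cannot express it with a single mask and needs an object-group or a wider match, whereas the real pool is a clean /24.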
