Cisco Support Community
New Member

How to NAT a pool of IPs in Cisco ASA - Help

Hi,

I have a problem where I'd like to NAT a pool of IPs in my DMZ to a single IP or a pool of IPs on my inside network. I have a VPN device that is going to hand out a range of IPs to VPN clients; the range is 172.15.16.0/24. The DMZ is on the range 10.45.96.0/24. I'd like to NAT this VPN pool of IPs, 172.15.16.0/24, to a single IP or a pool of IP addresses on my inside interface (10.45.60.0) on my Cisco ASA. Can someone please help me with the configuration?

Also, how can I restrict this range of IPs, i.e. the VPN pool or the NATed inside pool, to accessing a few pre-determined IPs and port numbers? I.e. where can I place the ACL, before or after NAT?

Many thanks

Dan

ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: How to NAT a pool of IPs in Cisco ASA - Help

Dan

To a single IP

nat (outside) 1 172.15.16.0 255.255.255.0 outside

global (inside) 1 10.45.60.254    [10.45.60.254 stands for an unused address on the inside network; the original post left the address off the global command]

To a pool

nat (outside) 1 172.15.16.0 255.255.255.0 outside

global (inside) 1 10.45.60.129-10.45.60.254 netmask 255.255.255.0    [the range stands for a block of unused inside addresses; the original post left it off]

To restrict access, use an outbound ACL on the inside interface.

Jon

7 REPLIES

New Member

Re: How to NAT a pool of IPs in Cisco ASA - Help

Hi Jon,

Many, many thanks for that. Can I just ask, is there a benefit of using either single or multiple IPs for the inside IPs?

Thanks

Dan

Hall of Fame Super Blue

Re: How to NAT a pool of IPs in Cisco ASA - Help

Dan

Depends on a couple of things

1) If you use a single address then it will have to do PAT (port address translation). This is fine as long as it doesn't break the application, which it can do.

2) More importantly, if you use a single address it is a lot harder to tie that to the real IP address. If you want to log what the VPN clients are doing then it is easier to do a one-to-one translation, log this translation and then track down what that NATed IP address did.

3) The other one is obviously a shortage of addresses, which is often why PAT is used going from inside to the Internet. But that doesn't apply in this case as you can use any private addressing you like.

Jon
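A fuller version of the configuration from Jon's two answers, added here as an example; it is not from the thread and not from Cisco's documentation. It uses the pre-8.3 nat/global syntax the answers use. Only the VPN pool 172.15.16.0/24 and the inside network 10.45.60.0/24 come from Dan's question; the interface names (outside, inside), the mapped block 10.45.60.129-254, the two server addresses and ports, the ACL names and the syslog host are assumptions chosen to make the snippet concrete.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, as in Jon's answers.
! Assumptions: VPN clients (172.15.16.0/24, from Dan's post) enter on "outside";
! 10.45.60.129-254 is unused on the inside LAN (the ASA proxy-ARPs for global
! addresses on inside, so they must not belong to real hosts or a DHCP scope);
! 10.45.60.50:443 and 10.45.60.51:3389 are the only permitted targets;
! nat-control is disabled (the default), so the servers need no NAT rule of their own.

! 1. Dynamic one-to-one NAT (Jon's "pool" option). Each client holds one mapped
!    address for the life of its xlate, so a mapped IP seen in a log maps back
!    to exactly one real VPN address.
nat (outside) 1 172.15.16.0 255.255.255.0 outside
global (inside) 1 10.45.60.129-10.45.60.254 netmask 255.255.255.0
!    Jon's "single IP" option instead (PAT: all clients share one address, and
!    the real source is recoverable only from the port recorded in the xlate log):
!    global (inside) 1 10.45.60.254

! 2. Restriction. Traffic from a lower- to a higher-security interface is dropped
!    unless an ACL on the ingress interface permits it, so an inbound ACL on
!    "outside" is needed regardless of NAT. An ACL uses the addresses valid on
!    its own interface's network, so here the VPN clients match by REAL address.
access-list OUTSIDE-IN extended permit tcp 172.15.16.0 255.255.255.0 host 10.45.60.50 eq 443
access-list OUTSIDE-IN extended permit tcp 172.15.16.0 255.255.255.0 host 10.45.60.51 eq 3389
access-list OUTSIDE-IN extended deny ip 172.15.16.0 255.255.255.0 any log
access-group OUTSIDE-IN in interface outside
!    (only one access-group per interface and direction: merge these lines into
!     any ACL already applied inbound on outside)

!    Jon's placement, outbound on "inside", sees the clients by their MAPPED
!    addresses. The outside ACL must still let the pool in; this one then narrows
!    what may leave toward the inside LAN. It also sees every other flow leaving
!    inside, hence the final permit.
! access-list INSIDE-OUT extended permit tcp 10.45.60.128 255.255.255.128 host 10.45.60.50 eq 443
! access-list INSIDE-OUT extended permit tcp 10.45.60.128 255.255.255.128 host 10.45.60.51 eq 3389
! access-list INSIDE-OUT extended deny ip 10.45.60.128 255.255.255.128 any log
! access-list INSIDE-OUT extended permit ip any any
! access-group INSIDE-OUT out interface inside

! 3. Record the real<->mapped pairing. Xlate build/teardown messages
!    (%ASA-6-305011 / %ASA-6-305012) are severity 6 (informational), so ship
!    that level to a collector; without it a one-to-one pool gives no audit trail.
logging enable
logging timestamp
logging trap informational
logging host inside 10.45.60.20
```

Two things to check after applying this: `show xlate` should list one 10.45.60.129-254 entry per connected client (not a single address with many ports, which would mean the PAT form took effect), and the collector should be receiving 305011 messages with both the 172.15.16.x and the 10.45.60.x address in them.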

New Member

Re: How to NAT a pool of IPs in Cisco ASA - Help

You're a star Jon.

Many thanks

Dan

Hall of Fame Super Blue

Re: How to NAT a pool of IPs in Cisco ASA - Help

No problem, glad to have helped.

New Member

Re: How to NAT a pool of IPs in Cisco ASA - Help

Hi Jon,

One more question. What is the point of the static command? Doesn't this do the NATing? How does it differ from your suggested solution?

Thanks

Dan

Hall of Fame Super Blue

Re: How to NAT a pool of IPs in Cisco ASA - Help

Dan

The static command creates a permanent NAT translation and is bi-directional, i.e. connections can be initiated from both ways.

But all you want to do is NAT incoming VPN connections so you can do this dynamically because connections will only ever be initiated from the VPN client.

Jon
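For contrast with the dynamic rule, an added example (not from the thread, not Cisco documentation) of what the static command Dan asked about looks like in the same pre-8.3 syntax, and of the consequence Jon describes. The interface names, the mapped address 10.45.60.201 and the mapped block 10.45.61.0/24 are assumptions; only the VPN pool 172.15.16.0/24 is from Dan's question.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumptions: VPN clients 172.15.16.0/24 (Dan's pool) arrive on "outside";
! 10.45.60.201 and the block 10.45.61.0/24 are mapped addresses not used by
! any real inside host.
! Form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

! One VPN client pinned to one inside address, permanently:
static (outside,inside) 10.45.60.201 172.15.16.10 netmask 255.255.255.255

! The whole pool, one-to-one, into a mapped subnet of the same size. A static
! cannot map a /24 into part of the inside LAN (10.45.60.0/24), so it needs a
! separate block, which the inside routers must route to the ASA's inside interface.
static (outside,inside) 10.45.61.0 172.15.16.0 netmask 255.255.255.0

! What Jon means by bi-directional: these mappings exist whether or not a client
! is connected, and an inside host can now open a connection to 10.45.60.201 or
! 10.45.61.x (higher- to lower-security traffic is allowed by default when no
! ACL is applied on inside). With the dynamic rule below an xlate appears only
! after the client itself connects, so nothing inside can reach an idle client.
! nat (outside) 1 172.15.16.0 255.255.255.0 outside
! global (inside) 1 10.45.60.129-10.45.60.254 netmask 255.255.255.0
```

If static is chosen anyway (for fixed client-to-address accounting, say), the inbound ACL on outside still limits what the clients may reach, and an ACL applied on inside is what stops inside hosts from initiating back to the VPN clients.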
