Cisco Support Community

New Member

nat configuration

My ASA has an existing overloaded NAT in place for all the connections going out,
like nat (inside) 1 0.0.0.0 0.0.0.0
I need to configure a separate NAT for outgoing translation with a set of IPs.
The local IPs are 192.168.100.1 to 192.168.100.3 and they are to be NATted with 202.88.116.27. Please help on how to configure this for use by these IPs only.

Thanks in advance.

5 REPLIES
Cisco Employee

Re: nat configuration

Hello,

You can specify another NAT pool and specify specific source addresses that will be using that pool. In dynamic NAT, the firewall uses specific translation first before using the generic pool.

global (outside) 2 202.88.116.27

nat (inside) 2 192.168.100.0 255.255.255.252

The above configuration enables all the hosts from 192.168.100.0 to 192.168.100.3 to use the 202.88.116.27 address (since 100.0 is the network address, you will not see any traffic from that address).

Hope this helps.

Regards,

NT

New Member

Re: nat configuration

Thanks for your reply. Wouldn't I need to deny this pool being used by other internal IPs for NAT?

Cisco Employee

Re: nat configuration

Hello,

Once the firewall picks one pool, it will not look for the second pool. The firewall always picks the longest (best) match for every source address (sometimes it will also check the destination address if you have configured policy nat). So, you do not need to explicitly deny an address from using a pool.

Hope this helps.

Regards,

NT

New Member

Re: nat configuration

OK, my intention is to ensure that this second global IP is not being used by other IPs except for 192.168.100.1 to 192.168.100.3.

nat (inside) 1 0.0.0.0 0.0.0.0 - this NAT is using another global IP address for general overload. I want to ensure IPs from this range don't try to use the second global IP for NAT.

Would it be possible without any additional config?

Thanks in advance.

Cisco Employee

Re: nat configuration

Hello,

If you configure "nat (inside) 2 192.168.100.0 255.255.255.252" only addresses covered in the range can use the nat pool identified by number 2. You do not need any other configuration to block other IP addresses from using the range.

Hope this helps.

Regards,

NT
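
Added example (not part of the original thread and not Cisco code): a small Python model of the rule selection the replies describe, where the most specific nat statement matching the source address decides which global pool is used. The function names are hypothetical, and pool 1's address 203.0.113.10 is a constructed placeholder because the thread does not give it.

```python
import ipaddress

# nat (inside) statements from the thread: (NAT ID, network, netmask)
NAT_RULES = [
    (1, "0.0.0.0", "0.0.0.0"),
    (2, "192.168.100.0", "255.255.255.252"),
]

# global (outside) pools keyed by NAT ID
GLOBAL_POOLS = {
    1: "203.0.113.10",   # constructed placeholder, not from the thread
    2: "202.88.116.27",  # from the thread
}


def select_nat_id(src, rules=NAT_RULES):
    """Return the NAT ID of the longest-prefix rule that matches src."""
    addr = ipaddress.ip_address(src)
    best_id, best_len = None, -1
    for nat_id, net, mask in rules:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network and network.prefixlen > best_len:
            best_id, best_len = nat_id, network.prefixlen
    return best_id


def translated_address(src, rules=NAT_RULES, pools=GLOBAL_POOLS):
    """Return the global address src would be translated to, or None."""
    return pools.get(select_nat_id(src, rules))


def hosts_using_pool(nat_id, hosts, rules=NAT_RULES):
    """Audit helper: which of the given inside hosts land on this NAT ID."""
    return [h for h in hosts if select_nat_id(h, rules) == nat_id]


if __name__ == "__main__":
    # Constructed sample of inside hosts, including the /30 boundary.
    sample = ["192.168.100.1", "192.168.100.3", "192.168.100.4", "10.1.1.5"]
    for host in sample:
        print(f"{host:15} -> NAT ID {select_nat_id(host)} "
              f"-> {translated_address(host)}")
```

The boundary case is the useful check: 192.168.100.4 falls outside the 255.255.255.252 mask, so it matches only the 0.0.0.0 rule and never reaches 202.88.116.27.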
