Cisco Support Community
Bronze

NAT Question

I have a general NAT question I hope you can help us with. We are converting from a large public IP address block (no NAT whatsoever) into a private address space using a combination of NAT / PAT, etc.

I think the ASA can do this without issue (version 8.04), but want to verify. On the Outside interface I have a completely different subnet than the public space I have inside. (Basically a /30 on the outside to the provider and a large /19 on the inside). Now, can I NAT this /19 to the Outside interface even though it is on a different subnet than the /30 assigned to the Outside?

Example (IPs changed to preserve the innocent):

Outside IP = 23.2.2.2 /30 (apologies to whoever owns this space)

Inside IP = 167.2.0.0 /19 (more apologies)

Can I NAT that 167.2.0.0 /19 to the Outside without issue?

Thanks for your assistance!

Jim

4 REPLIES
Hall of Fame Super Blue

Re: NAT Question

Jim

Yes no problem. I'm assuming you mean hide all the 167.2.0.0/19 addresses behind 23.2.2.2 ?

If so

nat (inside) 1 167.2.0.0 255.255.224.0

global (outside) 1 interface

If I have misunderstood let me know.

Jon

Bronze

Re: NAT Question

Thanks, Jon - that is part of it.

How about if we have public servers on an IP address example 167.2.1.1 (SMTP)? Can I simply create a statement like this and will this work? This host is currently assigned the public IP 167.2.1.1 right on its TCP/IP stack and it will now be assigned a private address like 10.1.226.223 (assume I have done all the routing inside correctly, etc).

static (Inside,Outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255

Thanks for your help,

Jim

Hall of Fame Super Blue

Re: NAT Question

Jim

As long as any requests for 167.2.1.1 are routed to the outside interface of your ASA from the Internet then yes you should be fine.

Jon

Bronze

Re: NAT Question

Thanks, Jon. That is exactly what I wanted to verify.
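
Added example, not part of the original thread or written by its posters: the two NAT pieces discussed above combined into one pre-8.3 (ASA 8.0) configuration, with the inbound access list that the static PAT entry needs before outside hosts can reach the server, and commands to check the result. The lower-case interface names, the ACL name OUTSIDE_IN, the 10.1.0.0/16 inside range and the 198.51.100.10 test source are assumptions; all other addresses are the ones used in the thread.

```cisco
! Constructed example for ASA 8.0(4), pre-8.3 NAT syntax.
! Assumed: interface names "inside"/"outside", ACL name OUTSIDE_IN,
! and 10.1.0.0/16 as the new private range (the thread gives only 10.1.226.223).
!
! Dynamic PAT: hide inside hosts behind the outside interface address (23.2.2.2).
! The first line covers hosts still numbered from the old public /19,
! the second covers hosts already moved to the assumed private range.
nat (inside) 1 167.2.0.0 255.255.224.0
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
!
! Static PAT: publish only TCP/25 of the renumbered mail server on its old
! public address. No other port on 10.1.226.223 becomes reachable through it.
static (inside,outside) tcp 167.2.1.1 25 10.1.226.223 25 netmask 255.255.255.255
!
! Inbound traffic from outside to inside is denied unless an ACL permits it.
! With pre-8.3 syntax the ACL matches the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 167.2.1.1 eq 25
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode):
! list active translations, including the static PAT entry
show xlate
! confirm the static entry is in the running configuration
show run static
! simulate an inbound SMTP connection from a constructed outside source
! and see which NAT and ACL rules it hits
packet-tracer input outside tcp 198.51.100.10 1025 167.2.1.1 25
```

Connections that the mail server itself opens do not match the port-25 static entry, so they leave through the dynamic PAT rule with source 23.2.2.2 rather than 167.2.1.1; this matters if reverse DNS or SPF records still list the old address. As noted in the thread, the upstream provider must still route 167.2.0.0/19 toward the ASA outside interface for the static entry to receive traffic.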
