Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
276
Views
0
Helpful
3
Replies

NAT related question -

S891
Level 2
Level 2

‎11-26-2013 11:40 AM - edited ‎03-11-2019 08:09 PM

Hi,


I have a question about using static NAT of ASA/FWSM. I'm doing some static NATs for our private servers on FWSM. I'm running out of public IP on the OUTSIDE subnet on the Firewall. We have some public IPs available on other internal subnets/VLANs that are not extended to the firewall.

I was wondering if I can use the public IP from internal subnet as for static NAT? For example, my OUTSIDE network is 120.30.46.0/24.


I don’t want to use any IP from this network for static NAT. Instead I want to use an internal public network IP address .10 to statically NAT an internal private IP 172.20.48.10. I am not using this network (120.30.41.x) on any interface of Firewall. Is it possible?


I do have routing in place. Both 120.30.41.x and 172.20.48.x are on INSIDE. I tried to do the following but it didn’t work:

Static (inside,inside) 120.30.41.10 172.20.48.10 netmask 255.255.255.255

I also added alias command but it did not help either.

Alias (inside) 120.30.41.10 172.20.48.10 255.255.255.255

Does anyone have any suggestion to make it work?

thanks !!

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎11-26-2013 12:52 PM

Hello Fawad,

Removed the commands you entered and add the following:

static (inside,outside) 120.30.41.10 172.20.48.10

With Proxy-ARP the ASA whould reply to those packets, if this still does not work, share the following

packet-tracer input outside tcp 4.2.2.2 1025 120.30.41.10 80 (If this is not a web-server then use the right service)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

jumora
Level 7
Level 7
In response to Julio Carvajal

‎11-26-2013 09:02 PM

The ASA outside interface I believe has its own ISP, if that ISP is not routing that network then the answer is no.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
0 Helpful

S891
Level 2
Level 2
In response to Julio Carvajal

‎11-27-2013 08:20 AM

It worked with at simple static (inside,outside). Thanks Julio !

For iternal user I had to use an alias.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card