
New Member

Policy-Based PAT

Hi,

I'm setting up an ASA5520 and need to set up each subnet I'm running behind the firewall with a separate public IP address. I think I can do this with policy-based NAT, but now that I look at the documentation, maybe not.

Here's what I want to try:

nat (inside) 10 access-list ITS-pat

access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w

nat (inside) 20 access-list HR-pat

access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t

Does it look like this will work? I'm not sure how I would test it until I put it into place.

Thanks!

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Policy-Based PAT

Jeff,

Yes, this certainly can work, but you will need to add a corresponding "global (outside) 10 x.x.x.x-x.x.x.x" and "global (outside) 20 x.x.x.x-x.x.x.x" sort of statement in order to get NAT to actually occur.

HTH pls rate!

8 REPLIES

New Member

Re: Policy-Based PAT

Thanks Mike!

It would look something like this?

global (outside) 10 z.y.x.w

nat (inside) 10 access-list ITS-pat

access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w

global (outside) 20 z.y.x.t

nat (inside) 20 access-list HR-pat

access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t

Also, this would pat the internal subnets a.b.c.d to z.y.x.w

and

a.b.c.e to z.y.x.t

Right?

Thanks again!

Jeff

Silver

Re: Policy-Based PAT

Yes! I have used such a config with success before. Good luck and please rate my post if you found it helpful!

-mike

New Member

Re: Policy-Based PAT

Thanks!

New Member

Re: Policy-Based PAT

Also, any ideas on how to test this? I'm not putting it in place for a while. I've always used nwtools.com to provide reverse IP lookup; I don't know of anything Windows-based that would do the same.

Silver

Re: Policy-Based PAT

The most reliable way is to use an old pix or one that is designated for future use that you can mock your config up with.

New Member

Re: Policy-Based PAT

I'm doing that now. Do you have any suggestions for testing the nat on an internal network?

New Member

Re: Policy-Based PAT

Correction to the above rules:

It should be:

access-list PAT1 permit ip a.b.c.d 255.255.255.0 any

nat (inside) 10 access-list PAT1

global (outside) 10 z.y.x.w

access-list PAT2 permit ip a.b.c.e 255.255.255.0 any

nat (inside) 20 access-list PAT2

global (outside) 20 z.y.x.t

Let me know if there should be any other corrections...
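The thread ends with two fixes: each `nat (inside) <id> access-list` needs a `global (outside) <id>` with the same id, and the ACL destination must be `any` rather than the public address itself. The following is an added example, not the poster's or Cisco's code: a small Python lookup that parses that ASA 8.2-style `access-list` / `nat` / `global` syntax and reports which outside address a given inside-to-outside flow would be PATed to, so the rules can be sanity-checked before they go on a box. It assumes (an assumption, not documented ASA behaviour) that policy NAT statements are tried in the order they appear in the config and that the first `permit ip` entry that matches picks the nat id; all addresses are constructed RFC 1918 / RFC 5737 samples standing in for a.b.c.d and z.y.x.w.

```python
"""Policy NAT lookup for ASA 8.2-style access-list / nat / global triplets.

Added example (not the thread's own configuration). Assumption: nat statements
are evaluated in config order; the first permit-ip ACE that matches selects the
nat id, and the global with the same id supplies the PAT address.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class NatConfig:
    acls: dict = field(default_factory=dict)       # acl name -> [Ace]
    nat_rules: list = field(default_factory=list)  # [(nat id, acl name)] in config order
    globals_: dict = field(default_factory=dict)   # nat id -> outside address or range


def _addr_spec(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A MASK'. Returns (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    cfg = NatConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, body = t[1], t[2:]
            if body[0] == "extended":          # 'extended' keyword is optional
                body = body[1:]
            if body[:2] != ["permit", "ip"]:   # only permit ip ACEs are relevant here
                continue
            src, rest = _addr_spec(body[2:])
            dst, _ = _addr_spec(rest)
            cfg.acls.setdefault(name, []).append(Ace(src, dst))
        elif t[0] == "nat" and len(t) > 4 and t[3] == "access-list":
            cfg.nat_rules.append((int(t[2]), t[4]))
        elif t[0] == "global":
            cfg.globals_[int(t[2])] = t[3]
    return cfg


def translate(cfg, src_ip, dst_ip):
    """Outside address a src->dst flow is PATed to, or None when no policy NAT rule
    matches or the matched id has no global (what then happens to the packet
    depends on whether nat-control is enabled)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for nat_id, acl in cfg.nat_rules:
        if any(s in ace.src and d in ace.dst for ace in cfg.acls.get(acl, [])):
            return cfg.globals_.get(nat_id)
    return None


def lint(cfg):
    """Flag the two mistakes corrected in the thread."""
    problems = []
    for nat_id, acl in cfg.nat_rules:
        if nat_id not in cfg.globals_:
            problems.append(f"nat id {nat_id} has no matching global; no translation occurs")
        for ace in cfg.acls.get(acl, []):
            if ace.dst.prefixlen == 32:
                problems.append(f"{acl}: destination is host {ace.dst.network_address}; "
                                "only traffic to that single host would be translated")
    return problems


# Constructed sample of the first attempt: no globals, destination pinned to the public IP.
FIRST_ATTEMPT = """
access-list ITS-pat extended permit ip 10.1.1.0 255.255.255.0 host 198.51.100.10
nat (inside) 10 access-list ITS-pat
access-list HR-pat extended permit ip 10.1.2.0 255.255.255.0 host 198.51.100.20
nat (inside) 20 access-list HR-pat
"""

# Constructed sample of the corrected rules from the last post, globals included.
CORRECTED = """
access-list PAT1 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 10 access-list PAT1
global (outside) 10 198.51.100.10
access-list PAT2 permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 20 access-list PAT2
global (outside) 20 198.51.100.20
"""

if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        cfg = parse_config(text)
        print(label, "->", translate(cfg, "10.1.1.7", "203.0.113.5"), lint(cfg))
```

Running it shows the first attempt translating nothing for a flow from 10.1.1.7 to an arbitrary Internet host (the ACL only matches traffic destined to the public address itself, and no `global` exists), while the corrected rules map 10.1.1.0/24 to 198.51.100.10 and 10.1.2.0/24 to 198.51.100.20. On the real firewall the equivalent check is `show nat` and `show xlate` after generating traffic from a host in each subnet.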
