
inside to outside many to 1 hide mode nat

Hello

I'm new to ASA configurations and need some help with a configuration on a 5555-X running 8.6 code. I need to allow multiple network IP ranges from my inside network to multiple subnets on the outside so that the outside systems only see incoming traffic from one IP address, and it cannot be the IP address of the outside interface. I was able to do this with a zone-based firewall and IOS NAT statements but am having difficulty doing the same thing in the ASA OS.

Accepted Solution

Hi,

It is pretty simple and straightforward. For your requirement you need to use:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1114283

Information About Dynamic PAT

Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers.

Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

Figure 27-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.

Figure 27-10 Dynamic PAT (figure not reproduced in this copy)

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).

NAT understanding

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Let me know if you need any help on this. You can do PAT with an extra IP address which is available on the outside interface. You need to have appropriate routing for the extra IP address.

HTH
sandy.
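The configuration the accepted answer points to, written out as an added example (this is not Sandy's or Cisco's code, and every address, object name and interface name in it is a constructed placeholder): a twice NAT (manual NAT) rule on ASA 8.3+ syntax that PATs several inside ranges behind one spare outside address, but only for traffic headed to the named partner subnets, so everything else still falls through to whatever other NAT rules exist. The spare address is assumed to sit in the same subnet as the outside interface.

```cisco
! Constructed example for ASA 8.3+ NAT syntax. All objects, names and
! addresses are placeholders; replace them with your own.
!
! --- Real (inside) source ranges that must share one mapped address ---
object network INSIDE-NET-A
 subnet 10.1.0.0 255.255.0.0
object network INSIDE-NET-B
 subnet 10.2.0.0 255.255.0.0
object-group network INSIDE-NETS
 network-object object INSIDE-NET-A
 network-object object INSIDE-NET-B
!
! --- Destination subnets on the outside that should see only one address ---
object network PARTNER-NET-1
 subnet 203.0.113.0 255.255.255.0
object network PARTNER-NET-2
 subnet 198.51.100.0 255.255.255.0
object-group network PARTNER-NETS
 network-object object PARTNER-NET-1
 network-object object PARTNER-NET-2
!
! --- The single mapped address. It is NOT the outside interface address
!     (assumed here to be another host in the same outside subnet). ---
object network PAT-ADDRESS
 host 192.0.2.10
!
! Twice NAT: source is translated dynamically to the single host object
! (a single host as the mapped source means dynamic PAT, not dynamic NAT);
! the destination is an identity translation, which scopes the rule to the
! partner subnets only. Twice NAT rules are evaluated before object NAT,
! so this wins over a generic "nat (inside,outside) dynamic interface".
nat (inside,outside) source dynamic INSIDE-NETS PAT-ADDRESS destination static PARTNER-NETS PARTNER-NETS
!
! --- Verification ---
! Confirm the rule was installed and watch its hit counter:
show nat detail
! Simulate a flow and confirm the NAT phase picks this rule and reports
! the mapped source as 192.0.2.10 (source port and addresses are made up):
packet-tracer input inside tcp 10.1.0.5 40000 203.0.113.20 443
! After real traffic, the PAT entries appear as one xlate per connection:
show xlate
```

On the routing point Sandy raises: when the mapped address is in the outside interface's own subnet, the ASA answers ARP for it on behalf of the translation, so the next-hop router needs no extra route. If you choose a mapped address outside that subnet, the upstream router must have a route for it pointing at the ASA, or return traffic never arrives. Note also that the quoted documentation says the flat port range option is not available on 8.6(1), so on the asker's release the three-tier port pools described above apply.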

2 REPLIES

Community Member

Thanks Sandy. That worked for me.
