Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi All,

We are setting up a number of ASAs for use with corporate VPNs. When remote users connect using anyconnect they can hairpin out to the internet from Head Office and we need to allocate them a public IP address for this purpose. To avoid people getting the same public address each time they go to the internet we want to set up a pool of public addresses that will be randomly allocated to user of the VPN. Also, for their inbound connection we have a ddns that resolves to a single ip address for inbound connections. So, in summary clients connect to a single IP address on our ASAs, then hairpin out to the internet and are allocated a public IP address from a pool. We are looking at a few options to achieve this but would welcome any suggestions as to the best way to achieve this objective.

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi,

To me it seems that the order of the chosen NAT IP address from the NAT Pool is random. I tested this on my home ASA5505 with a small public address pool.

I am not sure if there is difference between the different ASA software levels or rather the NAT configuration format. Since the 8.2 (and below) and 8.3 (and newer) format is completely different.

So if we were to presume that you are configuring NAT Pool for VPN Client users connected to the ASA then the configurations you would need would be

Software 8.3 and above

same-security-traffic permit intra-interface

object-group network VPN-POOLS

description VPN User Address Pools

network-object 10.10.10.0 255.255.255.128

network-object 10.10.20.0 255.255.255.128

object network PUBLIC-POOL

range 1.1.1.1 1.1.1.254

nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface

Software 8.2 and below

same-security-traffic permit intra-interface

nat (outside) 200 10.10.10.0 255.255.255.0

nat (outside) 200 10.10.20.0 255.255.255.0

global (outside) 200 1.1.1.1-1.1.1.254

global (outside) 200 interface

I am not sure what your user amount is but I would imagine you wont such a large public address pool for the users. The above configurations also contain a Dynamic PAT for when the NAT Pool runs out.

Was this what you were looking for?

Hope this helps

- Jouni

5 REPLIES
Super Bronze

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi,

Well I guess you would simply configure a Dynamic NAT for the VPN users. You would have a pool/range of public IP addresses from which addresses would be allocated for VPN client as they connect to the Internet.

I am not sure what you are meaning with the inbound connections (unless you mean return traffic for connections initiated by the clients).

Naturally the NAT configuration format depends on your ASA software level as theres a major difference between 8.2 (and older) and 8.3 (and newer)

- Jouni

New Member

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi,

The inbound connections are for the VPN clients to ingress the ASAs, they then hairpin out to the internet where they are allocated a public IP address for their internet session. We will NAT them from the LAN VPN pool outbound, but its the allocation of a public ip address we are looking into. There wont be any local access so we don't need to set up a NAT exemption for the VPN users. Also, cant remember if the dynamic NAT allocates public addresses on a round robin or random basis, any ideas ??

Thanks,

Super Bronze

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi,

To me it seems that the order of the chosen NAT IP address from the NAT Pool is random. I tested this on my home ASA5505 with a small public address pool.

I am not sure if there is difference between the different ASA software levels or rather the NAT configuration format. Since the 8.2 (and below) and 8.3 (and newer) format is completely different.

So if we were to presume that you are configuring NAT Pool for VPN Client users connected to the ASA then the configurations you would need would be

Software 8.3 and above

same-security-traffic permit intra-interface

object-group network VPN-POOLS

description VPN User Address Pools

network-object 10.10.10.0 255.255.255.128

network-object 10.10.20.0 255.255.255.128

object network PUBLIC-POOL

range 1.1.1.1 1.1.1.254

nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface

Software 8.2 and below

same-security-traffic permit intra-interface

nat (outside) 200 10.10.10.0 255.255.255.0

nat (outside) 200 10.10.20.0 255.255.255.0

global (outside) 200 1.1.1.1-1.1.1.254

global (outside) 200 interface

I am not sure what your user amount is but I would imagine you wont such a large public address pool for the users. The above configurations also contain a Dynamic PAT for when the NAT Pool runs out.

Was this what you were looking for?

Hope this helps

- Jouni

New Member

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi Jouni,

Thanks for your response and apologies for our delay in replying we had to set this up in the lab. Anyway this is the configuration we have decided to use so your answer was helpful thank you.

Regards,

Super Bronze

MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

Hi,

Thank you for getting back to me. Great to hear that it helped

- Jouni

312
Views
0
Helpful
5
Replies
CreatePlease to create content