NAT/PAT Configuration – How to NAT Two Internal Subnets to One WAN IP on ASA

cisco-asanat;

I have a working configuration on two Juniper Netscreen devices that I'm trying to replicate on an ASA 5505. Here's the scenario:

+-----+   77.77.77.77   +-----+ 10.20.0.0/24 *******
| WAN | =============== | ASA | ------------ * DMZ *
+-----+                 +-----+    VLAN 20   *******
                           |
                           |  10.30.0.0/24   ***********
                           +---------------- * Clients *
                                VLAN 30      ***********

I'm trying to perform PAT on both internal subnets (i.e. so all internal clients can access the internet). However, when I try to configure the NAT rules using ASDM, it says that there's a PAT range overlap. There must be some way to configure the NAT rules such that both zones/subnets can share an external PAT IP (just like in ScreenOS), but I haven't found it yet.

Unfortunately, ordering extra external IPs isn't an option at the moment, so I hope there's a way to do this without purchasing any more gear.

Best Answer

I think that should do it:

  object-group FOO
    network-object 10.30.0.0 255.255.255.0
    network-object 10.20.0.0 255.255.255.0

  object network BAR
    host 77.77.77.77

  nat (inside,any) source dynamic FOO BAR

Related Solutions

Vpn – ASA 5505 remote access VPN – Connection established, but no internet/access to internal subnet

In order for the client to be able to connect to resources outside of the VPN tunnel, a split tunnel must be configured. This will allow the adapter to inherit routes outside of it's own route table as well as allow the traffic out. Adding routes upon connect is only part of the issue.

Here is a link with instructions for the ADM and CLI http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html

Vlan – ASA 5505 Assign Outbound IP to VLAN

This is an old question, but I recently ran into this same issue, and after some trial and error, I was able to come up with a solution. The following applies to ASA Version 9.1. I have two VLANs on our network: one for PCs, and one for VoIP. I wanted the VoIP VLAN to use its own outside address, separate from the outside address used by the PCs. Here's what the configuration ended up looking like (IP addresses have been obfuscated slightly). These are only the pertinent parts of the configuration, not a complete dump:

: ASA Version 9.1(2) 

interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 50
!
interface Vlan1
  nameif outside
  security-level 0
  ip address 65.65.65.10 255.255.255.192 
!
interface Vlan2
 nameif net-inside
 security-level 100
 ip address 10.1.10.1 255.255.248.0 
!
interface Vlan50
 nameif net-voip
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
object network net-voip
 subnet 172.16.0.0 255.255.255.0
 nat (net-voip,outside) dynamic 65.65.65.20
!
nat (net-inside,outside) after-auto source dynamic any interface
!
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd address 172.16.0.100-172.16.0.127 net-voip
dhcpd dns 8.8.8.8 interface net-voip
dhcpd enable net-voip

I also included the part of my configuration which sets up DHCP on the VoIP VLAN for the phones. One snag I ran into (which should've been obvious in retrospect), the net-voip VLAN needs to have a security level higher than the outside VLAN, otherwise it won't be allowed out.

Best Answer

Related Solutions

Vpn – ASA 5505 remote access VPN – Connection established, but no internet/access to internal subnet

Vlan – ASA 5505 Assign Outbound IP to VLAN

Related Topic