nat 2 subnets same asa interface

Does anyone know if you can NAT 2 subnets from outside to inside interfaces on ASA 5510?
We have an existing outside public subnet (example: through ATT) and are adding a Verizon FIOS connection in order to do PBR. I want all traffic to egress via the ASA's however the outside interface is assigned and then 2-127 are available for NAT translations to the inside (say
The existing ISP outside the ASA on our border router simply routes the (3) T1 IP's (say which are 3 NLB T1's, to the public side of the ASA (via 1 routed port between the 2 devices.) With no additional empty physical interfaces on the ASA and only 1 empty interface on the border router (so I cant get 2 routed interfaces back to the ASA becasue I need the remaining empty one for the FIOS link to come in), can I simply terminate the FIOS link into the border router, then either NAT it to an ATT IP to get it through the ASA or assign a second IP (verizon IP) to the outside of the ASA on the same public interface? You see the challenge. Maybe somethign I haven't though of yet?? Thanks so much folks.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

marksheeksAuthor Commented:
I want to seperate the traffic flows but the first issue is how to traverse the firewall.
ATT and Verizon are giving us 2 different subnets of course.
Justin EllenbeckerIT DirectorCommented:
I have a barracuda here you can just exempt a range of IPs and the traffic will not show up in the logs at all.  Nor will it try to filter it.  Just put the VLAN 6 range in the Exemption list
marksheeksAuthor Commented:
I understand, thanks. Doing this now as well. We have some trafic however that we don;t want to even traverse it. Our Barracuda is undersized and even ignoring the traffic, it is is overwhelmed by the load. The first part I have figured out now (the barracuda bypass link) but the ASA piece troubles me.
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

marksheeksAuthor Commented:
ok so sorry, to be more specific: I have an ip address and subnet assigned to the outside interface of the ASA. Now I want to add another subnet outside it (the Verizon subnet) which does not seem like something it will want to do. OR, I could maybe NAT the Verizon IP to an ATT IP to get it into the ASA?
Or a better idea? router on stick or . . .
Hopefully Verizon will assign you a network block that's different than the transport network it'll use to communicate to your 2851 border router.  That will let you terminate the Verizon link directly on your border router using the transport /30 that they'll allocate for that purpose.  Then the allocated network can be directly routed straight into the ASA on it's existing external IP number (the AT&T one).  I.e.:

(say is your routed network from verizon)
on your border router:
ip route

Then on your ASA you can directly NAT into that new IP block.

static (inside,outside) netmask
global (outside) 1

On your border router configure the policy routing to match the IP block for Verizon IP block, and use the set next-hop option to route it directly out the Verizon interface.

Works great, I've done it before as well to split Internet traffic through 2 connections.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
marksheeksAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.