• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1014
  • Last Modified:

nat 2 subnets same asa interface

Does anyone know if you can NAT 2 subnets from outside to inside interfaces on ASA 5510?
We have an existing outside public subnet (example: through ATT) and are adding a Verizon FIOS connection in order to do PBR. I want all traffic to egress via the ASA's however the outside interface is assigned and then 2-127 are available for NAT translations to the inside (say
The existing ISP outside the ASA on our border router simply routes the (3) T1 IP's (say which are 3 NLB T1's, to the public side of the ASA (via 1 routed port between the 2 devices.) With no additional empty physical interfaces on the ASA and only 1 empty interface on the border router (so I cant get 2 routed interfaces back to the ASA becasue I need the remaining empty one for the FIOS link to come in), can I simply terminate the FIOS link into the border router, then either NAT it to an ATT IP to get it through the ASA or assign a second IP (verizon IP) to the outside of the ASA on the same public interface? You see the challenge. Maybe somethign I haven't though of yet?? Thanks so much folks.

  • 4
1 Solution
marksheeksAuthor Commented:
I want to seperate the traffic flows but the first issue is how to traverse the firewall.
ATT and Verizon are giving us 2 different subnets of course.
Justin EllenbeckerIT DirectorCommented:
I have a barracuda here you can just exempt a range of IPs and the traffic will not show up in the logs at all.  Nor will it try to filter it.  Just put the VLAN 6 range in the Exemption list
marksheeksAuthor Commented:
I understand, thanks. Doing this now as well. We have some trafic however that we don;t want to even traverse it. Our Barracuda is undersized and even ignoring the traffic, it is is overwhelmed by the load. The first part I have figured out now (the barracuda bypass link) but the ASA piece troubles me.
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

marksheeksAuthor Commented:
ok so sorry, to be more specific: I have an ip address and subnet assigned to the outside interface of the ASA. Now I want to add another subnet outside it (the Verizon subnet) which does not seem like something it will want to do. OR, I could maybe NAT the Verizon IP to an ATT IP to get it into the ASA?
Or a better idea? router on stick or . . .
Hopefully Verizon will assign you a network block that's different than the transport network it'll use to communicate to your 2851 border router.  That will let you terminate the Verizon link directly on your border router using the transport /30 that they'll allocate for that purpose.  Then the allocated network can be directly routed straight into the ASA on it's existing external IP number (the AT&T one).  I.e.:

(say is your routed network from verizon)
on your border router:
ip route

Then on your ASA you can directly NAT into that new IP block.

static (inside,outside) netmask
global (outside) 1

On your border router configure the policy routing to match the IP block for Verizon IP block, and use the set next-hop option to route it directly out the Verizon interface.

Works great, I've done it before as well to split Internet traffic through 2 connections.
marksheeksAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now