Cisco ASA 8.4 "few to many" nat question

Hello experts,
My ASA configuration is as below:
object network test_internal
 range 10.1.1.200 10.1.1.254
object network test_external
 range 203.94.35.4 203.94.35.250
object network test_pat
 range 203.94.35.251 203.94.35.254

nat (inside,outside) source dynamic test_internal test_external
nat (inside,outside) source dynamic test_internal pat-pool test_pat


While a host in 10.1.1.x accesses the internet it will be mapped to one of 203.94.35.x; the number of real IPs is absolutely less than the mapped IP pool.
My question is: is it possible to configure some parameter on the ASA so that the mapped IP address changes frequently while hosts access the internet?

thank you
beardog1113Asked:

Cyclops3590Commented:
A mapped IP is for when you have applications that really need to have connections from the internet opened to them. Dynamic mapped IPs are fairly rare and are still usually for that purpose because of the way the protocol they're using works; VoIP is a good example.

So if you want a "mapped IP" to "frequently" switch between internal hosts, I would recommend just doing a straight PAT. The reason is that if you change the mapping of the IP before the client may be done with it completely, then you'll break the app that might need it; which makes me believe you don't have an app that requires this feature. So I would just do static mapped IPs on servers and stay with PAT for anything that isn't a server.

Or is there an application requirement that requires you to have mapped IPs on clients? Or, if you don't have enough public IPs to go around for your servers, just do static PAT for those and static NAT (mapped IP) for those that truly need it (an email server would be a good example; a web server not so much).
0
beardog1113Author Commented:
Hello,
I have few hosts but more than enough public IPs. I don't need access from the internet to my hosts; I just need hosts to access the internet, and the mapped IP address should change frequently.
For example, once host 10.1.1.200 initiates a connection to google.com, the mapped address used is 203.94.35.4,
but when at the same time this host initiates a connection to microsoft.com, the mapped address used is 203.94.35.5, and so on.

thank you
0
Cyclops3590Commented:
ok, in that case, forget the nat statements you have and just use simple outside interface PAT.  Since you're using 8.3+ code, you need to use a config like the following:

object network inside_lan
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface


This will PAT all of the internal hosts to the IP assigned to your outside interface.  This is a very common way for providing internet access to inside hosts that have non-routable IPs.
0

beardog1113Author Commented:
Hello,
If I am using your configuration, the mapped IP address will only be the IP of the outside interface, right?
I need the mapped IP to change randomly.

any advice?

thanks
0
Cyclops3590Commented:
Yes, it would only map via PAT to the outside interface IP. I don't believe you can specify multiple dynamic PAT addresses; at least I can't find an example of that. The only thing you can do is have a dynamic NAT pool with a dynamic PAT address as a backup. But you can't have a "mapped IP" change randomly.

What is the reason that you need to have multiple PAT addresses for your inside hosts? Sorry, but I don't understand the technical reason for what you're describing. It sounds like what you're trying to do is overkill, to be honest, but I'm not sure I completely understand what you're trying to accomplish.
0
beardog1113Author Commented:
Hello,
That's correct, I have multiple addresses to be used as a PAT pool. My requirement is:
for example, once an inside host is going to access www.google.com the ASA uses public_address_1, and if the host accesses www.microsoft.com the ASA uses public_address_2; of course public_address_1 and 2 are in the PAT pool.
Is my description clear?

thank you
0
shekarkanubaddiCommented:
Yes, you can do that. If you are using ASDM to configure the PAT rule, use the round-robin option. Otherwise:

nat (inside,outside) source dynamic test_internal pat-pool test_pat round-robin
0
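To show why the plain pat-pool in the original question would not meet the requirement while the round-robin keyword does, here is a small added model of the two PAT-pool allocation modes (example code written for this thread, not Cisco's implementation). It assumes a simplified allocation rule: without round-robin the ASA uses up the ports of one pool address before moving to the next, with round-robin it rotates to the next pool address on every new connection; port numbering and the per-address port budget are constructed for the model.

```python
from dataclasses import dataclass, field

# The thread's PAT pool: object network test_pat, range 203.94.35.251 203.94.35.254
PAT_POOL = ["203.94.35.251", "203.94.35.252", "203.94.35.253", "203.94.35.254"]


@dataclass
class PatPool:
    """Simplified model of an ASA dynamic PAT pool (assumption, not Cisco code)."""
    addresses: list
    round_robin: bool = False
    ports_per_address: int = 64512          # 1024-65535 in this model
    used: dict = field(default_factory=dict)  # mapped IP -> number of ports in use
    xlate: list = field(default_factory=list)  # (src, dst, mapped_ip, mapped_port)
    _next: int = 0                            # rotation pointer for round-robin

    def _allocate_port(self, ip):
        """Hand out the next free port on ip, or None when the address is exhausted."""
        taken = self.used.get(ip, 0)
        if taken >= self.ports_per_address:
            return None
        self.used[ip] = taken + 1
        return 1024 + taken

    def translate(self, src_ip, dst):
        """Pick the mapped address/port for a new connection from src_ip to dst."""
        n = len(self.addresses)
        start = self._next if self.round_robin else 0  # default: always start at the first address
        for k in range(n):
            ip = self.addresses[(start + k) % n]
            port = self._allocate_port(ip)
            if port is not None:
                if self.round_robin:
                    self._next = (start + k + 1) % n  # next connection moves on to the next address
                self.xlate.append((src_ip, dst, ip, port))
                return ip, port
        raise RuntimeError("PAT pool exhausted")


def mapped_ips(round_robin, ports_per_address=64512):
    """Mapped IPs seen by host 10.1.1.200 for five constructed outbound connections."""
    pool = PatPool(PAT_POOL, round_robin, ports_per_address)
    destinations = ["www.google.com", "www.microsoft.com", "www.cisco.com",
                    "www.example.com", "www.bing.com"]
    return [pool.translate("10.1.1.200", d)[0] for d in destinations]


if __name__ == "__main__":
    print("default    :", mapped_ips(False))
    print("round-robin:", mapped_ips(True))
```

A small per-address port budget (the ports_per_address argument) shows the default mode only moving to the next pool address once the previous one has run out of ports.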

beardog1113Author Commented:
Thanks, this looks reasonable. I will test it.
0