Question from beardog1113 (China)
Cisco ASA 8.4 "few to many" nat question

Hello experts,
My ASA configuration is as below:
object network test_internal
 range 10.1.1.200 10.1.1.254
object network test_external
 range 203.94.35.4 203.94.35.250
object network test_pat
 range 203.94.35.251 203.94.35.254

nat (inside,outside) source dynamic test_internal test_external
nat (inside,outside) source dynamic test_internal pat-pool test_pat


While one host in 10.1.1.x accesses the internet it will be mapped to one of 203.94.35.x; of course the number of real IPs is less than the size of the mapped IP pools.
My question is: is it possible to configure some parameter on the ASA so that the mapped IP address changes frequently while hosts access the internet?

Thank you

Cyclops3590 (United States):

A mapped IP is for when you have applications that really need to have connections from the internet opened to them. Dynamic mapped IPs are fairly rare and are still usually for that purpose, because of the way the protocol they use works; VoIP is a good example.

So if you want a "mapped IP" to "frequently" switch between internal hosts, I would recommend just doing a straight PAT. The reason is that if you change the mapping of the IP before the client is completely done with it, you'll break the app that might need it; which makes me believe you don't have an app that requires this feature. So I would just do static mapped IPs on servers and stay with PAT for anything that isn't a server.

Or is there an application requirement that requires you to have mapped IPs on clients? Or, if you don't have enough public IPs to go around for your servers, just do static PAT for those and static NAT (mapped IP) for those that truly need it (an email server would be a good example; a web server not so much).
beardog1113 (asker):

Hello,
I have few hosts but more than enough public IPs. I don't need access from the internet to my hosts, I just need the hosts to access the internet, and the mapped IP address should change frequently.
For example, once host 10.1.1.200 initiates a connection to google.com, the mapped address used is 203.94.35.4,
but at the same time this host initiates a connection to microsoft.com, the mapped address used is 203.94.35.5, and so on.

Thank you

Cyclops3590:

OK, in that case, forget the NAT statements you have and just use simple outside interface PAT. Since you're using 8.3+ code, you need to use a config like the following:

object network inside_lan
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface


This will PAT all of the internal hosts to the IP assigned to your outside interface.  This is a very common way for providing internet access to inside hosts that have non-routable IPs.
beardog1113 (asker):

Hello,
If I am using your configuration, the mapped IP address will only be the IP of the outside interface, right?
I need the mapped IP to change randomly.

any advice?

Thanks

Cyclops3590:

Yes, it would only map via PAT to the outside interface IP. I don't believe you can specify multiple dynamic PAT addresses; at least I can't find an example of that. The only thing you can do is have a dynamic NAT pool with a dynamic PAT address as a backup. But you can't have a "mapped IP" change randomly.

What is the reason that you need to have multiple PAT addresses for your inside hosts? Sorry, but I don't understand the technical reason for what you're describing. It sounds like what you're trying to do is overkill, to be honest, but I'm not sure I completely understand what you're trying to accomplish.

beardog1113 (asker):

Hello,
That's correct, I have multiple addresses to be used as a PAT pool. My requirement is:
for example, once an inside host is going to access www.google.com the ASA uses public_address_1; if the host accesses www.microsoft.com the ASA uses public_address_2. Of course public_address_1 and 2 are in the PAT pool.
Is my description clear?

thank you
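Added worked example (not from the thread and not the accepted solution, which is not visible on this page): on ASA 8.4(2) and later a PAT pool can be allocated round-robin, which is the closest the ASA comes to the rotation being asked for. It reuses the object names and interface names from the question; the only new identifier is the object `test_pat_all`, introduced here for illustration.

```cisco
! Objects exactly as defined in the question
object network test_internal
 range 10.1.1.200 10.1.1.254
object network test_external
 range 203.94.35.4 203.94.35.250
object network test_pat
 range 203.94.35.251 203.94.35.254

! Option A: dynamic NAT from the large pool with PAT fallback, written as ONE rule.
! Two separate twice-NAT rules for the same source (as in the question) do not fall
! through: only the first matching rule is used, so the pat-pool rule would never fire.
nat (inside,outside) source dynamic test_internal test_external pat-pool test_pat

! Option B: dynamic PAT only, rotating the mapped address round-robin across a pool.
! Putting the whole public range in the PAT pool gives many addresses to rotate over.
! (Hypothetical object name, added for this example.)
object network test_pat_all
 range 203.94.35.4 203.94.35.254
nat (inside,outside) source dynamic test_internal pat-pool test_pat_all round-robin

! Check which mapped address and port a connection actually received
show xlate
show nat detail

! Keep the translation build/teardown syslogs (IDs 305011 and 305012) so that every
! mapped address:port can still be traced back to the real host afterwards
logging enable
logging trap informational
```

Caveats a practitioner would want before deploying Option B: `round-robin` rotates the mapped address as new translations are created, it does not choose an address by destination, so the "google.com gets address 1, microsoft.com gets address 2" behaviour in the question is not something ASA NAT provides. From 8.4(3) onward the ASA also prefers to keep using the same PAT address for a host that already has a translation while ports remain on it, so simultaneous connections from one host will usually share a mapped address rather than spread over the pool. Spreading one host across many public addresses can break services that tie a session to a single source IP and makes incident attribution harder, which is why the xlate syslogs above matter.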
ASKER CERTIFIED SOLUTION from shekarkanubaddi (the solution text is not available on this page)
beardog1113 (asker):

Thanks, this looks reasonable, I will test it.