01-29-2018 03:01 PM - edited 03-05-2019 09:50 AM
Hi, I have an ASA 5510 running 8.2(5). High-level, I'm looking to have two different internal networks use two different public IP addresses.
Right now, I am using the global pool for doing a dynamic NAT for all internal networks out the outside interface. I also have the global NAT pool being used for all internal networks accessing the DMZ using the DMZ interface, using the same number.
global (DMZ) 101 interface
global (outside) 101 interface
nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 101 192.168.0.0 255.255.0.0
I can create a new global pool with a new number (like 102) and assign the external IP that I want to use to that pool, then create a dynamic NAT with that new global pool.
global (outside) 103 <public IP> <netmask>
nat (inside) 103 192.168.0.0 255.255.0.0
Testing with What's My IP Address now shows that the new public IP address is being used. Problem solved, you would think, but no. Now I cannot access anything in the DMZ because that network doesn't have a global pool for the DMZ interface. And I cannot add one because it conflicts with the original global pool 101.
My goal here is to have a different public IP address used for our internet guest network (192.168.0.0) than the one used for the internet production network (10.x.x.x), but they still need to access DMZ resources. What am I missing?
Thanks!
01-29-2018 04:04 PM
In reading more about NAT'ing, I think the line I put in there for the global NAT to redirect that network out the public IP would only be good for one client going to the internet:
global (outside) 103 <public IP> <netmask>
Am I correct? So maybe this wasn't the correct way to do it in the first place!
Thanks
01-29-2018 05:12 PM
Ok, I've got quite the thread going with myself here. :P
So, some more testing and I've found that more than one client is able to get to the internet with that same one IP address when I have that global NAT pool created. Next thing I tried, since I was unable to create another pool for the DMZ interface because it was already in use, was to create a pool using the next IP address of the DMZ. So, the DMZ interface is 172.16.35.1 and I just created a pool using 172.16.35.2. That made it work! So, the config is:
global (DMZ) 101 interface
global (outside) 101 interface
global (outside) 103 <second public IP> <netmask>
global (DMZ) 103 172.16.35.2 255.255.255.255
nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 103 192.168.0.0 255.255.0.0
I can say it's working, but have no idea if it's the right way to do it or not, or what else I may have broken by doing that. Any help and an extra set of eyes is much appreciated.
Thanks!
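As an added example (not from the thread itself), here is a small Python check for the exact gap hit above: for every nat group id on the ASA 8.2-style config, does a matching global pool exist on each interface that network must reach? The sample configs are constructed from the thread's lines, with 203.0.113.10 standing in for the redacted public IP.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's intermediate config, where nat id 103
# has a global on outside but none on DMZ, so guest hosts lose DMZ access.
BROKEN_CONFIG = """
global (DMZ) 101 interface
global (outside) 101 interface
global (outside) 103 203.0.113.10 255.255.255.255
nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 103 192.168.0.0 255.255.0.0
"""

# The working config from the thread: a second DMZ-side pool for id 103.
FIXED_CONFIG = BROKEN_CONFIG + "global (DMZ) 103 172.16.35.2 255.255.255.255\n"

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")

def parse(config):
    """Split pre-8.3 ASA NAT lines into global pools (per id, per egress
    interface) and nat statements (ingress interface, id, network, mask)."""
    globals_by_id = defaultdict(dict)
    nats = []
    for line in config.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            globals_by_id[int(nat_id)][iface] = pool
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            nats.append((iface, int(nat_id), net, mask))
    return globals_by_id, nats

def missing_globals(config, egress_ifaces):
    """Return (network, nat_id, egress_iface) for each internal network whose
    nat id has no global pool on an interface it is expected to reach."""
    globals_by_id, nats = parse(config)
    gaps = []
    for _ingress, nat_id, net, _mask in nats:
        for egress in egress_ifaces:
            if egress not in globals_by_id.get(nat_id, {}):
                gaps.append((net, nat_id, egress))
    return gaps

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, missing_globals(cfg, ["outside", "DMZ"]))
```

Run against a real `show running-config` excerpt, the report lists which networks would silently lose reachability to an interface after a NAT change.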