It is not going to work.
What if the two networks that are online are 10.0.3.0 and 10.0.4.0? They
would show on the internet using the same public IP address.
It would work if 10.0.1.0 and 10.0.3.0 are online. Thing is that I have no
control of which network will be online.
From: Piotr Matusiak [mailto:pitt2k_at_gmail.com]
Sent: Wednesday, September 08, 2010 1:13 PM
To: Marcin Zgola
Cc: ccielab_at_groupstudy.com
Subject: Re: Cisco ASA NAT questions
Marcin,
What about this:
access-list NET1 extended permit ip 10.0.1.0 255.255.255.0 any
access-list NET1 extended permit ip 10.0.2.0 255.255.255.0 any
access-list NET2 extended permit ip 10.0.3.0 255.255.255.0 any
access-list NET2 extended permit ip 10.0.4.0 255.255.255.0 any
nat (inside) 1 access-list NET1
nat (inside) 2 access-list NET2
global (outside) 1 11.12.13.14
global (outside) 2 11.12.13.15
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
"If you can't explain it simply, you don't understand it well enough" - Albert Einstein

2010/9/8 Marcin Zgola <MZgola_at_netrixllc.com>
But here is the problem. I apologize, I should be more specific.
I have 100 NAT pools, and only 20 public IPs. So let's say 100 NAT pools correspond to 100 VLANs on my network. But only 20 of these VLANs will be used at any given time.
I need each of these VLANs to always have its own public IP address. Make sense?

-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Wednesday, September 08, 2010 11:27 AM
To: Marcin Zgola; ccielab_at_groupstudy.com
Subject: RE: Cisco ASA NAT questions
Marcin,
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On
> Behalf Of Marcin Zgola
> Sent: Wednesday, September 08, 2010 11:49 AM
>
>
> I want any hosts from 10.0.0.0/24 to be PATed from one of the public ips
> from 100.100.100.0-100.100.100.4 pool
>
> Example:
> Host 10.0.1.122 PATed to 100.100.100.1
> Host 10.0.1.12 PATed to 100.100.100.1
> Host 10.0.2.123 PATed to 100.100.100.2
> Host 10.0.3.188 PATed to 100.100.100.3
>
If this is all you need, just assign a different NAT/Global to each range.
nat (inside) 101 10.0.1.0 255.255.255.0
global (outside) 101 100.100.100.1
nat (inside) 102 10.0.2.0 255.255.255.0
global (outside) 102 100.100.100.2
.
.
.
When you enter the single address, the ASA will respond that all inside addresses will have PAT applied, e.g.
global (outside) 3 50.50.50.50
INFO: Global 50.50.50.50 will be Port Address Translated.
You can also do a combination of 1 to 1 NATs with a fall back to PAT once the range is exhausted. As the translation expires, another host can grab that 1:1 NAT.
global (outside) 1 192.168.4.140-192.168.4.254 netmask 255.255.255.128
global (outside) 1 interface
HTH,
-ryan

Received on Wed Sep 08 2010 - 18:18:33 ART
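
The objection at the top of the thread, that two online networks in the same NAT group leave through one public address, can be checked against a configuration before it is deployed. The following is an added example, not code from any poster in the thread: it parses the ACL-based nat/global lines exactly as posted above and reports which public addresses would be shared by a given set of online subnets. The function names and the `online` argument are assumptions made for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Configuration copied from the reply above (pre-8.3 ASA nat/global syntax).
CONFIG = """\
access-list NET1 extended permit ip 10.0.1.0 255.255.255.0 any
access-list NET1 extended permit ip 10.0.2.0 255.255.255.0 any
access-list NET2 extended permit ip 10.0.3.0 255.255.255.0 any
access-list NET2 extended permit ip 10.0.4.0 255.255.255.0 any
nat (inside) 1 access-list NET1
nat (inside) 2 access-list NET2
global (outside) 1 11.12.13.14
global (outside) 2 11.12.13.15
"""

def pat_map(config):
    """Return {inside subnet: public PAT address} by joining ACL -> NAT ID -> global."""
    acl_nets = defaultdict(list)  # ACL name -> source subnets it permits
    nat_acl = {}                  # NAT ID -> ACL name
    global_ip = {}                # NAT ID -> outside address
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            acl_nets[tok[1]].append(ip_network(f"{tok[5]}/{tok[6]}"))
        elif tok[:1] == ["nat"] and tok[3:4] == ["access-list"]:
            nat_acl[tok[2]] = tok[4]
        elif tok[:1] == ["global"]:
            global_ip[tok[2]] = tok[3]
    return {net: global_ip[nid]
            for nid, acl in nat_acl.items() if nid in global_ip
            for net in acl_nets[acl]}

def shared_addresses(config, online):
    """Return {public IP: [online subnets]} for every address used by 2+ online subnets."""
    mapping = pat_map(config)
    users = defaultdict(list)
    for net in map(ip_network, online):
        if net in mapping:  # subnets with no nat/global pair are not translated here
            users[mapping[net]].append(str(net))
    return {ip: nets for ip, nets in users.items() if len(nets) > 1}

if __name__ == "__main__":
    # Constructed inputs: the two cases named at the top of the thread.
    print(shared_addresses(CONFIG, ["10.0.3.0/24", "10.0.4.0/24"]))
    print(shared_addresses(CONFIG, ["10.0.1.0/24", "10.0.3.0/24"]))
```

An empty result means every online subnet has its own public address for that combination; with static grouping this can only hold for all combinations when each group contains a single subnet.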