NATting just a small range of addresses on ASA 5505

I would like to set my ASA 5505 to only NAT a range of addresses, for example static NAT 172.17.47.16 - 172.17.47.255 on my inside network, to addresses in the 10.96.96.* network which is a client's VPN range, while leaving some of the lower addresses available for separate static NAT. For example, I want the client's 10.96.96.3 to NAT to my DMZ's ftp server at 192.168.3.3 rather than to something on my inside network.

Can this be done without listing every in-house address separately as a separate static NAT entry? I know that will work, but it's a lot of work and maintenance effort.

David Kerber

Use netmask to aggregate:

    static (inside,outside) 10.96.96.16 172.17.47.16 netmask 255.255.255.240
    static (inside,outside) 10.96.96.32 172.17.47.32 netmask 255.255.255.224
    static (inside,outside) 10.96.96.64 172.17.47.64 netmask 255.255.255.192
    static (inside,outside) 10.96.96.128 172.17.47.128 netmask 255.255.255.128

You may augment nat and static entries with access-lists to include the remote part of the communication into the nat decision.

Lutz Donnerhacke
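
An added example, not part of the original posts: a Python sketch that derives the aggregated blocks for any real address range, emits them in the command form used in the reply above, and checks that a mapped address reserved for a separate static (such as 10.96.96.3 from the question) is not covered by any block. The function names are hypothetical; the interface names are taken from the reply.

```python
import ipaddress


def aggregate_static_nat(real_first, real_last, mapped_first):
    """Split real_first..real_last into aligned CIDR blocks and pair each
    with the mapped block at the same offset from mapped_first."""
    r_first = ipaddress.IPv4Address(real_first)
    r_last = ipaddress.IPv4Address(real_last)
    offset = int(ipaddress.IPv4Address(mapped_first)) - int(r_first)
    pairs = []
    for real_net in ipaddress.summarize_address_range(r_first, r_last):
        mapped_addr = ipaddress.IPv4Address(int(real_net.network_address) + offset)
        # strict=True raises ValueError when the mapped side is not aligned
        # on the same boundary, i.e. one netmask cannot describe both sides.
        mapped_net = ipaddress.IPv4Network((mapped_addr, real_net.prefixlen), strict=True)
        pairs.append((mapped_net, real_net))
    return pairs


def render(pairs, real_if="inside", mapped_if="outside"):
    """Emit commands in the form used in the reply above."""
    return [
        f"static ({real_if},{mapped_if}) {m.network_address} "
        f"{r.network_address} netmask {r.netmask}"
        for m, r in pairs
    ]


def conflicts(pairs, reserved_mapped):
    """Return reserved mapped addresses that an aggregated block also covers."""
    return [
        a for a in reserved_mapped
        if any(ipaddress.IPv4Address(a) in m for m, _ in pairs)
    ]


if __name__ == "__main__":
    pairs = aggregate_static_nat("172.17.47.16", "172.17.47.255", "10.96.96.16")
    print("\n".join(render(pairs)))
    # 10.96.96.3 is the address the question reserves for the DMZ FTP server.
    print("conflicts:", conflicts(pairs, ["10.96.96.3"]))
```

Running the conflict check before adding a one-off static keeps a later exception from silently overlapping an aggregated block.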

That did the trick; thanks a lot!! I thought I should be able to do it with proper netmask settings, but couldn't figure out the details.

David Kerber
