mattsthe2 Member Posts: 304
How would one create a static NAT for an outside address that doesn't exist on the ASA?

The scenario is that I have a public netblock for my company. We'll say it's

My edge router is advertising this out to the ISP's via BGP.
The network that connects my edge router to my ASA is = outside ASA port = FastEth port on the edge router pointing to the ASA.

I then have my DMZ and inside networks on the ASA, which are not applicable here.

My VPN termination is done on the outside ASA port and I need to NAT my outside public address to

I hope this all makes sense.


  • Ahriakin SupremeNetworkOverlord Member Posts: 1,800
    There are a couple of ways to handle it.
    If there won't be a problem with NAT (e.g. running PAT without NAT-T or some other form of encapsulation), you could NAT on the edge router.

    On the ASA you can create a static translation from inside to outside for the public IP and host-route on your edge router to the ASA for that address. The ASA will accept the traffic (ACLs allowing). I don't think that will work for VPN termination on the appliance itself though; even though it will NAT and accept the traffic flow, it is not an address it can bind its own services to. It's only of use for devices behind it (just illustrating the point that yes, you can NAT for addresses that aren't in the same space as the interface itself).
    You could do router-on-a-stick for your internet segment: put a public IP on your ASA, either as a VLAN subinterface or, if you have a physical port to use, put it in the same VLAN/segment as your router (you may have to jiggle the router a little to split the public subnet so it has an ethernet port in a public range as well as whatever WAN circuit you are using, e.g. set the WAN interface to , the ethernet interface to , set a static route on your router for anything ASA-bound to its public IP, and on the ASA set the ethernet public IP of the router as your gateway). Essentially you bounce traffic over your public IP space between the router and ASA.
    This way the ASA is still 'behind' your router's BGP advertisement (even though it's parallel in addressing).

    Something like:

    Router T1 WAN :
    Router ETH :
    ASA :

    Router route to internal subnets ->
    Router default to ISP gateway
    ASA default to

    Incoming VPN traffic hits your router on , is routed out the ethernet segment to , with no NAT in the way. Outgoing is sent from the ASA to , then switched internally on the router to the WAN circuit.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
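The router-on-a-stick layout Ahriakin sketches, with the public block split so the router's ethernet port and the ASA outside interface share a public /29 and the rest of the block is host-/subnet-routed to the ASA, written out as an added example (not config from either poster). Every address here is an assumption for illustration: the company block is taken to be 203.0.113.0/24 and the ISP link 198.51.100.0/30 (both RFC 5737 documentation ranges), the ASNs are from the RFC 5398 documentation range, and interface names, object names and the DMZ host 172.16.1.10 are made up. The ASA side uses 8.3+ NAT syntax.

```cisco
! ===== Edge router (IOS) =====
! Assumed: 203.0.113.0/24 is the advertised block; 203.0.113.0/29 is carved
! out for the router<->ASA segment, 203.0.113.16/28 is reserved for static
! NATs that live behind the ASA.
interface Serial0/0
 description T1 to ISP (assumed link net 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description Public segment toward ASA outside
 ip address 203.0.113.1 255.255.255.248
!
! Aggregate to Null0 so BGP can originate the whole /24 while the
! longer-prefix routes below decide where each piece actually goes.
ip route 203.0.113.0 255.255.255.0 Null0
! Anything in the NAT range is delivered to the ASA outside IP - this is the
! "host-route on your edge router to the ASA" step; no NAT on the router.
ip route 203.0.113.16 255.255.255.240 203.0.113.2
! Default to the ISP
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64497

! ===== ASA (8.3+ NAT syntax) =====
! Outside now sits on a public address, so VPN terminates on 203.0.113.2
! directly; nothing between it and the router translates.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Static NAT to a public address that is NOT in the outside interface's /29.
! The router's 203.0.113.16/28 route above hands those packets to the ASA,
! so the ASA never has to ARP/proxy-ARP for 203.0.113.20 on the segment.
object network dmz-web
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.20
!
! 8.3+ ACLs match the real (untranslated) address, hence the object reference.
access-list outside_in extended permit tcp any object dmz-web eq https
access-group outside_in in interface outside
!
! Remote-access/site-to-site VPN binds to the interface's own public IP.
crypto ikev1 enable outside
```

On pre-8.3 code the translation line becomes `static (dmz,outside) 203.0.113.20 172.16.1.10` and the ACL matches the translated address instead. The thing to verify after applying it is the router side: `show ip route 203.0.113.20` on the router must return the /28 static toward 203.0.113.2, and `show nat` / `show xlate` on the ASA should show the 203.0.113.20 mapping even though no interface owns that subnet. If the ISP filters your announcement to exactly the /24, the Null0 aggregate is what keeps `network 203.0.113.0 mask 255.255.255.0` in the BGP table when a more specific route flaps.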