Cisco Defense Orchestrator

Translate a Range of Private IP Addresses to a Range of Public IP Addresses

About this Use Case

Use this approach if you have a group of specific device types, or user types, that need to have their IP addresses translated to a specific range so that the receiving devices (the devices on the other end of the transaction) allow the traffic in.

Prerequisite

Create a network object for the pool of private IP addresses you want to translate and create a network object for the pool of public addresses you want to translate those private IP addresses into.

For the ASA, the "original address" pool, (the pool of private IP addresses you want to translate) can be a network object with a range of addresses, a network object that defines a subnet, or a network group that includes all the addresses in the pool. For the FTD, the "original address" pool can be a network object that defines a subnet or a network group that includes all the addresses in the pool.

Note: For both the ASA and FTD, the network group that defines the pool of "translated address" cannot be a network object that defines a subnet.

For instructions on creating these address pools, see Create or Edit ASA Network Objects and Network Groups for ASAs, and Create or Edit a Firepower Network Object or Network Group for FTDs.

For the sake of the following procedure, the pool of private addresses is named inside_pool and the pool of public addresses is named outside_pool.

Translate a Pool of Inside Addresses to a Pool of Outside Addresses

  1. From the Devices & Services page, select the device for which you want to create the network address translation (NAT) rule.
  2. Click NAT in the Management pane at the right.
  3. Click the blue + button > Network Object NAT.
  4. In section 1, Type, select Dynamic and click Continue.
  5. In section 2, Interfaces, set the source interface to inside and the destination interface to outside. Click Continue.
  6. In section 3, Packets, perform these tasks:
  • For the Original Address, click Choose and then select the inside_pool network object (or network group) you made in the prerequisites section above.
  • For the Translated Address, click Choose and then select the outside_pool network object (or network group) you made in the prerequisites section above.
  7. Skip section 4, Advanced.
  8. For Firepower Threat Defense (FTD), in section 5, Name, give the NAT rule a name.
  9. Click Save.
  10. Review and deploy the changes you made now, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

These are the entries that would appear in an ASA's saved configuration file as a result of these procedures.

Note: This does not apply to FTD devices.

Objects created by this procedure

object network outside_pool
   range 209.165.1.1 209.165.1.255
object network inside_pool
   range 10.1.1.1 10.1.1.255

NAT rule created by this procedure

object network inside_pool
   nat (inside,outside) dynamic outside_pool
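As an added example (not part of the Cisco Defense Orchestrator documentation or any Cisco tool), the following Python script parses the ASA configuration entries shown above and checks two things a practitioner reviewing such a rule would want to confirm: that the "translated address" pool referenced by a dynamic NAT rule is not a subnet object (the restriction stated in the note under Prerequisite), and whether the public pool is at least as large as the private pool it translates, since a dynamic one-to-one pool that is smaller than the source pool will run out of translated addresses under load. The configuration text, the object names (inside_pool, outside_pool) and the helper names are taken from or constructed for this page; the ASA line formats recognised are the ones that appear above plus the standard subnet and host object forms.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ASA entries produced by the procedure on this page.
SAMPLE_CONFIG = """\
object network outside_pool
   range 209.165.1.1 209.165.1.255
object network inside_pool
   range 10.1.1.1 10.1.1.255
object network inside_pool
   nat (inside,outside) dynamic outside_pool
"""


@dataclass
class NetObject:
    """One 'object network' block: its address definition and optional NAT rule."""
    name: str
    kind: str = ""                                   # "range", "subnet" or "host"
    first: Optional[ipaddress.IPv4Address] = None    # lowest address in the object
    last: Optional[ipaddress.IPv4Address] = None     # highest address in the object
    nat: Optional[Tuple[str, str, str, str]] = None  # (src_if, dst_if, mode, translated)

    def size(self) -> int:
        """Number of addresses the object covers."""
        return int(self.last) - int(self.first) + 1


def parse_asa_objects(text: str) -> Dict[str, NetObject]:
    """Parse 'object network' blocks from ASA running/saved configuration text.

    Re-entering an object that already exists (as the NAT rule above does) adds
    to the existing definition, matching how the ASA treats the configuration.
    """
    objects: Dict[str, NetObject] = {}
    current: Optional[NetObject] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
            continue
        if current is None:
            raise ValueError(f"line outside an object block: {line!r}")
        m = re.match(r"range (\S+) (\S+)$", line)
        if m:
            current.kind = "range"
            current.first = ipaddress.IPv4Address(m.group(1))
            current.last = ipaddress.IPv4Address(m.group(2))
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current.kind = "subnet"
            current.first = net.network_address
            current.last = net.broadcast_address
            continue
        m = re.match(r"host (\S+)$", line)
        if m:
            current.kind = "host"
            current.first = current.last = ipaddress.IPv4Address(m.group(1))
            continue
        m = re.match(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)$", line)
        if m:
            current.nat = (m.group(1), m.group(2), m.group(3), m.group(4))
            continue
        raise ValueError(f"unrecognised configuration line: {line!r}")
    return objects


def check_nat_rules(objects: Dict[str, NetObject]) -> List[str]:
    """Return review findings for every object that carries a NAT rule."""
    findings: List[str] = []
    for obj in objects.values():
        if obj.nat is None:
            continue
        src_if, dst_if, mode, translated_name = obj.nat
        translated = objects.get(translated_name)
        if translated is None:
            findings.append(f"{obj.name}: translated object {translated_name!r} is not defined")
            continue
        # The page's note: the translated-address pool must not be a subnet object.
        if translated.kind == "subnet":
            findings.append(f"{obj.name}: translated pool {translated_name!r} is a subnet object; "
                            "use a range object or a network group")
        # A dynamic pool smaller than the source pool will be exhausted under load.
        if mode == "dynamic" and translated.size() < obj.size():
            findings.append(f"{obj.name}: dynamic pool {translated_name!r} has "
                            f"{translated.size()} addresses for {obj.size()} sources "
                            f"({src_if} -> {dst_if})")
    return findings


if __name__ == "__main__":
    parsed = parse_asa_objects(SAMPLE_CONFIG)
    for name, o in parsed.items():
        print(f"{name}: {o.kind} {o.first}-{o.last} ({o.size()} addresses) nat={o.nat}")
    print("findings:", check_nat_rules(parsed) or "none")
```

Run against the page's own entries, the script reports two 255-address range objects and no findings. Feeding it a configuration whose translated pool is defined with subnet instead of range produces the finding that corresponds to the prerequisite note, which is the check to run before pushing the rule if the objects were created by hand rather than through the Devices & Services workflow.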