topic Note the NAT precedence below in Network Security

Incoming Destination policy NAT

ryancisco01 — Tue, 12 Mar 2019 06:40:32 GMT

Hi guys, what i am trying to achieve is this: (I need ot be able to control the destination IP based on the source IP)

ASA 8.2

Source: 7.7.7.7 (host out on the internet - outside interface)

Destination: 1.1.1.1 (fake server Ip address on my firewall)

port: 1234

translate that to:

Source: original

Destination: 192.168.1.1 (real server IP -inside interface)

port: 1234

AND

Source: 9.9.9.9 (host out on the internet - outside interface)

Destination: 1.1.1.1 (same fake destination)

port: 1222

translate that to:

Source: original

Destination: 192.168.1.2 (another real server IP -inside interface)

port: 1222

Anything else coming to 1.1.1.1 should not be natted.

I can achieve that okay, but here is the part I am stuick with, I also need the NAT to work like a static NAT so traffic in other direction will also work:

Source: 192.168.1.1

Destination: 7.7.7.7

port: 1234

translate that to:

Source: 1.1.1.1

Destination: 7.7.7.7

port: 1234

AND

Source: 192.168.1.2

Destination: 9.9.9.9 (same fake destination)

port: 1222

translate that to:

Source: 1.1.1.1

Destination: 9.9.9.9 (another real server IP -inside interface)

port: 1222

Thanks in advance!

Note the NAT precedence below

Lovleen Arora — Wed, 30 Sep 2015 23:23:31 GMT

Note the NAT precedence below:

To achieve what you have mentioned in addition to the inbound policy NAT,

just a simple dynamic NAT to the 1.1.1.1 public IP (Private range 192.168.1.1 and 1.2) would give you the required result.

As per cisco asa 8.2 commands below (x is the nat id)

nat (inside) x 192.168.1.0 255.255.255.252.

global (outside) x 1.1.1.1

Please mark answer as correct if it works for you.

If that doesn't work, then let me know I have another workaround that you may want to try.

Excellent thank you that

ryancisco01 — Thu, 01 Oct 2015 02:25:27 GMT

Excellent thank you that seems like a simple answer!

Okay unfortunately though I was wrong about the incoming working, i just used packet tracer and I am getting a "no matching global" error for this:

access-list DESTINATION-PAT extended permit tcp host 7.7.7.7 host 1.1.1.1 eq 23

nat (outside) 7 access-list DESTINATION-PAT outside
global (prod) 7 192.168.1.1

Just to be clear for what I am trying to achieve, I just want incoming traffic that matches this ACL to be destination natted to the real address (no source nattign required)

Why am I getting a no matching global pool in packet tracer? and reason i can't do a simple static is because I will also extend this to say from 8.8.8.8 to 1.1.1.1 dnat to 192.168.1.2 etc

anyone have any ideas?

ryancisco01 — Fri, 02 Oct 2015 00:52:18 GMT

anyone have any ideas?