https://community.cisco.com/t5/network-security/asa-hide-nat-while-using-inside-outside-static-nat/m-p/2683978#M191600 <P>Good day,</P><P>&nbsp;</P><P>Here is the issue we are trying to solve -</P><P>&nbsp;</P><P>Switching firewall devices, going to need to have same servers reply to two different firewalls; the servers have always been behind their ASA and replying to the internet for the global Source&nbsp;IPv4 Space.</P><P>&nbsp;</P><P>We want to keep that ASA online, but change the default route to the new firewall.</P><P>&nbsp;</P><P>old firewall 10.1.1.1</P><P>new firewall 10.1.1.10</P><P>&nbsp;</P><P>existing nat</P><P>&nbsp;</P><P>object network 10.1.1.15_Server1</P><P>host 10.1.1.15</P><P>nat (inside,outside) static 63.118.110.15</P><P>&nbsp;</P><P>this all works fine. however, we need to</P><P>&nbsp;</P><P>1) Keep this working as we bring new firewall online - so servers default gateway becomes 10.1.1.10</P><P>2) Keep replying to stuff coming in (do not need to originate NAT OUTBOUND, DO need to REPLY to our static IP's (i.e.&nbsp;63.118.110.15 for global services)</P><P>3) Can we AT THE SAME TIME NAT ALL SOURCE IP's for "the internet" to a single overload "HIDE NAT"</P><P>&nbsp;</P><P>here is what I&nbsp;tried</P><P>object network obj_any<BR />&nbsp;subnet 0.0.0.0 0.0.0.0</P><P>nat (outside,inside) dynamic 10.1.1.254</P><P>&nbsp;</P><P>The goal here is to allow us to keep BOTH firewalls ONLINE for a few months as we SLOWLY move public NAT's from The public ip's used on the old firewall to the new firewall.</P><P>And YES, connections made THROUGH the old firewall will look like they came from 10.1.1.254&nbsp;</P><P>but connections through the new firewall will look like their true source IP's (the ipv4 source on the internet)</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:56:00 GMT joe19366 2019-03-12T05:56:00Z https://community.cisco.com/t5/network-security/asa-hide-nat-while-using-inside-outside-static-nat/m-p/2683978#M191600 <P>Good day,</P><P>&nbsp;</P><P>Here is the issue we are trying to solve -</P><P>&nbsp;</P><P>Switching firewall devices, going to need to have same servers reply to two different firewalls; the servers have always been behind their ASA and replying to the internet for the global Source&nbsp;IPv4 Space.</P><P>&nbsp;</P><P>We want to keep that ASA online, but change the default route to the new firewall.</P><P>&nbsp;</P><P>old firewall 10.1.1.1</P><P>new firewall 10.1.1.10</P><P>&nbsp;</P><P>existing nat</P><P>&nbsp;</P><P>object network 10.1.1.15_Server1</P><P>host 10.1.1.15</P><P>nat (inside,outside) static 63.118.110.15</P><P>&nbsp;</P><P>this all works fine. however, we need to</P><P>&nbsp;</P><P>1) Keep this working as we bring new firewall online - so servers default gateway becomes 10.1.1.10</P><P>2) Keep replying to stuff coming in (do not need to originate NAT OUTBOUND, DO need to REPLY to our static IP's (i.e.&nbsp;63.118.110.15 for global services)</P><P>3) Can we AT THE SAME TIME NAT ALL SOURCE IP's for "the internet" to a single overload "HIDE NAT"</P><P>&nbsp;</P><P>here is what I&nbsp;tried</P><P>object network obj_any<BR />&nbsp;subnet 0.0.0.0 0.0.0.0</P><P>nat (outside,inside) dynamic 10.1.1.254</P><P>&nbsp;</P><P>The goal here is to allow us to keep BOTH firewalls ONLINE for a few months as we SLOWLY move public NAT's from The public ip's used on the old firewall to the new firewall.</P><P>And YES, connections made THROUGH the old firewall will look like they came from 10.1.1.254&nbsp;</P><P>but connections through the new firewall will look like their true source IP's (the ipv4 source on the internet)</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:56:00 GMT https://community.cisco.com/t5/network-security/asa-hide-nat-while-using-inside-outside-static-nat/m-p/2683978#M191600 joe19366 2019-03-12T05:56:00Z https://community.cisco.com/t5/network-security/asa-hide-nat-while-using-inside-outside-static-nat/m-p/2683979#M191603 <P>Hi,</P><P>I don't think the Dynamic NAT will fulfill the requirement. Also , if you keep both the ASA devices in network , you would certainly face issues with the Proxy-Arp on the ASA devices replying to the arp requests and that would cause Asymmetric routing and dropping the traffic on the ASA device.</P><P>I think the only workaround that you would be able to use will be to configure TCP state bypass on the ASA units.</P><P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Thu, 14 May 2015 03:44:27 GMT https://community.cisco.com/t5/network-security/asa-hide-nat-while-using-inside-outside-static-nat/m-p/2683979#M191603 Vibhor Amrodia 2015-05-14T03:44:27Z