https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181529#M359947 <HTML><HEAD></HEAD><BODY><P>Its impossible to NAT multiple IP addresses to ONE IP address and keep the source port consistent. The Firewall/Router uses the source port to determine what server should get the return traffic.</P><P></P><P>So other than the 192.168.2.30:1234 --&gt; publicIP:1234, the rest is pretty easy to do with a simply dynamic NAT:</P><P></P><P>nat (inside) 55 192.168.2.0 255.255.255.0</P><P>global (outside) 55 <PUBLICIP></PUBLICIP></P><P></P><P>The "55" above just tie the "nat" command to the "global" command, feel free to use any you wish.&nbsp; Keep in mind, that this is only one directional.&nbsp; The hosts on the outside wouldn't be able to use the <PUBLICIP> to access the servers individually.</PUBLICIP></P><P></P><P></P><P>Afterthought:&nbsp; I just re-read your post, and I may have misunderstood.&nbsp; Are you alraedy doing the NAT on the Router and just wish to pass the traffic through on the ASA?&nbsp; If so, NAT Exemption or Identity NAT is what you need -- or just disable nat-control.</P></BODY></HTML> Mon, 18 Mar 2013 21:08:54 GMT eddie.harmoush 2013-03-18T21:08:54Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181528#M359946 <P>Hi everyone,</P><P></P><P>I have a question.</P><P></P><P>I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:</P><P></P><P>If I wanted this:</P><P></P><P>192.168.2.30:1234 to publicIP:1234</P><P>192.168.2.31:1234 to publicIP:1235</P><P>192.168.2.32:1234 to publicIP:1236</P><P></P><P>Any thoughts?</P> Tue, 12 Mar 2019 01:15:44 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181528#M359946 derrmart 2019-03-12T01:15:44Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181529#M359947 <HTML><HEAD></HEAD><BODY><P>Its impossible to NAT multiple IP addresses to ONE IP address and keep the source port consistent. The Firewall/Router uses the source port to determine what server should get the return traffic.</P><P></P><P>So other than the 192.168.2.30:1234 --&gt; publicIP:1234, the rest is pretty easy to do with a simply dynamic NAT:</P><P></P><P>nat (inside) 55 192.168.2.0 255.255.255.0</P><P>global (outside) 55 <PUBLICIP></PUBLICIP></P><P></P><P>The "55" above just tie the "nat" command to the "global" command, feel free to use any you wish.&nbsp; Keep in mind, that this is only one directional.&nbsp; The hosts on the outside wouldn't be able to use the <PUBLICIP> to access the servers individually.</PUBLICIP></P><P></P><P></P><P>Afterthought:&nbsp; I just re-read your post, and I may have misunderstood.&nbsp; Are you alraedy doing the NAT on the Router and just wish to pass the traffic through on the ASA?&nbsp; If so, NAT Exemption or Identity NAT is what you need -- or just disable nat-control.</P></BODY></HTML> Mon, 18 Mar 2013 21:08:54 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181529#M359947 eddie.harmoush 2013-03-18T21:08:54Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181530#M359948 <HTML><HEAD></HEAD><BODY><P>Correct I am doing NAT currently on the 7100. I am trying to just pass the NAT translations though the ASA. Our situations is we have a small data center that we only have a few clients in at the moment. The ASA is our edge device, and is doing the routing for the data center currently. We have NAT translations on the ASA for other things but need these certain translations to be able to pass through the ASA no issue. If I understand correctly, disabling nat-control will disable it for everything correct? Is there a way to just allow these translations through?</P><P></P><P>Thank you for the quick response!</P></BODY></HTML> Tue, 19 Mar 2013 14:14:04 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181530#M359948 derrmart 2013-03-19T14:14:04Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181531#M359949 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Configuration format depends on your firewall software level</P><P></P><P>If you want to configure the ASA so that certain hosts with the public NAT IP from the router need to simply bypass any NAT on the ASA then you can configure NAT0 / NAT Exemption / Identity NAT as Eddie stated above.</P><P></P><P>The command "nat-control" is a global setting.</P><P></P><P></P><P><STRONG>8.2 and older software level configuration format is</STRONG></P><P></P><P>access-list INSIDE-NAT0 remark Bypass NAT for Internet host</P><P>access-list INSIDE-NAT0 permit ip host <NAT ip="" 1=""> any</NAT></P><P>access-list INSIDE-NAT0 permit ip host <NAT ip="" 2=""> any</NAT></P><P></P><P>nat (inside) 0 access-list INSIDE-NAT0</P><P></P><P></P><P><STRONG>8.3 and newer software configuration format is</STRONG></P><P></P><P>object-group network NAT0-SOURCE</P><P> network-object host <NAT ip="" 1=""></NAT></P><P> network-object host <NAT ip="" 2=""></NAT></P><P></P><P>nat (inside,outside) source static NAT0-SOURCE NAT0-SOURCE</P><P></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 19 Mar 2013 14:25:38 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181531#M359949 Jouni Forss 2013-03-19T14:25:38Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181532#M359950 <HTML><HEAD></HEAD><BODY><P>Jouni,</P><P></P><P>Thank you for the response.</P><P></P><P>I will give that a try and see if it works! </P><P></P><P>For the post 8.3 commands, the nat is in the global config area correct? Or is it under that object?</P><P></P><P>Thank you,</P><P></P><P>Derrick</P></BODY></HTML> Tue, 19 Mar 2013 14:37:36 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181532#M359950 derrmart 2013-03-19T14:37:36Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181533#M359951 <HTML><HEAD></HEAD><BODY><P>The 8.3+ configuration that I made in the previous reply is a Section 1 Twice NAT / Manual NAT type configuration.</P><P></P><P>So its not configured under any "object" but rather uses "object"/"object-group" as its parameters.</P><P></P><P>One of the reasons for this configuration format is also the fact that this will override any other NAT configurations from matching to this traffic.</P><P></P><P>Ofcourse the complete picture depends on your current NAT configuration on the ASA.</P><P></P><P>Also unless you have already done so, confirm that these public NAT IP addresses have routing configured on the upstream ISP router. The ISP has to have a route for these public IP addresses towards the ASA.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 19 Mar 2013 14:42:56 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181533#M359951 Jouni Forss 2013-03-19T14:42:56Z https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181534#M359952 <HTML><HEAD></HEAD><BODY><P>Alrighty thank you very much Jouni. I will check with all of this and see happens.</P><P></P><P>Thank you again,</P><P></P><P>Derrick</P></BODY></HTML> Tue, 19 Mar 2013 14:54:04 GMT https://community.cisco.com/t5/network-security/allowing-nat-pat-from-router-through-asa/m-p/2181534#M359952 derrmart 2013-03-19T14:54:04Z