topic NAT 8.0 in Network Security

NAT 8.0

jack samuel — Mon, 11 Mar 2019 22:48:49 GMT

Friends,

I have a strange question here please bare with me if it is funny but it is woking live with thirdparty firewall which is going to be replaced by the ASA.

Third party firewall is working with below policy and i want to do it in ASA 8.0:

i have a server in my internal network 192.168.1.1 which accepts only specific IP's as a source addresses (192.168.10.1 to 192.168.10.100) on a port 2445 . The connection is initiating from extranet with source ip address 172.16.10.0/24 to destination virtual IP 192.168.100.1 on a port 2445 which is then directing traffic to inside server 192.168.1.1 with a source ip address from the pool mentioned above.

This means the thirdy party firewall is doing the destination NAT and the source NAT which are both merged togther to one flow to achieve the customer requirement,

Can anybody write for me the configs pls.i hope it is a concept of twice nat but how to achieve this in 8.0

NAT 8.0

Jouni Forss — Fri, 30 Mar 2012 05:33:42 GMT

Hi,

It seems to me that you would need 8.3 software at minimum to achieve that with a single NAT configuration.

I mean when the change of ASA software went from 8.2 -> 8.3 you were now able to NAT both the source and destination IP/network

Heres an example configuration

object network REAL-SOURCE

subnet 172.16.10.0 255.255.255.0

object network MAPPED-SOURCE

subnet 192.168.10.0 255.255.255.0

object network REAL-DESTINATION

host 192.168.1.1

object network MAPPED-DESTINATION

host 192.168.100.1

nat (USERS,SERVER) source static REAL-SOURCE MAPPED-SOURCE destination static MAPPED-DESTINATION REAL-DESTINATION

To my understanding that would mean that while connecting from interface USERS (172.16.10.0/24) to the MAPPED-DESTINATION host on interface SERVER (192.168.100.1) the ASA firewall would NAT your traffic from network 172.16.10.0/24 to network 192.168.10.0/24 while connecting to the actual REAL-DESTINATION address (192.168.1.1)

I'm not sure if theres any way to do it in older software.

Gotta get my morning coffee and think about it after that My head doesnt always work in the morning

Hope this helps

- Jouni

NAT 8.0

malikyounas — Fri, 30 Mar 2012 10:15:50 GMT

Well, you can do this in 8.0, give this a try

These access list define what to NAT

access-list outnat extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0

access-list innat extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.1 eq telnet

Here is your pool of addresses and NAT statement for it

global (inside) 1 192.168.10.1-192.168.10.100

nat (extranet) 1 access-list innat outside

Here is the Static NAT statement to map 192.168.1.1 to 192.168.100.1

static (inside,extranet) 192.168.100.1 access-list outnat