https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851588#M460272 <HTML><HEAD></HEAD><BODY><P>Hello Clayton,</P><P></P><P>If you do this: </P><P>static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255</P><P>That would be a permanent static one to one translation so inbound an outbound connections from that server will be seeing at 10.60.60.60.</P><P></P><P>Regards,</P><P></P><P>Do rate helpful posts</P><P></P><P>Julio</P></BODY></HTML> Wed, 01 Feb 2012 20:12:11 GMT Julio Carvajal 2012-02-01T20:12:11Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851587#M460271 <P>I want to configure a NAT Statement on a FWSM so that traffic initiated by an end user to a server with an IP Address of 10.20.x.x network will access it via a corresponding 10.60.x.x address.&nbsp; But, I want all communications initiated by the server to stay at its original IP Address. </P><P></P><P>Therefore I have a End User trying to access a server.&nbsp; User will type in 10.60.x.x, this hits the FWSM and changes the 10.60.x.x to 10.20.x.x</P><P>The return traffic will go back to the user as 10.60.x.x.</P><P>But, that server trying to access the internet, will source as 10.20.x.x and will continue its journey as 10.20.x.x</P><P></P><P>How is this configured?&nbsp; Would it be:</P><P>static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255</P> Mon, 11 Mar 2019 22:22:32 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851587#M460271 clayton.buckwalter 2019-03-11T22:22:32Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851588#M460272 <HTML><HEAD></HEAD><BODY><P>Hello Clayton,</P><P></P><P>If you do this: </P><P>static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255</P><P>That would be a permanent static one to one translation so inbound an outbound connections from that server will be seeing at 10.60.60.60.</P><P></P><P>Regards,</P><P></P><P>Do rate helpful posts</P><P></P><P>Julio</P></BODY></HTML> Wed, 01 Feb 2012 20:12:11 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851588#M460272 Julio Carvajal 2012-02-01T20:12:11Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851589#M460273 <HTML><HEAD></HEAD><BODY><P>Hello Clayton,</P><P></P><P>Now here is what you can try:</P><P></P><P>access-list NAT&nbsp; extended permit ip host 10.60.60.60 any</P><P></P><P>static (inside,outside) 10.20.60.60 10.20.60.60</P><P> static (inside,outside) 10.60.60.60 access-list NAT</P><P></P><P>That should do it!</P><P></P><P>Do rate all the helpful posts.</P><P></P><P>Julio</P></BODY></HTML> Wed, 01 Feb 2012 20:19:10 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851589#M460273 Julio Carvajal 2012-02-01T20:19:10Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851590#M460274 <HTML><HEAD></HEAD><BODY><P>I am not sure if I am reading this correctly.</P><P></P><P>Would you want the ACL to be </P><P>&nbsp;&nbsp;&nbsp;&nbsp; access-list NAT extended permit ip any host 10.60.60.60&nbsp;&nbsp;&nbsp;&nbsp; (for any user trying to access the server?)</P><P>Also for the&nbsp; "static (inside,outside) 10.60.60.60 access-list NAT"</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Would you want it to read static (inside,outside) 10.20.60.60 access-list NAT&nbsp; (so that the traffic NAT's to the 10.20.60.60 address)</P><P></P><P>This would make the lines:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; access-list NAT extended permit ip any host 10.60.60.60</P><P>&nbsp;&nbsp;&nbsp;&nbsp; static (inside,outside) 10.20.60.60 10.20.60.60</P><P>&nbsp;&nbsp;&nbsp;&nbsp; static (inside,outside) 10.20.60.60 access-list NAT</P><P></P><P></P><P>Also, if I can perform it in this manner, is "static (inside,outside) 10.20.60.60 10.20.60.60" needed?&nbsp; </P><P>The ACL is specifying direction, therefore it should not be hit if traffic is sourcing from 10.20.60.60</P><P></P><P>Or am I completely off base here?</P><P></P><P>Thanks,</P><P>Clayton</P></BODY></HTML> Wed, 01 Feb 2012 20:39:53 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851590#M460274 clayton.buckwalter 2012-02-01T20:39:53Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851591#M460277 <HTML><HEAD></HEAD><BODY><P>Hello Clayton,</P><P></P><P>You want the outside users to access 10.60.60.60 and get translated to 10.20.60.60</P><P>But you also want the user 10.20.60.60 to be natted or no-nated if he starts the connection.</P><P></P><P>This is not supported but we are doing a trick here to do it.</P><P></P><P>static (inside,outside) 10.20.60.60 access-list NAT is need it for outbound connections.</P><P>Static (inside,outside) 10.20.60.60 10.20.60.60 is need it for the inbound connections.</P><P></P><P>To test it.</P><P>Packet-tracer input inside tcp 10.20.60.60 1025 4.2.2.2 80</P><P>You should see here the NAT with the ACL.</P><P></P><P>Packet-tracer input outside tcp 4.2.2.2 1025 10.60.60.60 80</P><P>You should see the identity nat or No-nat.</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P>Do rate helpful posts!!</P></BODY></HTML> Wed, 01 Feb 2012 20:58:45 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851591#M460277 Julio Carvajal 2012-02-01T20:58:45Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851592#M460278 <HTML><HEAD></HEAD><BODY><P>Would instead of having </P><P>static (inside,outside) 10.20.60.60 access-list NAT</P><P></P><P>could I instead have</P><P>nat (inside) 0 10.20.60.60 255.255.255.255 0 0</P><P></P><P>or would the first static take presidence over the generic?</P><P></P><P>Thanks again,</P><P>Clayton</P></BODY></HTML> Thu, 02 Feb 2012 15:19:58 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851592#M460278 clayton.buckwalter 2012-02-02T15:19:58Z https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851593#M460279 <HTML><HEAD></HEAD><BODY><P>Hello Clayton,</P><P></P><P>The Nat order on 8.2 is :</P><P>1. NAT exemption—In order, until the first match.</P><P>2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT</P><P>is included in this category.</P><P>3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.</P><P>4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of</P><P>the NAT rules does not matter; the NAT rule that best matches the real address is used. For example,</P><P>you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to</P><P>translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to</P><P>translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used</P><P>because it matches the real address best. We do not recommend using overlapping rules; they use</P><P>more memory and can slow the performance of the ASA. </P><P></P><P>Did you try it with the suggestions I sent you??</P><P></P><P>Regards,</P><P></P><P></P><P>Julio</P></BODY></HTML> Thu, 02 Feb 2012 18:55:49 GMT https://community.cisco.com/t5/network-security/one-direction-nat-on-fwsm/m-p/1851593#M460279 Julio Carvajal 2012-02-02T18:55:49Z