Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11348
Views
0
Helpful
5
Replies

How to configure destination NAT in Cisco ASA Firewall?

shunmubala
Level 1
Level 1

‎01-12-2017 04:53 AM - edited ‎03-12-2019 01:46 AM

Hi Peers

I have a 2 Cisco ASA Firewalls, each in separate sites i.e. Site1 and Site2 that is running site-to-site vpn. This is working fine. Both the LANs are able to ping each other.

Site1 LAN Network Address : 10.10.10.0/24

Site2 LAN Network Address : 20.20.20.0/24

At present, from a workstation in Site1, for example 10.10.10.50, wants to communicate with a workstation in Site2, for example 20.20.20.50, this works fine because my site-to-site VPN is UP and working well.

Now I have been given a new requirment. From 10.10.10.50, if it wants to talk to 20.20.20.50, the IP 10.10.10.50 must talk to 10.10.10.150. The Cisco ASA FW in Site1 must see that the destination is 10.10.10.150 and translate that destination to 20.20.20.50.

Basically, Site1 LAN users will communicate with 10.10.10.150, and they won't know the IP 20.20.20.50. Hence, what I want to achieve here is destination NAT. The source IP remains, no change, only destination. I know I need to configure the destionation NAT on  Cisco ASA FW in Site1 but I don't know the command. 

can someone point me in the right direction, pleaseeeeee :-)

Labels:
0 Helpful
5 Replies 5

oloyede29
Level 1
Level 1

‎01-12-2017 07:00 AM

Do you mean static nat

you could have this on your asa 1


nat (inside,outside) source static 10.10.10.150 10.10.10.150 destination static 20.20.20.50 20.20.20.50

asa 2

nat (inside,outside) source static 20.20.20.50 20.20.20.50 destination static 10.10.10.150 10.10.10.150

hope it works

0 Helpful

shunmubala
Level 1
Level 1
In response to oloyede29

‎01-13-2017 01:37 AM

Hi Sir
Thanks for your reply. Just to clarify, I'm using Cisco ASA 5520 v8.2. Hence, can I confirm the following solution;

ASA1 in Site1
static (inside,outside) 20.20.20.50 10.10.10.150 netmask 255.255.255.255

ASA2 in Site2
static (inside,outside) 10.10.10.150 20.20.20.50 netmask 255.255.255.255

Please kindly confirm, sir.

0 Helpful

oloyede29
Level 1
Level 1
In response to shunmubala

‎01-13-2017 02:17 AM

since you are using 8.2 version the above configuration will not suffice as this will only work on 8.4 upward can u post ur current nat configuration

0 Helpful

Farhan Mohamed
Cisco Employee
Cisco Employee

‎01-13-2017 06:19 AM

you could have this on your asa 1


nat (inside,outside) source static 10.10.10.150 10.10.10.150 destination static 20.20.20.50 20.20.20.50

asa 2

nat (inside,outside) source static 20.20.20.50 20.20.20.50 destination static 10.10.10.150 10.10.10.150

hope it works

0 Helpful

ashish360gupta
Level 1
Level 1

‎04-17-2019 05:33 AM

nat (inside,outside) source static 10.10.10.50 10.10.10.50 destination static 10.10.10.150 20.20.20.50

 

asa 2

nat (inside,outside) source static 20.20.20.50 20.20.20.50 destination static 10.10.10.50 10.10.10.50

 

It will owrk I already implemented the same configuration in my Cisco 5516X firewall.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card