How to NAT Outside Hosts with Inside Subnet when accessing resource from Outside

kaustav.gupta
Level 1

Hi,

I am trying to figure out how I can NAT the source IP address of Outside hosts in the ASA when they try to access a router located in the Inside network, so that I do not have to put a route pointing back for those Outside subnets in the router.

 

So what I have done till now:

                   |     | 200.200.200.100        200.200.200.3                cloud
Router ----------- | ASA | -------------------- Internet Router ------------- Outside client (144.x.x.x)
10.0.0.5      .100 |     |

 

Static NAT:

nat (Inside,Outside) source static 10.0.0.5 200.200.200.100

access-list <Client Name> extended permit tcp 144.x.x.x 255.x.x.x  10.0.0.5

access-group <Client Name> in interface Outside

 

I don't want to put a reverse static route in the Inside router for 144.x.x.x with next hop 10.0.0.100 (ASA Inside).

So when the packet from outside comes in, the 144.x.x.x needs to be replaced by a 10.0.0.x IP.

The code which I am running is 8.4 and I am getting lost in the documentation.

 

Any help highly appreciated

 

 


Accepted Solutions

Kyle Fine
Level 1

Instead of creating a static route for all traffic, you could create a route map which only applies to traffic sourced from the router (probably a loopback interface) going to the 144.0.0.0/8. It sounds like what you're trying to do is get around the fact that you're doing asymmetric routing. Unless there's some IPsec site-to-site VPN need for outside-to-inside natting, I never configure things this way.

 

I suppose something like the following may work the way you want, but I haven't tried it before.

 

object network outside_router_natted_ip
 host 200.200.200.100
object network inside_router_ip
 host 10.0.0.5
 nat (inside,outside) static outside_router_natted_ip

object network 144.x.x.x_hosts
 subnet 144.0.0.0 255.0.0.0
 nat (outside,inside) dynamic interface
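
The object NAT rule in the answer source-translates 144.0.0.0/8 toward any inside destination. As an added example (not part of the thread and not tested on the poster's ASA), here is a twice-NAT form that limits the source translation to flows addressed to the router's public IP, followed by the commands to check it. The object and interface names follow the answer; the client address 144.0.0.10 and TCP port 22 are constructed sample values.

```cisco
! Added example, not from the thread. Object names reuse those in the answer.
object network outside_router_natted_ip
 host 200.200.200.100
object network inside_router_ip
 host 10.0.0.5
 ! Static translation for the router, as in the answer
 nat (inside,outside) static outside_router_natted_ip
object network 144.x.x.x_hosts
 subnet 144.0.0.0 255.0.0.0
!
! Twice NAT, outside -> inside, used instead of the
! "nat (outside,inside) dynamic interface" line under 144.x.x.x_hosts:
!   source      144.0.0.0/8     -> PAT to the ASA inside interface (10.0.0.100)
!   destination 200.200.200.100 -> 10.0.0.5
! The rule matches only when source AND destination both match, so
! 144.0.0.0/8 traffic to other inside hosts keeps its real source.
nat (outside,inside) source dynamic 144.x.x.x_hosts interface destination static outside_router_natted_ip inside_router_ip
!
! Verification from privileged EXEC.
! Constructed sample flow: client 144.0.0.10, source port 1025, TCP/22 to the router.
! In the trace, the UN-NAT phase should show the destination rewritten to 10.0.0.5
! and the NAT phase should show the source rewritten to the inside interface address.
packet-tracer input outside tcp 144.0.0.10 1025 200.200.200.100 22
!
! Rule order and hit counters
show nat detail
!
! Live translations and connections once a real client connects
show xlate
show conn address 10.0.0.5
```

With either form, the router sees every client as 10.0.0.100, so its own logs and any address-based access lists on it can no longer tell clients apart. Per-client filtering and attribution then rest on the ASA's Outside access list and its connection logs.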

 

 
