10-04-2015 12:42 PM - edited 03-11-2019 11:41 PM
Hi,
I am trying to figure out how I can NAT the source IP address of Outside hosts on the ASA when they try to access a router located in the Inside network, so that I do not have to put a route pointing back for those Outside subnets on the router.
What I have done so far:
| | 200.200.200.100 200.200.200.3 cloud
Router ----------- | ASA |-------------------------------------------------------------- Internet Router --------------------- Outside client ( 144.x.x.x)
10.0.0.5 .100 | |
Static NAT: nat (Inside,Outside) source static 10.0.0.5 200.200.200.100
access-list <Client Name> extended permit tcp 144.x.x.x 255.x.x.x 10.0.0.5
access-group <Client Name> in interface Outside
I don't want to put a reverse static route in the Inside router for 144.x.x.x with next hop 10.0.0.100 (ASA Inside),
so when the packet from outside comes in, the 144.x.x.x needs to be replaced by a 10.0.0.x IP.
The code which I am running is 8.4 and I am getting lost in the documentation.
Any help highly appreciated.
10-05-2015 11:15 AM
Instead of creating a static route for all traffic, you could create a route map which only applies to traffic sourced from the router (probably a loopback interface) going to 144.0.0.0/8. It sounds like what you're trying to do is get around the fact that you're doing asymmetric routing. Unless there's some IPsec site-to-site VPN need for outside-to-inside NATing, I never configure things this way.
I suppose something like the following may work the way you want, but I haven't tried it before.
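object network outside_router_natted_ip
 host 200.200.200.100
! Static NAT: 10.0.0.5 is presented as 200.200.200.100 on the outside
object network inside_router_ip
 host 10.0.0.5
 nat (inside,outside) static outside_router_natted_ip
! Dynamic PAT: 144.0.0.0/8 sources are hidden behind the ASA inside interface address
object network 144.x.x.x_hosts
 subnet 144.0.0.0 255.0.0.0
 nat (outside,inside) dynamic interface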
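One way to check the suggested configuration on the ASA, as an added example that is not part of the original posts. The client address 144.1.1.10 and the ports are constructed sample values, and the interface name outside follows the reply's configuration.

```cisco
! Constructed sample flow: outside client 144.1.1.10:40000 -> 200.200.200.100:22
! Privileged EXEC: trace a simulated packet through the ACL and both NAT rules.
packet-tracer input outside tcp 144.1.1.10 40000 200.200.200.100 22 detailed
! What to look for in the output:
!   UN-NAT phase : destination 200.200.200.100 untranslated to 10.0.0.5
!   ACCESS-LIST  : permitted by the ACL applied inbound on the outside interface
!   NAT phase    : source 144.1.1.10 translated to the inside interface address
!   Result       : Action: allow

! Confirm both object NAT rules are installed and check their hit counters.
show nat detail

! With real traffic flowing, list live translations and connections.
show xlate
show conn address 10.0.0.5

! The router now sees every outside client as the ASA inside address, so the
! real client IP is recorded only on the ASA. Keep the translation and
! connection build messages (305011, 302013) so sessions can be attributed.
! Global configuration mode:
logging enable
logging buffered informational
! Privileged EXEC:
show logging | include 305011|302013
```

Because of the source translation, access lists and login records on the inside router can no longer distinguish individual 144.x.x.x clients, so per-client filtering has to stay in the ACL on the ASA outside interface.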