Migrate multiple static NAT from Cisco ASA 7.x to Cisco IOS router

Please assist in a design problem we have imminent. I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.

The ASA NAT config is below:

global (OUTSIDE) 1 interface
global (INSIDE) 1 interface
global (3RDPARTY) 1 interface
global (INTERNET) 1 interface
global (ADSL) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (3RDPARTY) 1 0.0.0.0 0.0.0.0
nat (WIRELESS) 0 access-list NO_NAT_WLS
nat (WIRELESS) 1 0.0.0.0 0.0.0.0
nat (VPN-TRANSIT) 0 access-list VPN-TRANSIT_nat0_outbound
nat (vlan99) 1 10.99.0.0 255.255.0.0
static (INSIDE,3RDPARTY) 172.31.45.98 10.111.0.104 netmask 255.255.255.255
static (WIRELESS,INSIDE) 10.111.1.0 192.168.27.0 netmask 255.255.255.0
static (INSIDE,WIRELESS) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (3RDPARTY,INSIDE) 10.110.0.15 172.31.45.100 netmask 255.255.255.255
static (WIRELESS,INSIDE) Handheld_nat Handheld netmask 255.255.255.255

Is it possible all I need is static inside to outside statements, as they are two-way in IOS?  Any ideas or comments will be gratefully received!

2 Replies

game123
Level 1

What is the exact problem you are facing in NAT? Routers support both static and dynamic NAT?

And a router can have subinterfaces also ....

It is your choice and method how you want to deploy the settings?

Give diagram or further details in table form to know more of your requirements?

NAT on router is available even if you have basic IP BASE OS in router?

Thank you for your reply - I think at this stage I am just trying to verify some base NAT config that I should put on the router. I would post a problem with the functionality in a different discussion.

I was planning to use the "overload" command and an access-list identifying subnets to exclude and allow, to create dynamic NAT (PAT) on both the Public Internet and 3rd party interfaces (one statement for each interface). Then use some static NAT statements to map the host to host translations on the 172.31 (3rd party) and 10.110 & 10.111 (Inside private) subnets.

I understand that an interface has to have either an "inside" or "outside" statement to participate in NAT, so I guess that I must assign the "outside" statement to the 3rd party interface, or else our internal 10.110 addresses will not be hidden. I do not think it will be a problem, as I believe the 3rd party subnet does not need to access the Internet (presuming this would be impossible as they are both "outside" NAT interfaces?).

I have included a basic diagram of the target router.
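
Added example, not part of the thread or either poster's configuration: a Python translation of the ASA 7.x `static (real_ifc,mapped_ifc) mapped real` lines posted above into IOS static NAT commands, flagging entries that have no direct equivalent. The inside/outside assignment in `DOMAIN` is an assumption that follows the stated plan of making the 3rd party interface "outside"; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the static lines in the post above.
ASA_STATICS = """\
static (INSIDE,3RDPARTY) 172.31.45.98 10.111.0.104 netmask 255.255.255.255
static (WIRELESS,INSIDE) 10.111.1.0 192.168.27.0 netmask 255.255.255.0
static (INSIDE,WIRELESS) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (3RDPARTY,INSIDE) 10.110.0.15 172.31.45.100 netmask 255.255.255.255
static (WIRELESS,INSIDE) Handheld_nat Handheld netmask 255.255.255.255
"""

# Assumption: which ASA interfaces become "ip nat inside" / "ip nat outside".
DOMAIN = {"INSIDE": "inside", "WIRELESS": "inside", "3RDPARTY": "outside"}

STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def translate(line, domain=DOMAIN):
    """Return an IOS command, or a '! REVIEW' comment when there is no direct equivalent."""
    line = line.strip()
    m = STATIC_RE.match(line)
    if not m:
        return f"! REVIEW (not a static): {line}"
    real_if, mapped_if, mapped, real, mask = m.groups()
    if not (is_ip(mapped) and is_ip(real)):
        return f"! REVIEW (resolve ASA names first): {line}"
    if mapped == real:
        return f"! REVIEW (identity static, no translation): {line}"
    src, dst = domain.get(real_if), domain.get(mapped_if)
    if src is None or dst is None or src == dst:
        return f"! REVIEW (both interfaces in same NAT domain): {line}"
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    net = "" if prefix == 32 else "network "
    tail = "" if prefix == 32 else f" /{prefix}"
    # ASA order is mapped-then-real; IOS takes the real address first.
    return f"ip nat {src} source static {net}{real} {mapped}{tail}"

def translate_all(text=ASA_STATICS):
    return [translate(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    print("\n".join(translate_all()))
```

The `ip nat outside source static` line it emits for the (3RDPARTY,INSIDE) entry also needs a route for 10.110.0.15 pointing out the outside interface (or the `add-route` keyword), because IOS routes inside-to-outside traffic before translating it.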
