Static nat policy question - different external destinations

Maybe (hopefully) someone can either help me with, or clarify the limitations of, Cisco ASA static NAT policy on FWSM 4.1.4 (in transparent mode).

I am trying to set up a static policy NAT for port forwarding (redirection), and I suppose I'm asking too much.

  • I want traffic coming from sources "a", "b", and "c" to a single public destination (1.2.3.4) on port 443 to go to internal/translated address 3.3.3.3 port 443.
  • I want traffic coming from sources "d", "e", and "f" to a single public destination (1.2.3.4) on port 443 to go to internal/translated address 4.4.4.4 port 443.

This doesn't seem to be possible on the FWSM, since creating the second static policy above after creating the first one results in complaints about the address already being in use by the first policy.

Additionally, and this is the part that has me stumped: when I create the first static NAT policy using ASDM and place a network group (with a, b, c in it) into the "destination" field, the FWSM translates ANY IP address with the rule, not just external a, b, c. What is the point of the "destination" field if the static policy doesn't obey it?

BTW, I've also tried this from the CLI by creating an entirely different access list rather than the out-of-the-box inside_nat_static; it gave me the same complaint about having duplicate addresses. I've seen something about FWSM not supporting source NATing; not sure if this is exactly that...
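For reference, here is how the two policy static entries described in the post would be written in pre-8.3 ASA/FWSM CLI syntax. This is an added illustration, not configuration from the original post; the client addresses 10.1.1.1 through 10.1.1.6, the interface names and the access-list names are assumed for the example, and the comments note what the poster reports happening. In policy NAT the access list is written from the inside (real) side: the source is the real inside host and the destination is the outside client that the rule should match.

```text
! Clients a, b, c (assumed 10.1.1.1-3) -> 1.2.3.4:443 should reach 3.3.3.3:443
access-list POLICY_NAT_3 extended permit tcp host 3.3.3.3 eq 443 host 10.1.1.1
access-list POLICY_NAT_3 extended permit tcp host 3.3.3.3 eq 443 host 10.1.1.2
access-list POLICY_NAT_3 extended permit tcp host 3.3.3.3 eq 443 host 10.1.1.3
static (inside,outside) 1.2.3.4 access-list POLICY_NAT_3

! Clients d, e, f (assumed 10.1.1.4-6) -> 1.2.3.4:443 should reach 4.4.4.4:443
access-list POLICY_NAT_4 extended permit tcp host 4.4.4.4 eq 443 host 10.1.1.4
access-list POLICY_NAT_4 extended permit tcp host 4.4.4.4 eq 443 host 10.1.1.5
access-list POLICY_NAT_4 extended permit tcp host 4.4.4.4 eq 443 host 10.1.1.6
! The poster reports that the FWSM rejects this second static, because the
! mapped address 1.2.3.4 is already in use by the first policy.
static (inside,outside) 1.2.3.4 access-list POLICY_NAT_4
```

Before and after each `static` command, `show xlate` and `show nat` on the FWSM will show which policy is actually installed and what it matches; that is the quickest way to confirm whether the "destination" hosts in the access list are being honoured or whether the translation is being applied to every source, as the poster observed.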