Twice NAT due to asymmetric routing

jamescox3
Level 1

I have a business requirement that has traffic for an application going through firewall A and web traffic through firewall B. Due to the specialized routing needs for this application, if a user outside the network tries to access our public-facing web servers we end up with the traffic entering firewall B and leaving firewall A, so asymmetric routing.

What I would like to do is bring in all traffic coming from 123.123.123.0/24 (outside) destined for 222.222.222.222 (NATed to 11.11.11.11 inside) and NAT those external addresses to 10.10.10.0/24.

I think that this is a twice NAT but haven't been able to follow the Cisco examples, as they are taking an internal host and NATing it outbound; I'm looking to do the reverse.

3 Replies

Jouni Forss
VIP Alumni

Hi,

You did not mention the software version of your ASA. Twice NAT is easier and more common on the 8.3+ software levels.

So if I understood correctly, the internal server should be NATed to 222.222.222.222 from the real IP address 11.11.11.11, and the external source subnet 123.123.123.0/24 should be NATed to 10.10.10.0/24 when connecting to the mentioned NAT IP address of 222.222.222.222?

If so, then the configuration in 8.3+ format could be

 

object network SERVER-REAL
 host 11.11.11.11

object network SERVER-MAPPED
 host 222.222.222.222

object network EXT-SUBNET-REAL
 subnet 123.123.123.0 255.255.255.0

object network EXT-SUBNET-MAPPED
 subnet 10.10.10.0 255.255.255.0

nat (inside,outside) source static SERVER-REAL SERVER-MAPPED destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL

Naturally the above "object" names are more meant to give you an idea of what purpose they hold. A better naming policy could surely be used. :)

The above NAT configuration would do a 1:1 Static NAT for the source addresses as the real and mapped subnet are of equal size. You could change this to Dynamic PAT if the actual situation holds different size subnets.

Hope this helps :)

- Jouni

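What the twice-NAT rule in the answer above does to a packet in each direction, traced in an added Python model (example code written here, not ASA code and not from the answer): the object names and addresses come from the answer, while the function names and the constructed sample addresses are assumptions. It shows the 1:1 static mapping being invertible, which is what lets the return leg undo the forward translation, and the fall-through case where a source outside 123.123.123.0/24 does not match this rule at all.

```python
import ipaddress

# Model of the rule from the answer (constructed, not ASA code):
#   nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
#       destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL
SERVER_REAL = ipaddress.ip_address("11.11.11.11")        # object network SERVER-REAL
SERVER_MAPPED = ipaddress.ip_address("222.222.222.222")  # object network SERVER-MAPPED
EXT_REAL = ipaddress.ip_network("123.123.123.0/24")      # object network EXT-SUBNET-REAL
EXT_MAPPED = ipaddress.ip_network("10.10.10.0/24")       # object network EXT-SUBNET-MAPPED


def _map_1to1(addr, from_net, to_net):
    """Static 1:1 NAT between equal-size subnets: keep the host offset, swap the network."""
    if addr not in from_net:
        return None
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def translate(src, dst, ingress):
    """Apply the rule to a (src, dst) pair entering on 'outside' or 'inside'.

    Returns the translated pair, or None when this rule does not match
    (the ASA would then continue to other NAT rules, or route untranslated).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "outside":
        # Outside -> inside: dest must be the mapped server IP and the
        # source must lie in the real external subnet; both get rewritten.
        if dst != SERVER_MAPPED:
            return None
        new_src = _map_1to1(src, EXT_REAL, EXT_MAPPED)
        return None if new_src is None else (str(new_src), str(SERVER_REAL))
    if ingress == "inside":
        # Inside -> outside (the return leg): server real -> mapped,
        # external mapped -> real. This leg only works on the firewall
        # that applied the forward translation, which is the asymmetric-routing problem.
        if src != SERVER_REAL:
            return None
        new_dst = _map_1to1(dst, EXT_MAPPED, EXT_REAL)
        return None if new_dst is None else (str(SERVER_MAPPED), str(new_dst))
    raise ValueError("ingress must be 'outside' or 'inside'")


def round_trip(ext_src, server_dst):
    """True if the reply to a translated packet maps back to the original pair."""
    fwd = translate(ext_src, server_dst, "outside")
    if fwd is None:
        return False
    reply = translate(fwd[1], fwd[0], "inside")  # server answers the mapped source
    return reply == (server_dst, ext_src)
```

A dynamic PAT variant, as the answer mentions for unequal subnet sizes, would not be reversible this way without per-connection state.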
We are currently running 8.4.2, this head cold is preventing me from remembering vital details today.

Hi,

In that case your ASA should support the above configuration format.

Naturally I don't know what the interfaces are called on your ASA. Also I personally like to look at the big picture, especially when doing any special NAT configurations. Just so that I don't mess anything up :)

- Jouni
