03-19-2020 05:58 AM
I have a requirement where I need to configure Destination NAT for 200 hosts in a Cisco ASA. All of these are running separate applications, therefore one-to-one DNAT is mandatory. Instead of configuring 200 NAT rules, is there any way to include all of these in a single NAT rule?
Src: 192.168.1.0/24; Original Destination: 10.10.10.2-201; Translated Destination: 215.16.1.2-215.16.1.201
03-19-2020 01:56 PM
If you are looking for a range of IP NAT, you are going to have dynamic NAT, 1 to 1, based on what is available for outgoing.
If you are looking for 1-to-1 static NAT for incoming, you need to make the necessary reserve rules for those.
03-19-2020 11:23 AM
Hi,
Configure the following on the ASA, replacing the object names and the interface names. Make sure to have exactly the same number of IPs in the real object as in the mapped object if you want to preserve the host address:
! real (inside) addresses
object network INSIDE_LOCAL
subnet 192.168.1.0 255.255.255.0
! mapped addresses, same size as the real object so host bits are preserved
object network INSIDE_GLOBAL
subnet 10.10.10.0 255.255.255.0
! twice NAT, one rule for the whole network, static so it works in both directions
nat (inside,outside) 1 source static INSIDE_LOCAL INSIDE_GLOBAL
The above configuration means the NAT'ing happens like that for those sources, regardless of the destination. In case you want this NAT to happen only when traffic is destined to specific IPs, you also need to configure the "destination static" part of the twice NAT statement.
Regards,
Cristian Matei.
Hi,
Yes, I understood what you're looking for; I offered you the working config using object NAT, which is the recommended way for what you're looking for. With the provided config, you will have a one-to-one mapping, with host preservation, between 10.10.10.x/24 and 20.20.20.x/24; being a static NAT, it's gonna work bidirectionally:
- traffic sourced from the inside, from 10.10.10.x, when routed outside gets source NAT'ed into 20.20.2.x
- traffic sourced from outside and destined to 20.20.20.x, when routed on the inside gets destination NAT'ed into 10.10.10.x
Whether traffic is allowed to flow either way is controlled by your security levels, security zones, and ACLs.
Regards,
Cristian Matei.
03-20-2020 02:03 AM
Hello Secure MS10,
Unfortunately, there is no such solution you are looking for. You need to add a static entry for each internal IP. For example, if you are looking for 1-to-1 NAT for 200 IPs, then you need to add 200 entries and allow specific traffic using an ACL on the outside interface.
Please rate if you find my answer useful.
03-21-2020 05:28 AM
Hi,
@Spooster IT Services This is not correct; test the config I posted above and you will see it working. You can do network-to-network static NAT as I outlined.
Regards,
Cristian Matei.
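As an added example (not code from any post in this thread), the following Python models what a single network-to-network static NAT rule does: each real host is mapped to the host with the same host bits in the mapped network, in both directions, and the equal-size requirement stated above is enforced. The subnets are the ones from the original question; the class and function names are my own.

```python
import ipaddress


class StaticNetworkNat:
    """One static, host-preserving NAT rule between two equally sized networks.

    Mirrors the behaviour of 'nat (inside,outside) source static REAL MAPPED'
    when the real and mapped objects are the same size: the host portion of
    the address is kept, only the network portion is swapped.
    """

    def __init__(self, real_net, mapped_net):
        self.real = ipaddress.ip_network(real_net)
        self.mapped = ipaddress.ip_network(mapped_net)
        # The thread's caveat: objects of different sizes cannot preserve host addresses.
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("real and mapped objects must contain the same number of addresses")

    @staticmethod
    def _translate(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None  # rule does not match; the ASA would fall through to other rules
        host_offset = int(addr) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + host_offset))

    def outbound(self, src_addr):
        """Inside -> outside: the source is rewritten real -> mapped."""
        return self._translate(src_addr, self.real, self.mapped)

    def inbound(self, dst_addr):
        """Outside -> inside: the destination is rewritten mapped -> real."""
        return self._translate(dst_addr, self.mapped, self.real)


def build_dnat_table(rule, first_host, last_host):
    """Enumerate the inbound destination translations covered by one rule.

    Used here to show that the 200 hosts from the question (.2 to .201) are
    all handled by a single network-to-network rule.
    """
    lo, hi = int(ipaddress.ip_address(first_host)), int(ipaddress.ip_address(last_host))
    table = {}
    for n in range(lo, hi + 1):
        mapped = str(ipaddress.ip_address(n))
        table[mapped] = rule.inbound(mapped)
    return table


if __name__ == "__main__":
    rule = StaticNetworkNat("10.10.10.0/24", "215.16.1.0/24")
    for mapped, real in build_dnat_table(rule, "215.16.1.2", "215.16.1.201").items():
        print(f"{mapped} -> {real}")
```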