11-11-2013 06:03 AM - edited 03-11-2019 08:03 PM
I probably have done this before, but can't remember how. On 8.4 code, if I want to NAT a server to be seen by only one external IP by a certain IP, but dynamic to all else, easy to do.
10.10.0.4 > 10.100.100.3, translated to outside 192.168.100.4.
10.10.0.4 > 0.0.0.0, translated dynamic outside interface
I don't remember how I was able to do this on 8.2 code.
11-11-2013 06:10 AM
Hi,
I guess you would be talking about Static Policy NAT? I imagine your aim is to translate the host 10.10.0.4 to IP address 192.168.100.4 when the host 10.10.0.4 is connecting to host 10.100.100.3 and all other traffic should match the default Dynamic PAT configuration?
If the above mentioned situation applies then the configuration would be this
access-list STATIC-POLICY-NAT remark Static Policy NAT 10.10.0.4 -> 10.100.100.3
access-list STATIC-POLICY-NAT permit ip host 10.10.0.4 host 10.100.100.3
static (inside,outside) 192.168.100.4 access-list STATIC-POLICY-NAT
The "access-list" defines when the translation should be performed and the "static" command applies that "access-list" in an actual translation configuration.
Only thing to consider with this type of configuration and the software levels 8.2 (and lower) is the fact that IF you had a Static NAT for this internal host towards the same external interface then you would have to insert the above configuration and then remove the Static NAT and enter the Static NAT again. The reason is that Static NAT and Static Policy NAT are treated equally by the ASA. The order of the commands therefore decides which "static" configuration is applied. The earlier change is meant to change the order in the CLI configuration.
Though in your case you said there is only Dynamic PAT/NAT so it should not be a problem. Thought I'd still mention it just in case.
With regards to the actual configuration above you can naturally switch the ACL name and use the "remark" line or not.
Hope this helps
- Jouni
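The ordering caveat in the answer above can be checked on a saved 8.2 configuration before relying on a Static Policy NAT. This is an added example, not part of the original replies: the function name, the sample configuration and the 192.168.100.10 address are constructed, and it only handles plain host Static NAT lines and ACLs whose source is a single `host`.

```python
import re

# Constructed sample in ASA 8.2 syntax (not the poster's device): a plain
# Static NAT for 10.10.0.4 sits above the Static Policy NAT from the answer.
SAMPLE_CONFIG = """\
access-list STATIC-POLICY-NAT permit ip host 10.10.0.4 host 10.100.100.3
static (inside,outside) 192.168.100.10 10.10.0.4 netmask 255.255.255.255
static (inside,outside) 192.168.100.4 access-list STATIC-POLICY-NAT
"""

# groups: real_if, mapped_if, mapped_ip, acl_name (policy) or real_ip (plain)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (?:access-list (\S+)|(\S+))")
# "remark" lines do not match; only "permit ip host <src> ..." entries are read
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) ")

def find_shadowed_policy_nat(config):
    """Return (policy_line, static_line, real_ip) for every Static Policy NAT
    that comes after a plain Static NAT for the same host and interface pair."""
    acl_sources = {}  # ACL name -> set of source host IPs
    statics = []      # (line_no, real_if, mapped_if, acl_name, real_ip)
    for no, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acl_sources.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((no, m.group(1), m.group(2), m.group(4), m.group(5)))
    findings = []
    seen_plain = {}   # (real_if, mapped_if, real_ip) -> line of first plain static
    for no, real_if, mapped_if, acl, real_ip in statics:
        if acl is None:
            seen_plain.setdefault((real_if, mapped_if, real_ip), no)
            continue
        # "static" lines are evaluated in configuration order, so an earlier
        # plain static for the same host is applied instead of this policy entry.
        for src in sorted(acl_sources.get(acl, ())):
            earlier = seen_plain.get((real_if, mapped_if, src))
            if earlier is not None:
                findings.append((no, earlier, src))
    return findings

if __name__ == "__main__":
    for policy_no, static_no, ip in find_shadowed_policy_nat(SAMPLE_CONFIG):
        print(f"line {policy_no}: policy NAT for {ip} is shadowed by static on line {static_no}")
```

A finding means the plain Static NAT has to be removed and re-entered so that it lands below the policy entry, as the answer describes.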
11-11-2013 06:18 AM
That looks familiar, I will give it a try, Thanks!
11-11-2013 06:36 AM
That was exactly what I was looking for, worked as I had hoped it would. Thinking back, I had done this before, but for the opposite thing, to use the inside IP of the ASA in the rewrite so the internal server could respond to it and not its default.
Thanks, 5 Stars!
11-11-2013 06:40 AM
Hi,
Great to hear it's working.
Thank you for marking the correct answer.
- Jouni