03-18-2013 01:51 PM - edited 03-11-2019 06:15 PM
Hi everyone,
I have a question.
I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:
If I wanted this:
192.168.2.30:1234 to publicIP:1234
192.168.2.31:1234 to publicIP:1235
192.168.2.32:1234 to publicIP:1236
Any thoughts?
03-18-2013 02:08 PM
It's impossible to NAT multiple IP addresses to ONE IP address and keep the source port consistent. The Firewall/Router uses the source port to determine what server should get the return traffic.
So other than the 192.168.2.30:1234 --> publicIP:1234, the rest is pretty easy to do with a simple dynamic NAT:
nat (inside) 55 192.168.2.0 255.255.255.0
global (outside) 55
The "55" above just ties the "nat" command to the "global" command, feel free to use any number you wish. Keep in mind that this is only one directional. The hosts on the outside wouldn't be able to use the
Afterthought: I just re-read your post, and I may have misunderstood. Are you already doing the NAT on the Router and just wish to pass the traffic through on the ASA? If so, NAT Exemption or Identity NAT is what you need -- or just disable nat-control.
03-19-2013 07:14 AM
Correct, I am doing NAT currently on the 7100. I am trying to just pass the NAT translations through the ASA. Our situation is we have a small data center that we only have a few clients in at the moment. The ASA is our edge device, and is doing the routing for the data center currently. We have NAT translations on the ASA for other things but need these certain translations to be able to pass through the ASA no issue. If I understand correctly, disabling nat-control will disable it for everything correct? Is there a way to just allow these translations through?
Thank you for the quick response!
03-19-2013 07:25 AM
Hi,
Configuration format depends on your firewall software level
If you want to configure the ASA so that certain hosts with the public NAT IP from the router need to simply bypass any NAT on the ASA then you can configure NAT0 / NAT Exemption / Identity NAT as Eddie stated above.
The command "nat-control" is a global setting.
8.2 and older software level configuration format is
access-list INSIDE-NAT0 remark Bypass NAT for Internet host
access-list INSIDE-NAT0 permit ip host
access-list INSIDE-NAT0 permit ip host
nat (inside) 0 access-list INSIDE-NAT0
8.3 and newer software configuration format is
object-group network NAT0-SOURCE
 network-object host
 network-object host
nat (inside,outside) source static NAT0-SOURCE NAT0-SOURCE
- Jouni
03-19-2013 07:37 AM
Jouni,
Thank you for the response.
I will give that a try and see if it works!
For the post 8.3 commands, the nat is in the global config area correct? Or is it under that object?
Thank you,
Derrick
03-19-2013 07:42 AM
The 8.3+ configuration that I made in the previous reply is a Section 1 Twice NAT / Manual NAT type configuration.
So it's not configured under any "object" but rather uses "object"/"object-group" as its parameters.
One of the reasons for this configuration format is also the fact that this will override any other NAT configurations from matching to this traffic.
Of course the complete picture depends on your current NAT configuration on the ASA.
Also unless you have already done so, confirm that these public NAT IP addresses have routing configured on the upstream ISP router. The ISP has to have a route for these public IP addresses towards the ASA.
- Jouni
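As an added illustration of the two replies above (not code from the thread or from Cisco), the following Python script models how the ASA walks its NAT table on 8.3 and newer: Section 1 manual/twice NAT is consulted before Section 2 object NAT, so the identity rule built from the NAT0-SOURCE object-group wins over a broader dynamic PAT rule, which is the "override" behaviour Jouni describes. It also emits the 8.2 nat 0 and 8.3 twice-NAT lines for a list of hosts. The addresses are constructed for the example (the 7100 is assumed to have already mapped 192.168.2.30-32 to 203.0.113.10-12, and the ASA outside interface is assumed to be 198.51.100.1); the catch-all PAT rule and the nat_control flag are assumptions standing in for whatever other NAT the ASA already carries. Within Section 2 the real ASA orders rules by type and prefix length; this model simply walks them in the listed order.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """One ASA 8.3+ NAT rule. section 1 = manual/twice NAT, 2 = object (auto) NAT,
    3 = manual NAT placed 'after-auto'. mapped=None means identity (no translation)."""
    name: str
    section: int
    src_iface: str
    dst_iface: str
    real_sources: List[IPv4Network]
    mapped: Optional[IPv4Address]


def render_nat0_82(acl_name: str, hosts: List[str]) -> str:
    """8.2 and older: NAT exemption via 'nat (inside) 0 access-list'."""
    lines = [f"access-list {acl_name} remark Bypass ASA NAT for hosts already translated on the 7100"]
    lines += [f"access-list {acl_name} permit ip host {h} any" for h in hosts]
    lines.append(f"nat (inside) 0 access-list {acl_name}")
    return "\n".join(lines)


def render_nat0_83(group_name: str, hosts: List[str]) -> str:
    """8.3 and newer: Section 1 twice NAT using the same object-group as real and mapped source."""
    lines = [f"object-group network {group_name}"]
    lines += [f" network-object host {h}" for h in hosts]
    lines.append(f"nat (inside,outside) source static {group_name} {group_name}")
    return "\n".join(lines)


def translate(rules: List[NatRule], src_iface: str, dst_iface: str, src_ip: str,
              nat_control: bool = False) -> Tuple[Optional[str], Optional[str]]:
    """Walk the NAT table in ASA order: Section 1, then 2, then 3; first match wins.
    Returns (rule name, translated source). With nat_control (8.2 behaviour, assumed
    here) a flow that matches no rule is dropped and (None, None) is returned."""
    ip = ip_address(src_ip)
    for section in (1, 2, 3):
        for r in rules:
            if r.section != section or (r.src_iface, r.dst_iface) != (src_iface, dst_iface):
                continue
            if any(ip in net for net in r.real_sources):
                return r.name, (src_ip if r.mapped is None else str(r.mapped))
    return (None, None) if nat_control else (None, src_ip)


# Constructed addresses (documentation ranges): the 7100 is assumed to have already
# translated 192.168.2.30-32 to 203.0.113.10-12, so those are the sources the ASA sees.
ROUTER_PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
ASA_OUTSIDE_IP = IPv4Address("198.51.100.1")  # assumed ASA outside interface address

RULES = [
    # What render_nat0_83(...) produces: Section 1 identity NAT for the router's public IPs.
    NatRule("NAT0-SOURCE identity", 1, "inside", "outside",
            [ip_network(h + "/32") for h in ROUTER_PUBLIC_IPS], None),
    # Assumed pre-existing Section 2 dynamic PAT for everything else leaving inside
    # (the 8.3 form of a catch-all 'nat'/'global' pair).
    NatRule("catch-all dynamic PAT", 2, "inside", "outside",
            [ip_network("0.0.0.0/0")], ASA_OUTSIDE_IP),
]


def demo() -> dict:
    """Which rule each constructed source hits on the way inside -> outside."""
    return {src: translate(RULES, "inside", "outside", src)
            for src in ("203.0.113.10", "203.0.113.12", "192.168.2.50", "10.0.0.5")}


if __name__ == "__main__":
    print(render_nat0_82("INSIDE-NAT0", ROUTER_PUBLIC_IPS))
    print(render_nat0_83("NAT0-SOURCE", ROUTER_PUBLIC_IPS))
    for src, (rule, mapped) in demo().items():
        print(f"{src:15} -> {mapped:15} via {rule}")
```

Running it shows the router's public IPs leaving the ASA unchanged while 192.168.2.50 is PATed to the outside address; removing the Section 1 rule (RULES[1:]) makes the catch-all PAT swallow 203.0.113.10 too, which is the failure the NAT exemption exists to prevent. The last check from the thread still has to be done on the ISP side: the model says nothing about whether 203.0.113.0/24 is actually routed toward the ASA.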
03-19-2013 07:54 AM
Alrighty, thank you very much Jouni. I will check with all of this and see what happens.
Thank you again,
Derrick