ASA 8.0 Nat 1 machine to 1 IP, dynamic the rest?

tahequivoice · ‎10-16-2012

On8.3/8.4 I can setup a translation to translate an internal host to another outside IP addres, only for connecting to one outside host, and the rest of the translations to outside are done dynamic using the outside IP.

Can this be done on 8.0 code?

Jennifer Halim · ‎10-16-2012

Sure can...

Example:

internal host: 10.1.1.1

destination: 200.1.1.1

to be PATed to: 80.1.1.1

access-list nat-10 permit ip host 10.1.1.1 host 200.1.1.1

nat (inside) 5 access-list nat-10

global (outside) 5 80.1.1.1

With NAT statement, the more specific one will take precedence over the less specific ones.

tahequivoice · ‎10-23-2012

Hi I tried this, and I can see the ARP entry externally, but I can not reach the outside IP from the server. Is the connection initiated internally for this?

Jennifer Halim · ‎10-23-2012

Yes, nat/global pair is intended for outbound only connection (initiated from inside).

If you need both inbound and outbound connection for this, you would need to configure static policy NAT as follows:

access-list nat-10 permit ip host 10.1.1.1 host 200.1.1.1

static (inside,outside) 80.1.1.1 access-list nat-10

and you would need to remove the above nat and global statement, and "clear xlate".