ASA 8.3 configuration of double NAT (SRC and DST) question

joerggrau · ‎05-19-2011

I am setting up a new ASA running 8.3 and I am having problems with configuring double NATs.

Here is the thing I am trying to solve:

Original Packet

SRC: 1.1.1.1

DST: 1.1.1.10

After it hits the firewall and it comes out on the outside interface I want this:

SRC: 2.2.2.1

DST: 2.2.2.10

Now when I set this up the way I did in 8.0(4) it just ain't working.

All the NAT examples I can find are simple NATs, I have not been able to find an example of a SRC and DST NAT.

Any help would be appreciated.

Thanks

Joerg

Maykol Rojas · ‎05-19-2011

Try this

nat (inside,outside) source static 1.1.1.1 2.2.2.1 destination static 2.2.2.10 1.1.1.10

Let me know.

Mike

varrao · ‎05-19-2011

I guess 8.3 NAT is flow based and you would need the following:

Object network A

host 1.1.1.1

Object network B

host 2.2.2.1

Object network C

host 1.1.1.10

Object network D

host 2.2.2.10

nat (inside,outside) source static A B destination static C D

or

nat (outside,inside) source static D C destination static B A

both of them would hold true in your case.

this should work for you.

Thanks,

Varun

Thanks,
Varun Rao

joerggrau · ‎05-20-2011

Okay, I can see how that would work. Is 8.3 so precise that I need a double pair of NAT statements for each possible conenctivity?

In 8.0 I would do something along the following lines: