Beginner

ASA 8.3 configuration of double NAT (SRC and DST) question

I am setting up a new ASA running 8.3 and I am having problems with configuring double NATs.

Here is the thing I am trying to solve:

Original Packet

SRC: 1.1.1.1

DST: 1.1.1.10

After it hits the firewall and it comes out on the outside interface I want this:

SRC: 2.2.2.1

DST: 2.2.2.10

Now when I set this up the way I did in 8.0(4), it just isn't working.

All the NAT examples I can find are simple NATs, I have not been able to find an example of a SRC and DST NAT.

Any help would be appreciated.

Thanks

Joerg

3 Replies
Cisco Employee

Re: ASA 8.3 configuration of double NAT (SRC and DST) question

Try this

nat (inside,outside) source static 1.1.1.1 2.2.2.1 destination static 2.2.2.10 1.1.1.10

Let me know.

Mike

Advocate

Re: ASA 8.3 configuration of double NAT (SRC and DST) question

I guess 8.3 NAT is flow based and you would need the following:

object network A
 host 1.1.1.1
object network B
 host 2.2.2.1
object network C
 host 1.1.1.10
object network D
 host 2.2.2.10

nat (inside,outside) source static A B destination static C D

or

nat (outside,inside) source static D C destination static B A

both of them would hold true in your case.

this should work for you.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

Re: ASA 8.3 configuration of double NAT (SRC and DST) question

Okay, I can see how that would work.  Is 8.3 so precise that I need a double pair of NAT statements for each possible connectivity?

In 8.0 I would do something along the following lines:

object network A
 host 1.1.1.1
object network B
 host 2.2.2.1
object network C
 host 1.1.1.10
object network D
 host 2.2.2.10

nat (inside,outside) source static A B destination static any any

nat (outside,inside) source static C D destination static any any

This would then do the NATs correctly for any destination in the outside/inside network.  This does not seem to be working anymore.  Do I now need to be more precise with my NAT statements?  And if so, can I at least use group objects?

Thanks

Joerg
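The following is an added example, not part of the thread and not Cisco code: a small Python model of the 8.3 twice NAT lookup that runs Varun's single `source static A B destination static C D` rule (in both the `(inside,outside)` and `(outside,inside)` spellings) and Joerg's follow-up pair of `destination static any any` rules against the original packet, so the difference between the two approaches can be seen on realistic addresses. It models only the semantics the thread turns on and these are stated as assumptions of the model, not as a description of the ASA rule engine: section 1 (twice NAT) rules are evaluated in order and the first match wins; a static twice NAT rule written for one interface pair also matches the reverse direction; `any` matches everything and translates to itself; and the destination pair on the CLI is written mapped-then-real. Ports, auto (object) NAT, routing and proxy ARP are out of scope. Object names A to D and the interface names are the ones from the thread.

```python
"""Toy model of ASA 8.3 twice NAT (added example, not from the thread or Cisco).

Assumptions of the model (not a full ASA rule engine): section-1 twice NAT
rules are evaluated in order and the FIRST match wins; a static twice NAT rule
matches traffic in both directions across its interface pair; 'any' matches
everything and translates to itself. Ports, auto/object NAT, routing and
proxy ARP are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"

# Host objects from the thread, written as plain addresses here.
A, B = "1.1.1.1", "2.2.2.1"      # inside host: real address, mapped address
C, D = "1.1.1.10", "2.2.2.10"    # outside host: address seen from inside (mapped), real address


def matches(obj: str, addr: str) -> bool:
    """'any' matches everything; otherwise test membership in the host/network object."""
    return obj == ANY or ip_address(addr) in ip_network(obj, strict=False)


def translate(real: str, mapped: str, addr: str) -> str:
    """Static one-to-one translation: keep the offset inside the object; 'any' is identity."""
    if real == ANY or mapped == ANY:
        return addr
    real_net = ip_network(real, strict=False)
    mapped_net = ip_network(mapped, strict=False)
    offset = int(ip_address(addr)) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static src_real src_mapped
                              destination static dst_mapped dst_real
    CLI order: the source pair is real-then-mapped, the destination pair mapped-then-real."""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str

    def apply(self, ingress: str, egress: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Translated (src, dst) if this rule matches the packet, else None."""
        if (ingress, egress) == (self.real_if, self.mapped_if):
            # Forward direction: source is seen as real, destination as mapped.
            if matches(self.src_real, src) and matches(self.dst_mapped, dst):
                return (translate(self.src_real, self.src_mapped, src),
                        translate(self.dst_mapped, self.dst_real, dst))
        elif (ingress, egress) == (self.mapped_if, self.real_if):
            # Reverse direction: the same static rule read backwards.
            if matches(self.dst_real, src) and matches(self.src_mapped, dst):
                return (translate(self.dst_real, self.dst_mapped, src),
                        translate(self.src_mapped, self.src_real, dst))
        return None


def apply_nat(rules: List[TwiceNat], ingress: str, egress: str,
              src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Section-1 lookup: the first matching rule wins; None when nothing matches."""
    for rule in rules:
        result = rule.apply(ingress, egress, src, dst)
        if result is not None:
            return result
    return None


# Varun's single rule, and the same rule written from the outside interface.
VARUN = [TwiceNat("inside", "outside", A, B, C, D)]
VARUN_REVERSED = [TwiceNat("outside", "inside", D, C, B, A)]

# Joerg's follow-up: two separate rules, each with "destination static any any".
JOERG = [TwiceNat("inside", "outside", A, B, ANY, ANY),
         TwiceNat("outside", "inside", C, D, ANY, ANY)]

if __name__ == "__main__":
    pkt = ("inside", "outside", A, C)   # original packet: SRC 1.1.1.1 -> DST 1.1.1.10
    print("one twice-NAT rule  :", apply_nat(VARUN, *pkt))           # ('2.2.2.1', '2.2.2.10')
    print("same rule, reversed :", apply_nat(VARUN_REVERSED, *pkt))  # ('2.2.2.1', '2.2.2.10')
    print("two 'any any' rules :", apply_nat(JOERG, *pkt))           # ('2.2.2.1', '1.1.1.10')
    # Return traffic for the flow the single rule created, outside -> inside:
    print("return traffic      :", apply_nat(VARUN, "outside", "inside", D, B))  # ('1.1.1.10', '1.1.1.1')
```

In the model, the single rule rewrites both addresses of the packet, and its `(outside,inside)` spelling produces the same result, while the `any any` pair only ever lets the first rule fire for an inside-to-outside packet, so the source is rewritten and the destination is left at 1.1.1.10. On the appliance itself the equivalent checks are `show nat detail` (rule order and hit counts) and `packet-tracer input inside tcp 1.1.1.1 1025 1.1.1.10 80`, which reports the NAT rule a synthetic packet matched and the resulting addresses.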