05-19-2011 07:55 PM - edited 03-11-2019 01:35 PM
I am setting up a new ASA running 8.3 and I am having problems with configuring double NATs.
Here is the thing I am trying to solve:
Original Packet
SRC: 1.1.1.1
DST: 1.1.1.10
After it hits the firewall and it comes out on the outside interface I want this:
SRC: 2.2.2.1
DST: 2.2.2.10
Now when I set this up the way I did in 8.0(4) it just ain't working.
All the NAT examples I can find are simple NATs; I have not been able to find an example of a SRC and DST NAT.
Any help would be appreciated.
Thanks
Joerg
05-19-2011 08:02 PM
Try this
nat (inside,outside) source static 1.1.1.1 2.2.2.1 destination static 2.2.2.10 1.1.1.10
Let me know.
Mike
05-19-2011 08:21 PM
I guess 8.3 NAT is flow based and you would need the following:
Object network A
host 1.1.1.1
Object network B
host 2.2.2.1
Object network C
host 1.1.1.10
Object network D
host 2.2.2.10
nat (inside,outside) source static A B destination static C D
or
nat (outside,inside) source static D C destination static B A
Both of them would hold true in your case.
This should work for you.
Thanks,
Varun
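A simplified model of the two twice-NAT statements in the reply above, added here as an illustration (it is not from any poster and is not ASA code). It assumes static twice NAT is bidirectional and ignores ports, rule ordering and routing; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

@dataclass(frozen=True)
class TwiceNatRule:
    """Models: nat (real_if,mapped_if) source static src_real src_mapped
                                       destination static dst_mapped dst_real"""
    real_if: str
    mapped_if: str
    src_real: IP
    src_mapped: IP
    dst_mapped: IP  # destination as it is addressed on real_if
    dst_real: IP    # destination as it exists behind mapped_if

    def translate(self, ingress_if, src, dst):
        """Return (egress_if, src, dst) after NAT, or None if the rule does not match."""
        pair = (IP(src), IP(dst))
        # Forward direction: packet arrives on the rule's real interface.
        if ingress_if == self.real_if and pair == (self.src_real, self.dst_mapped):
            return self.mapped_if, str(self.src_mapped), str(self.dst_real)
        # Reverse direction: the same static rule un-translates the reply.
        if ingress_if == self.mapped_if and pair == (self.dst_real, self.src_mapped):
            return self.real_if, str(self.dst_mapped), str(self.src_real)
        return None

# Objects A-D as defined in the reply above.
A, B, C, D = IP("1.1.1.1"), IP("2.2.2.1"), IP("1.1.1.10"), IP("2.2.2.10")

# nat (inside,outside) source static A B destination static C D
RULE_1 = TwiceNatRule("inside", "outside", A, B, C, D)
# nat (outside,inside) source static D C destination static B A
RULE_2 = TwiceNatRule("outside", "inside", D, C, B, A)

def compare_rules():
    """Run the original packet and its reply through both rules."""
    flows = {
        "request": ("inside", "1.1.1.1", "1.1.1.10"),
        "reply": ("outside", "2.2.2.10", "2.2.2.1"),
    }
    return {name: (RULE_1.translate(*pkt), RULE_2.translate(*pkt))
            for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, (r1, r2) in compare_rules().items():
        print(f"{name}: rule 1 -> {r1}, rule 2 -> {r2}")
```

In this model either statement on its own rewrites the request to SRC 2.2.2.1 / DST 2.2.2.10 and restores the reply, and a packet to any other destination matches neither rule.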
05-20-2011 05:59 AM
Okay, I can see how that would work. Is 8.3 so precise that I need a double pair of NAT statements for each possible connectivity?
In 8.0 I would do something along the following lines:
Object network A
host 1.1.1.1
Object network B
host 2.2.2.1
Object network C
host 1.1.1.10
Object network D
host 2.2.2.10
nat (inside,outside) source static A B destination static any any
nat (outside,inside) source static C D destination static any any
This would then do the NATs correctly for any destination in the outside/inside network. This does not seem to be working anymore. Do I now need to be more precise with my NAT statements? And if so, can I at least use group objects?
Thanks
Joerg