Mudasir Abbas
ASA 8.3 Source Address Translation or Policy NAT

Scenario Detail:

Outside interface IP ASA: 1.1.1.1

Inside interface IP ASA: 2.2.2.1

Public IP address for NAT: 1.1.1.10

Server1 IP address: 10.10.10.10:25

Server2 IP address: 11.11.11.10:443

1) Server1 has a default route to ASA: no issues.

2) Server2 does not have a default route to ASA.

Initially, traffic destined for public IP 1.1.1.10:443 is statically NATed to Server2 11.11.11.10:443.

Server2 does not have a default route to the ASA; in that case the ASA can route to Server2, but Server2 cannot route back to the ASA for Internet addresses.

To overcome this situation, I think I should translate Internet (any) addresses (source addresses) to the ASA inside interface IP address.

So Server2 sees this connection coming from the ASA inside address.

Two NATs are required:

1) Static 11.11.11.10:443 > 1.1.1.10:443

2) a. Any > 1.1.1.10:443

First translation through static NAT:

b. Any > 11.11.11.10:443

Second translation of source address (Internet address):

c. 2.2.2.1 > 11.11.11.10:443

Is it doable? If yes, what would be the syntax for ASA 8.3?

Please do let me know if I missed something...

Your help will be highly appreciated.

Mudasir

Accepted Solution

Luis Silva Benavides (Cisco Employee)

Hi Mudasir,

Actually we can take advantage of the NAT simplification of 8.3.

This is how your config would look:

object network obj-1.1.1.10
  host 1.1.1.10
object network obj-11.11.11.10
  host 11.11.11.10
object service test-443
  service tcp destination eq 443
nat (outside,inside) source dynamic any interface destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443

I know it looks a little bit complicated, but you get used to it.

Luis Silva
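As an added illustration (not code from the thread or from Cisco), here is a small Python model of the twice-NAT rule above, walking a client connection through the steps a to c listed in the question and the reply back out; the client address 203.0.113.5 and the simple PAT port allocator are assumptions.

```python
from typing import Dict, NamedTuple, Optional, Tuple

# Addresses are taken from the scenario in the question.
ASA_INSIDE_IF = "2.2.2.1"            # "interface" keyword = ASA inside IP
MAPPED_SERVER2 = ("1.1.1.10", 443)   # object obj-1.1.1.10 + service test-443
REAL_SERVER2 = ("11.11.11.10", 443)  # object obj-11.11.11.10 + service test-443


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNatModel:
    """Illustrative model (not ASA code) of the single rule
    nat (outside,inside) source dynamic any interface
        destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443
    plus the xlate entries it creates. Everything else the ASA does is ignored."""

    def __init__(self) -> None:
        # PAT port on the inside interface -> original (client ip, client port)
        self.xlate: Dict[int, Tuple[str, int]] = {}
        self.next_port = 1024  # simplified PAT port allocator (assumption)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet arriving on 'outside'."""
        # Twice NAT matches source and destination together: only traffic to
        # the mapped address 1.1.1.10:443 (step a) is touched by this rule.
        if (pkt.dst, pkt.dport) != MAPPED_SERVER2:
            return None
        # Source dynamic -> interface: PAT the client behind 2.2.2.1 (step c),
        # so Server2 can answer without any route to Internet addresses.
        # Server2 therefore logs 2.2.2.1, not the real client, for every hit.
        port = self.next_port
        self.next_port += 1
        self.xlate[port] = (pkt.src, pkt.sport)
        # Destination static: 1.1.1.10:443 -> 11.11.11.10:443 (step b).
        return Packet(ASA_INSIDE_IF, port, REAL_SERVER2[0], REAL_SERVER2[1])

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Reply from Server2, addressed to the ASA inside interface."""
        if (pkt.src, pkt.sport) != REAL_SERVER2 or pkt.dst != ASA_INSIDE_IF:
            return None
        orig = self.xlate.get(pkt.dport)
        if orig is None:
            return None  # no xlate for this port: not a tracked connection
        # Untranslate both halves so the client sees 1.1.1.10:443 answering.
        return Packet(MAPPED_SERVER2[0], MAPPED_SERVER2[1], orig[0], orig[1])
```

Because the source is rewritten to 2.2.2.1, Server2's own logs no longer show the real client; the ASA connection and xlate tables are where that mapping has to be recorded.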


Thank you very much.

I knew it would work with Twice NAT, but the syntax never made sense in the Cisco DocCD.

Thanks again.

No problem! It was a pleasure.

Luis Silva