07-11-2012 05:58 AM - edited 03-11-2019 04:29 PM
Scenario Detail:
Outside interface IP ASA: 1.1.1.1
Inside Interface IP ASA: 2.2.2.1
Public IP Address for NAT: 1.1.1.10
Server1 IP Address: 10.10.10.10: 25
Server2 IP Address: 11.11.11.10: 443
1) Server1 has a default route to the ASA: no issues.
2) Server2 does not have a default route to the ASA.
Initially, traffic destined for the public IP 1.1.1.10:443 is statically NATed to Server2 11.11.11.10:443.
Server2 does not have a default route to the ASA; in that case the ASA can route to Server2, but Server2 cannot route back to the ASA for Internet addresses.
To overcome this situation, I think I should translate the Internet (any) addresses (source addresses) to the ASA inside interface IP address.
So the Server2 sees this connection coming from ASA inside address.
-Two NATs are required:
1) Static 11.11.11.10:443 > 1.1.1.10:443
2) a. Any > 1.1.1.10:443
   First translation through static NAT:
   b. Any > 11.11.11.10:443
   Second translation of the source address (Internet address):
   c. 2.2.2.1 > 11.11.11.10:443
Is it doable? If yes, what would be the syntax for ASA 8.3?
Please do let me know if I missed something...
Your help will be highly appreciated.
Mudasir
07-13-2012 07:26 PM
Hi Mudasir,
Actually we can take advantage of the NAT simplification of 8.3.
This is how your config would look:
object network obj-1.1.1.10
 host 1.1.1.10
object network obj-11.11.11.10
 host 11.11.11.10
object service test-443
 service tcp destination eq 443
nat (outside,inside) source dynamic any interface destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443
I know it looks a little bit complicated, but you get used to it.
Luis Silva
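To make the twice NAT rule above concrete, here is an added model (not from the thread or from Cisco) of what the ASA does to a flow in each direction, plus a check of why Server2 cannot answer without the source translation; Server2's route table (its own /24 and the ASA inside network, no default route) and the PAT port pool are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread. Server2's route table is an assumption: it knows
# its own LAN and the ASA inside network, but has no default route.
INSIDE_IF_IP = "2.2.2.1"
PUBLIC_IP, REAL_IP, PORT = "1.1.1.10", "11.11.11.10", 443
SERVER2_ROUTES = [ipaddress.ip_network("11.11.11.0/24"),
                  ipaddress.ip_network("2.2.2.0/24")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def server2_can_reply_to(ip: str) -> bool:
    """True if Server2 has a route covering the reply destination."""
    return any(ipaddress.ip_address(ip) in net for net in SERVER2_ROUTES)


class TwiceNat:
    """Models the rule from the answer: outside->inside flows to 1.1.1.10:443
    get their destination rewritten to 11.11.11.10:443 (static) and their
    source PAT'd to the ASA inside interface (dynamic); replies are
    untranslated from the xlate entry created on the forward path."""

    def __init__(self) -> None:
        self._next_pat_port = 1024  # constructed start of the PAT port pool
        self._xlate = {}            # inside-side flow -> original client flow

    def outside_to_inside(self, f: Flow):
        if (f.dst_ip, f.dst_port) != (PUBLIC_IP, PORT):
            return None  # does not match this rule; other NAT rules would apply
        pat_port = self._next_pat_port
        self._next_pat_port += 1
        translated = Flow(INSIDE_IF_IP, pat_port, REAL_IP, PORT)
        self._xlate[translated] = f
        return translated

    def inside_to_outside(self, reply: Flow):
        # The reply is addressed to the ASA inside interface; find the flow it
        # answers and restore the original client address and the public VIP.
        forward = Flow(reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        orig = self._xlate.get(forward)
        if orig is None:
            return None
        return Flow(PUBLIC_IP, PORT, orig.src_ip, orig.src_port)
```

Because the source is rewritten, Server2's own logs record 2.2.2.1 rather than the real client, so the ASA connection logs become the only place the original client address is kept.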
07-13-2012 07:56 PM
Thank you very much
I knew it would work with Twice NAT, but the syntax never made sense at Cisco DocCD.
Thanks Again.
07-13-2012 08:06 PM
No problem! It was a pleasure.
Luis Silva