02-20-2013 12:50 PM - edited 03-11-2019 06:03 PM
Looking for a solution to a NAT issue I have with NAT'ing one subnet to another on a 1-to-1 basis.
e.g.
static (inside,outside) 1.1.1.0 2.2.2.0 netmask 255.255.255.0
This would translate the internal 2.2.2.x IP address to 1.1.1.x IP address on the "outside". Is this still possible in 8.4 or above?
02-20-2013 12:55 PM
Hi,
Are you configuring this network to network NAT only for some VPN? In other words, should it only do this NAT if the destination of the connection is a certain network?
If you simply want to NAT a network to another network, I imagine the configuration format would be the following:
object network LAN-LOCAL
subnet 2.2.2.0 255.255.255.0
object network LAN-MAPPED
subnet 1.1.1.0 255.255.255.0
nat (inside,outside) source static LAN-LOCAL LAN-MAPPED
If this NAT should only happen with a certain destination network, the configuration would contain the following additional parameters:
object network DESTINATION
subnet 10.10.10.0 255.255.255.0
The NAT command would be:
nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static DESTINATION DESTINATION
Naturally, if you have more DESTINATION networks, you would use "object-group" to configure the multiple networks instead of an "object network", which can only contain a single subnet, range or host address.
Hope this helps
- Jouni
02-20-2013 01:30 PM
Hi Jouni,
I have tried the above with no success; taking it further, I tried adding
nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static LAN-LOCAL LAN-MAPPED
If I do a "show xlate", it would indicate that it should work:
NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
flags sT idle 0:02:34 timeout 0:00:00
NAT from outside:1.1.1.0/24 to inside:2.2.2.0/24
flags sT idle 0:02:34 timeout 0:00:00
However, a capture on the outside shows that the 2.2.2.x source remains untranslated.
02-20-2013 01:38 PM
Hi,
You should not use the "destination static LAN-LOCAL LAN-MAPPED" if your purpose is to always do the network-to-network NAT between the interfaces "inside" and "outside".
Here's the configuration from my own ASA:
object network LAN-LOCAL
subnet 10.0.1.0 255.255.255.0
object network LAN-MAPPED
subnet 1.1.1.0 255.255.255.0
nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED
Then to test its operation with "packet-tracer" (only copying/pasting the NAT phase):
ASA(config)# packet-tracer input LAN tcp 10.0.1.100 1234 1.2.3.4 80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED
Additional Information:
Static translate 10.0.1.100/1234 to 1.1.1.100/1234
As you can see, it's working as expected.
- Jouni
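The following is an added example, not configuration from either poster, that puts the thread's advice together for the original poster's own subnets (2.2.2.0/24 on "inside" presented as 1.1.1.0/24 on "outside") on ASA 8.4 or later, and appends the verification commands a practitioner would run before trusting a packet capture. The object names, the 10.10.10.0/24 destination network and the host 2.2.2.50 used in the packet-tracer call are constructed values for illustration.

```cisco
! Added example (not from the thread): ASA 8.4+ network-to-network static NAT.
! Objects for the real (inside) and mapped (outside) networks.
object network LAN-LOCAL
 subnet 2.2.2.0 255.255.255.0
object network LAN-MAPPED
 subnet 1.1.1.0 255.255.255.0
!
! Unconditional 1-to-1 network translation between "inside" and "outside".
! No "destination static" clause: the translation applies to every destination.
nat (inside,outside) source static LAN-LOCAL LAN-MAPPED
!
! Alternative, used INSTEAD of the rule above when the translation must only
! apply to traffic towards one destination network (e.g. a VPN peer's LAN).
! DEST-NET is a hypothetical object name; 10.10.10.0/24 is a constructed value.
! object network DEST-NET
!  subnet 10.10.10.0 255.255.255.0
! nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static DEST-NET DEST-NET
!
! Verification: simulate a flow from a constructed inside host. The NAT phase
! of the output should read "Static translate 2.2.2.50/1234 to 1.1.1.50/1234".
packet-tracer input inside tcp 2.2.2.50 1234 1.2.3.4 80
!
! Manual (twice) NAT rules in section 1 are matched top-down; an earlier rule
! covering the same source wins, so confirm ordering and hit counts here.
show nat detail
show xlate
```

If packet-tracer reports the expected static translation but a capture on the outside interface still shows the 2.2.2.x source, the first thing to rule out is an earlier manual NAT rule (or an untranslated flow already in the xlate table) taking precedence over the new rule, which "show nat detail" makes visible through rule order and per-rule hit counts.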