ASA 9.3 reverse NAT

hoffa2000
Level 3

Hi folks

Can the ASA do "reverse NAT"? Vendors have different names for this, but what I want to do is have my ASA translate incoming traffic from the Internet to an internal IP but have the traffic appear to the internal server as coming from the internal interface of the ASA.

 

Regards

Fredrik

Accepted Solutions

Stefan Menning
Level 1

What do you mean by "coming from the internal interface of the ASA"? Do you want the internal server to see a source IP from the same network that the ASA internal interface is in? Or do you want the source address to be the actual ASA internal interface IP?

Generally you should be able to accomplish this task with "twice NAT" (http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html), but I'm not sure if it works with the ASA interface IP.

Hi Stefan. Thank you for the pointer. It doesn't have to be the same IP as the ASA internal interface, could be any available IP on the internal network. I'll take a look at the twice NAT concept.

 

/Fredrik

Hi

Through some trial and error I managed to get it up and running. The command below allows any external IP to send email to my internal server using the firewall's Internet interface IP; the connection is then sent to my mail server using the firewall's internal interface IP as source.

 

nat (outside,inside) source dynamic any interface destination static interface Internal-IP-Of-Server service SMTP SMTP

 

Great stuff!
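The twice NAT rule from the post above in context, as an added example that is not part of the original thread: it shows the objects the rule references, a matching outside ACL, and commands to confirm the translation. Because every outside client is rewritten to the ASA inside interface address, the mail server's own logs and any IP-based relay or rate-limit rules see only that one address, so the original client IP has to be taken from the ASA's connection logs. The addresses, the object definitions and the ACL name OUTSIDE-IN are constructed assumptions.

```cisco
! --- Objects referenced by the NAT rule (addresses are constructed) ---
object network Internal-IP-Of-Server
 host 10.0.0.25
object service SMTP
 service tcp destination eq smtp
!
! --- Twice NAT rule from the thread ---
! Source:      any outside client -> ASA inside interface IP (dynamic PAT)
! Destination: ASA outside interface IP -> real mail server
! Service:     TCP/25 unchanged
nat (outside,inside) source dynamic any interface destination static interface Internal-IP-Of-Server service SMTP SMTP
!
! --- Outside ACL (hypothetical name) ---
! On ASA 8.3 and later the ACL matches the real server address,
! not the translated one. Permit SMTP only.
access-list OUTSIDE-IN extended permit tcp any object Internal-IP-Of-Server eq smtp
access-group OUTSIDE-IN in interface outside
!
! --- Verification (exec mode) ---
! Show the rule with its translate/untranslate hit counters.
show nat detail
! Show active translations; outside clients should appear mapped
! to the inside interface address.
show xlate
! Simulate a connection from a constructed outside client
! (198.51.100.7) to the constructed outside interface IP
! (203.0.113.2) on port 25 and check which NAT rule and ACL match.
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.2 25 detailed
```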
