ASA NAT config architecture, syntax...(?)

GOAL: Configure NAT in ASA (OS version 9.x) so that two LAN VPN devices can erect tunnels to one remote www VPN endpoint.

GIVEN: ASA Outside interface= 1.1.1.1 , remote www VPN endpoint= 2.2.2.2

CONFIGURATION:
object network VPN-DEVICES-LOCAL
ip address 172.16.2.2 255.255.255.255
ip address 172.16.9.2 255.255.255.255

nat (Inside,Outside) source static VPN-DEVICES-LOCAL 1.1.1.1 destination static 2.2.2.2 2.2.2.2

QUESTIONS:
1. Is the above configuration correct? If not, could you please show the correct configuration?

2. The outside interface IP address is used as the egress IP for many LAN device translations. Does the ASA actually use a NAT overload technology here? When the LAN tunneling device's communication exits the ASA egress interface, does the ASA map a unique port to this specific traffic, so that the return traffic will route to the specific LAN IP address of the initiating device?

Thank you!

Accepted Solution

@jmaxwellUSAF if 1.1.1.1 is the outside interface IP address and you want that to be the translated address you must use "interface" in the NAT configuration.

nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static 2.2.2.2 2.2.2.2


5 Replies


Thank you Rob.

Could you please answer...

2. The outside interface is used as the egress IP for many LAN device translations. Does the ASA actually use a NAT overload technology here? When the LAN tunneling device's communication exits the ASA egress interface, does the ASA map a unique port to this specific traffic, so that the return traffic will route to the specific LAN IP address of the initiating device?

@jmaxwellUSAF yes, it uses PAT, hiding the real IP address behind the outside IP address of the ASA; return traffic will route to the specific IP address of the initiating device.

Hello Rob.

GIVEN: ASA Outside interface= 1.1.1.1 , remote www VPN endpoint= 2.2.2.2

I just noticed you swapped "static" for "dynamic"...

"nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static 2.2.2.2 2.2.2.2"

For a while I have been confused with ASA logic vs Cisco IOS. I thought the ASA used the word "static" for NAT overload.

QUESTIONS:

In your config, does "interface" tell the ASA to use 1.1.1.1 for the outgoing source address?

Does this config make sense for the intent: 2 local devices erect a permanent VPN to a www remote VPN endpoint?

Thank you.

@jmaxwellUSAF "interface" tells the ASA to use the egress interface IP address.

FYI, NAT logic is as follows:

nat (SRCINT,DSTINT) source dynamic|static REAL-SRC TRANSLATED-SRC destination static REAL-DST TRANSLATED-DST
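For reference, here is a complete form of the accepted rule together with the verification a practitioner would run. This is an added example, not configuration from the thread or from Cisco; the object-group and object names, and the decision to hold the two hosts in an object-group, are assumptions (an ASA network object carries a single host, range or subnet, so two hosts need an object-group, and twice NAT takes object names in the real/mapped positions rather than bare addresses). The addresses are the ones given in the question.

```cisco
! Added example (not from the thread). Assumed names: VPN-DEVICES-LOCAL, VPN-PEER-REMOTE.
! 172.16.2.2 / 172.16.9.2 = the two inside VPN devices, 2.2.2.2 = remote peer,
! 1.1.1.1 = Outside interface address (all from the question).

! A network object holds one host/subnet/range; two hosts go in an object-group.
object-group network VPN-DEVICES-LOCAL
 network-object host 172.16.2.2
 network-object host 172.16.9.2

object network VPN-PEER-REMOTE
 host 2.2.2.2

! Twice (manual) NAT: only these two real hosts, only when talking to 2.2.2.2.
! "source dynamic ... interface" = PAT onto the egress (Outside) interface address.
! "destination static" lists the mapped object first, then the real object; both
! are the same here because the peer address itself is not translated.
nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static VPN-PEER-REMOTE VPN-PEER-REMOTE

! Verification. The rule should show translate_hits climbing once either device
! starts IKE; packet-tracer shows which NAT rule the flow matched in its NAT phase;
! show xlate lists the PAT entries (real IP:port -> 1.1.1.1:port) for each device.
show nat detail
packet-tracer input Inside udp 172.16.2.2 500 2.2.2.2 500
packet-tracer input Inside udp 172.16.9.2 500 2.2.2.2 500
show xlate
```

Two points to check before relying on this. First, the answer to question 2 depends on ports: PAT distinguishes the two inside devices by giving each flow its own source port on 1.1.1.1, which works for IKE (UDP/500, UDP/4500) but not for bare ESP (IP protocol 50), which carries no port field. Both tunnels therefore need NAT-Traversal so that ESP is encapsulated in UDP/4500; if either peer cannot negotiate NAT-T, the ASA's `inspect ipsec-pass-thru` is the mechanism intended to carry the associated ESP through PAT. Second, because this is a section 1 (manual NAT) rule it is evaluated before any object NAT, so confirm with `show nat` that it sits above any broader dynamic PAT rule that would otherwise have matched the same hosts.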
