10-21-2019 02:47 AM
Hi guys,
today I am faced with a NAT issue and want to ask you for your valued advice.
An external host (and only this host) should access the outside interface of the ASA (OS rel. 8.4(7)30) and this should be translated to an internal server for ALL kind of traffic. (I test with HTTP)
This translation should only be able for the external host IP because other hosts connect to the outside interface of the ASA too for AnyConnect etc. and this should not be affected!
I entered an ACL with the real address of the internal server as the destination and I tried different NAT-commands but the access failed every time.
The relevant code:
interface Ethernet0/0
 nameif if0
 security-level 0
 ip address 217.x.y.z 255.255.255.248
interface Ethernet0/1
 nameif if1
 security-level 100
 ip address 10.1.1.1 255.254.0.0
object network BABV
 host 141.a.b.c
object network BABV-Server
 host 10.1.6.121
access-list if0_access_in extended permit ip object BABV object BABV-Server
nat (if1,if0) source static BABV-Server BABV
The NAT-command is most likely wrong, but I tried a lot of other variants and all failed.
Let's assume that no other NAT-command is configured on the ASA.
Can someone tell me the correct NAT-command for this situation or what's to do to get this working?
Thanks a lot for all your hints!!!
Bye
Rico
10-21-2019 09:04 AM
You cannot use the ASA's outside interface for 1-1 NAT if you also want to use AnyConnect on the ASA. My suggestion is to use another IP address in the outside IP space for the NAT. Or you can reserve the ASA IP address for just certain ports instead of all ports.
10-21-2019 11:00 PM
Hi Rahul,
thanks for your hint!
Are you sure that a 1:1 NAT with the outside interface is not possible if the ASA can recognize the source IP address and only NAT if it is a certain one? The host with this source IP does not use AnyConnect. Theoretically this should be possible. Otherwise it is a limitation of the ASA(?)
Thanks!
Bye
Rico
10-21-2019 11:33 PM
Hi,
It seems that @Rahul Govindan is correct, because the ASA will not be able to tell whether a packet is for the ASA itself or needs to be forwarded with 1:1 NAT. In technical words, NAT will apply to the traffic and forward it to the local LAN. It will not work.
If you use some port forwarding then it will work.
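The port-forwarding variant suggested above, written out as an added example in ASA 8.4 object NAT syntax (it is not configuration from the thread). It assumes the same object names and interfaces as Rico's post, redirects only TCP/80 on the interface IP to the internal server, and leaves the ACL to restrict the forwarded port to the single external host; TCP/443 and UDP/443 used by AnyConnect are not touched.

```cisco
! Objects as in the original post (constructed placeholders for the real addresses)
object network BABV
 host 141.a.b.c
object network BABV-Server
 host 10.1.6.121
 ! Object NAT: only TCP/80 arriving on the if0 interface address is
 ! translated to the server. Other ports (e.g. 443 for AnyConnect)
 ! remain owned by the ASA itself.
 nat (if1,if0) static interface service tcp 80 80
!
! On 8.3+ the inbound ACL matches the REAL (untranslated) destination,
! so the server object is used here. Only BABV may reach the forwarded port;
! any other source hitting TCP/80 on the interface IP is dropped by the
! implicit deny at the end of the ACL.
access-list if0_access_in extended permit tcp object BABV object BABV-Server eq 80
access-group if0_access_in in interface if0
```

Each additional protocol the external host needs gets its own `nat ... service` line and ACL entry; a full 1:1 translation of the interface address is what the replies above say the ASA cannot combine with AnyConnect on the same IP.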