Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
359
Views
5
Helpful
1
Replies

ASA NAT questions

nevereturn
Level 1
Level 1

‎04-23-2012 09:36 AM - edited ‎03-11-2019 03:57 PM

Hi All,

I have 2 little questions about NAT on ASA.

1. The postnat address at Static command cannot be the ip address of external interface directly?

For example:

If the Outside’s IP address is 100.1.1.1 and the static NAT entry is:

Static (inside,outside) 100.1.1.1 10.1.1.1

This NAT entry doesn’t work. If I want to use the Outside’s IP address, I must type:

Static (inside,outside) interface 10.1.1.1

Am I correct?

==============================================

2. If I write a port redirection static NAT entry, the translation is unidirectional?

For example:

If the DMZ server’s IP address is 10.2.2.2 and the postnat address is 100.1.1.2:

Static (DMZ,Outside) tcp 100.1.1.2 23 10.2.2.2 23

After that, when the DMZ server telnet Outside hosts, it won’t trigger NAT (10.2.2.2 -->-- 100.1.1.2). However, the outside hosts can telnet the DMZ server via telnet 100.1.1.2.

Have I got this right?

Thanks in Advance

Labels:
0 Helpful
1 Reply 1

varrao
Level 10
Level 10

‎04-23-2012 02:06 PM

Hi,

Question number 1:

You can nat the outside interface to the server real ip but it is not advisable, since if you do it then other services on the outside interface would be blocked like https,ssh or telnet access on outside interface.

The syntax:

Static (inside,outside) interface 10.1.1.1

Question number 2:

You are absolutely correct with this one.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card