ASA sub-interfaces NAT

Tejas Kunte · ‎09-08-2011

i have an ASA 5520 running ver 8.4(1). have attached my interface config below and need to do the following

NAT traffic coming on GigabitEthernet0/2.101 to GigabitEthernet0/1

i.e. packets with destination 10.21.110.25 will be forwarded to 10.11.21.25

will a nat (Production,Advocate_MPLS) static ... statement work ?

------------------------------------------------------------------------

interface GigabitEthernet0/1

description Production

nameif Production

security-level 100

ip address 10.11.21.8 255.255.255.0 standby 10.11.21.9

!

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.5

description DMZ

vlan 5

nameif DMZ

security-level 50

ip address 64.74.106.225 255.255.255.240 standby 64.74.106.226

!

interface GigabitEthernet0/2.101

description Advocate_MPLS

vlan 101

nameif Advocate_MPLS

security-level 50

ip address 10.21.110.253 255.255.255.0 standby 10.21.110.254

-----------------------------------------------------------------------------------------------------

varrao · ‎09-08-2011

Hi Tejas,

I suppose the server is behind the Production interface and the source is coming from the Advocate interface, then you would need the following nat statement.

object network Natted_ip

host 10.21.110.25

object network private_ip

host 10.11.21.25

nat (Production,Advocate_MPLS) source static private_ip natted_ip

or

object network private_ip

host 10.11.21.25

nat (Production,Advocate_MPLS) static 10.21.110.25

or

object network Natted_ip

host 10.21.110.25

object network private_ip

host 10.11.21.25

nat (Advocate_MPLS,Production) source static any any destination static natted_ip private_ip

All the nats are correct and would work, depends on the logic that you are using

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao