06-18-2020 11:19 PM
Hi.
We have an ASA 5585-X appliance, on which we are running OS version 9.9(x).
Topology as per below:
10.1.1.0/24 --- LAN device --- ASA --- WAN device (MPLS) --- learning a non-RFC 1918 prefix, e.g. 100.1.1.0/24
The requirement is to NAT both ends' subnets statically, in such a way that, say, system 10.1.1.10 is NATted to 192.168.1.10 when it goes out the WAN interface,
and 100.1.1.10 from outside is NATted to 172.16.20.10 when it goes to the LAN interface.
--------------------------
Please correct me if I am wrong, given that here twice NAT would not help, as the twice NAT will do the NAT only for the specific IP.
For example, the problem with the static twice NAT below:
nat (inside,outside) source static Original-host mapped-host destination static dest-mapped-host dest-original-host
10.1.1.10 --- NATted to 192.168.1.10
will reach
172.16.20.10 --- un-NATted to 100.1.1.10
and vice versa for the traffic initiated in the reverse direction.
BUT
for 10.1.1.10 to reach the other IP addresses of the destination subnet 100.1.1.0/24 (172.16.20.0/24), it will fail until we add all 254 destination NAT entries for the source IP.
----------------
In the second method below, I believe the 1st rule will always be preferred, causing the traffic initiated from the destination host to remain the same when it tries to reach the NATted source.
nat (inside,outside) source static original-host mapped-original-host
nat (outside,inside) source static dest-original-host mapped-original-host
----------------------------------
Can we have object-based NAT to achieve the requirement,
such as:
hostname(config)# object network src-mapped-obj
hostname(config-network-object)# host 192.168.10.10
hostname(config-network-object)# object network src-host
hostname(config-network-object)# host 10.1.1.10
hostname(config-network-object)# nat (inside,outside) static src-mapped-obj
and the same way for destination-initiated traffic:
hostname(config)# object network dest-mapped-obj
hostname(config-network-object)# host 172.16.20.10
hostname(config-network-object)# object network dest-host
hostname(config-network-object)# host 100.1.1.10
hostname(config-network-object)# nat (outside,inside) static dest-mapped-obj
If we do the same for the remaining 253 IP addresses as object-based NAT for source and destination addresses,
will this achieve the requirement, so that 10.1.1.0/24 addresses --- 192.168.10.0/24 <-- will communicate with --> 172.16.20.0/24 --- 100.1.1.0/24?
06-19-2020 07:25 PM - edited 06-19-2020 07:54 PM
Hi,
Use static NAT if you need bidirectional communication. A single command is enough to achieve your requirement.
nat (outside,inside) source static 100.1.1.0_24 172.16.20.0_24 destination static 192.168.1.0_24 10.1.1.0_24
It will automatically enable bidirectional NAT, allowing connections initiated from inside to outside.
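A small Python model, added here and not part of either post, of how the reply's static twice-NAT rule maps host bits across equal-size networks and why one subnet rule covers all 254 hosts in both directions, while the per-host rule from the question only matches its single destination. The rule class, the two translate functions and the constants are my own constructions that mirror the ASA command syntax; they are not ASA code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network


def map_host(addr: str, from_net: Net, to_net: Net) -> Optional[str]:
    """Static network NAT keeps the host bits: 100.1.1.10 in 100.1.1.0/24
    becomes 172.16.20.10 in 172.16.20.0/24. None if addr is outside from_net.
    Assumes equal-size networks, as ASA static network NAT requires."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in from_net:
        return None
    offset = int(ip) - int(from_net.network_address)
    return str(ipaddress.IPv4Address(int(to_net.network_address) + offset))


@dataclass
class TwiceNatRule:
    """Model of: nat (REAL_IF,MAPPED_IF) source static REAL_SRC MAPPED_SRC
       destination static MAPPED_DST REAL_DST   (hypothetical, not ASA code)"""
    real_src: Net
    mapped_src: Net
    mapped_dst: Net
    real_dst: Net

    def real_to_mapped(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet entering on the real interface: real src -> mapped src,
        mapped dst -> real dst. Both must match or the rule does not apply."""
        new_src = map_host(src, self.real_src, self.mapped_src)
        new_dst = map_host(dst, self.mapped_dst, self.real_dst)
        return (new_src, new_dst) if new_src and new_dst else None

    def mapped_to_real(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Reverse direction (static NAT is bidirectional): packet from the
        mapped interface, real dst host -> mapped dst, mapped src -> real src."""
        new_src = map_host(src, self.real_dst, self.mapped_dst)
        new_dst = map_host(dst, self.mapped_src, self.real_src)
        return (new_src, new_dst) if new_src and new_dst else None


# The reply's single rule: nat (outside,inside) source static 100.1.1.0_24
# 172.16.20.0_24 destination static 192.168.1.0_24 10.1.1.0_24
SUBNET_RULE = TwiceNatRule(Net("100.1.1.0/24"), Net("172.16.20.0/24"),
                           Net("192.168.1.0/24"), Net("10.1.1.0/24"))

# The question's per-host twice NAT: nat (inside,outside) source static
# 10.1.1.10 192.168.1.10 destination static 172.16.20.10 100.1.1.10
HOST_RULE = TwiceNatRule(Net("10.1.1.10/32"), Net("192.168.1.10/32"),
                         Net("172.16.20.10/32"), Net("100.1.1.10/32"))
```

Calling SUBNET_RULE.mapped_to_real("10.1.1.10", "172.16.20.50") yields ("192.168.1.10", "100.1.1.50"), which is exactly the case the question says would need 254 per-host entries.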