Cisco ASA Bidirectional initiated traffic NAT for subnet addresses

anant.gaggar
Level 1

Hi,

We have an ASA 5585-X appliance, on which we are running OS version 9.9(x).

Topology is as below:

10.1.1.0/24 --- LAN device --- ASA --- WAN device (MPLS) --- learning a non-RFC 1918 prefix, say for example 100.1.1.0/24

The requirement is to NAT both end subnets statically, in such a way that, say, system 10.1.1.10 is NATted to 192.168.1.10 when it goes to the WAN interface, and 100.1.1.10 from outside is NATted to 172.16.20.10 when it goes to the LAN interface.

--------------------------

Please correct me if I am wrong: twice NAT would not help here, given that the twice NAT will do the NAT only for the specific IP.

For example, the problem with the static twice NAT below:

nat (inside,outside) source static Original-host mapped-host destination static dest-mapped-host dest-original-host

10.1.1.10 -- NATted to 192.168.1.10

will reach

172.16.20.10 --- un-NATted to 100.1.1.10

and vice versa for the reverse-initiated traffic,

BUT

for 10.1.1.10 to reach any other IP address of the destination subnet 100.1.1.0/24 (172.16.20.0/24), it will fail until we add all 254 destination NAT entries for the source IP.

----------------

In the second method below, I believe the 1st rule will always be preferred, causing the traffic initiated from the destination host to remain the same when it tries to reach the NATted source.

nat (inside,outside) source static original-host mapped-original-host

nat (outside,inside) source static dest-original-host mapped-original-host

----------------------------------

Can we have object-based NAT to achieve the requirement,

such as

hostname(config)# object network src-mapped-obj
hostname(config-network-object)# host 192.168.10.10

hostname(config-network-object)# object network src-host
hostname(config-network-object)# host 10.1.1.10
hostname(config-network-object)# nat (inside,outside) static src-mapped-obj

and the same way for destination-initiated traffic:

hostname(config)# object network dest-mapped-obj
hostname(config-network-object)# host 172.16.20.10

hostname(config-network-object)# object network dest-host
hostname(config-network-object)# host 100.1.1.10
hostname(config-network-object)# nat (outside,inside) static dest-mapped-obj

and the same way, if we do object-based NAT for the remaining 253 IP addresses for the source and destination addresses?

Will this achieve the requirement, so that 10.1.1.0/24 addresses --- 192.168.10.0/24 <-- will communicate with --> 172.16.20.0/24 --- 100.1.1.0/24?

1 Reply

ngkin2010
Level 7

Hi,

Use static NAT if you need bidirectional communication. A single command is enough to achieve your requirement:

nat (outside,inside) source static 100.1.1.0_24 172.16.20.0_24 destination static 192.168.1.0_24 10.1.1.0_24

It will automatically enable bidirectional NAT, allowing connections initiated from inside to outside.
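The single twice NAT rule in the reply only works if the four names it references exist as network objects that cover the whole subnets. The following is an added example of the complete configuration with a verification step; it is not from the original post or from Cisco's documentation. It uses the subnets from the question and the object names from the reply; the interface names `inside` and `outside` are an assumption.

```text
! Added example (not from the thread): network objects for the four real/mapped subnets.
! Object names follow the reply; interface names inside/outside are assumed.
object network 10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network 100.1.1.0_24
 subnet 100.1.1.0 255.255.255.0
object network 172.16.20.0_24
 subnet 172.16.20.0 255.255.255.0
!
! One twice NAT (manual NAT) rule, written from the outside interface's point of view:
!   real 100.1.1.0/24 on outside is seen as 172.16.20.0/24 by inside hosts, and
!   real 10.1.1.0/24 on inside is seen as 192.168.1.0/24 by outside hosts.
! Static subnet-to-subnet NAT maps address for address, so 10.1.1.10 <-> 192.168.1.10
! and 100.1.1.10 <-> 172.16.20.10 without any per-host entries. Because the rule is
! static, it is bidirectional and also matches inside-initiated flows.
nat (outside,inside) source static 100.1.1.0_24 172.16.20.0_24 destination static 192.168.1.0_24 10.1.1.0_24
!
! Verification in both directions. Each trace should show a single NAT phase hitting
! the rule above, followed by ALLOW; a NAT miss or a DROP means the objects or the
! interface names do not match the topology.
! Inside host 10.1.1.10 reaching the mapped address of outside host 100.1.1.10:
packet-tracer input inside tcp 10.1.1.10 40000 172.16.20.10 443
! Outside host 100.1.1.10 reaching the mapped address of inside host 10.1.1.10:
packet-tracer input outside tcp 100.1.1.10 40000 192.168.1.10 443
! Confirm translate_hits and untranslate_hits on the rule increment after the traces:
show nat detail
```

Two points a practitioner will want to check when applying this: manual NAT rules sit in NAT section 1 and are evaluated before object NAT, so the per-host object NAT rules proposed in the question are not needed and, if left in place, are never reached for these subnets; and on ASA 8.3 and later, interface access lists match on real (untranslated) addresses, so any access rule on the outside interface that permits this traffic must reference 10.1.1.0/24 as the destination, not 192.168.1.0/24.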
