Solved: Destination NAT help in cisco asa 8.3

syedaltaf.shah · ‎05-08-2011

Hi guys.

The new nat configuration is quite confusing. Can some body help me out in Destination Nat configuration for asa 8.3 version?

This is what i want to do.

suppose we want to connect from 192.168.10.1 to 10.0.10.1. However, for the sake of argument, we cannot connect directly to 10.100.10.1 because of a company policy saying that we cannot use or see any 10.0.0.0/8 address on the inside network. We can use another address, namely 172.16.10.1. So we want 192.168.10.1 to connect to 172.16.10.1 which is translated on the ASA to the real ip address, 10.100.10.1 in the outside interface.

Thanks in advance ...

Roman Rodichev · ‎05-08-2011

If you don't have a 0.0.0.0 route to the outside in ASA already, then yes, add the 172.16.10.0/24 route to the outside.

View solution in original post

Roman Rodichev · ‎05-08-2011

from inside to outside, it's routing first, nat second

from outside to inside, it's nat first, routing second

View solution in original post

Roman Rodichev · ‎05-08-2011

No different on 5505, unless you are running a DMZ on it, which requires a SEC+ license.

Post your ASA config

View solution in original post

Roman Rodichev · ‎05-08-2011

Try this:

hostname(config)# object network SERVER

hostname(config-network-object)# host 10.100.10.1

hostname(config-network-object)# nat (outside,inside) static 172.16.10.1

Regards,

Roman

syedaltaf.shah · ‎05-08-2011

Thanks Ramon,

But unfortunatly.. that didnt worked...

is there any extra config required? do i have to add the route for this IP ? the one which is not configured on any system or device.. ????

Roman Rodichev · ‎05-08-2011

can you ping 10.100.10.1 from the ASA?

are you routing 172.16.10.1 to the ASA? If ASA is your hosts default gateway, it should be routed already.

syedaltaf.shah · ‎05-08-2011

From Asa yes .. i am able to ping 10.100.

No ASA is not default gateway. its just another Site connected through another link. so for this specific route there is static route in Core-Switch to ASA.

syedaltaf.shah · ‎05-08-2011

So i mean for this subnet 172.16.10.1 , do i have to do routing in ASA? because in Switch we for 172.16.10.1 the route is to ASA inside IP.

Roman Rodichev · ‎05-08-2011

If you don't have a 0.0.0.0 route to the outside in ASA already, then yes, add the 172.16.10.0/24 route to the outside.

syedaltaf.shah · ‎05-08-2011

Correct me if iam wrong.

Packet comming from inside will hit ASA and will loo for the 172.x.x.x network, and if route found it will be nated to Orignal IP (10.100.x.x).

Means ASA will do route lookup first and than do the NATing ?

syedaltaf.shah · ‎05-08-2011

And one other thing...

Doest it makes any difference in Cisco ASA 5505 ? because i am routing between two subnets... and ASA is in between two switches.

its like..... Switch (inside )< ---> ASA< -- > Switch (outside). Both switches have different VLANs, so from inside there are allot more VLANs configured. will the ASA route the packet from different VLANs to outside which have totally different VLANs ???

Roman Rodichev · ‎05-08-2011

No different on 5505, unless you are running a DMZ on it, which requires a SEC+ license.

Post your ASA config

Roman Rodichev · ‎05-08-2011

from inside to outside, it's routing first, nat second

from outside to inside, it's nat first, routing second

syedaltaf.shah · ‎05-08-2011

Okie.

Right now i am out of office... i will paste the config tomorrow. and i will first try to configure the rotue first and check if it works.

Thanks Roman... See you tomorrow.

syedaltaf.shah · ‎05-09-2011

Thanks. Roman Rodichev

Its working now..

I had to do two way Nating.

Its working now.

Thanks allot