03-01-2015 11:59 PM - edited 03-11-2019 10:34 PM
Hi,
I am trying to create a NAT rule that will allow clients on the internet to connect to the ASA's outside interface on port 242, have the packets D-NATed to a server, 172.22.0.65 on port 22, on the inside interface, but when the packet reaches the server the source address of the packet will be the inside interface address of the ASA, 10.5.1.41.
The ASA is running 9.2.1 and is in multiple context mode.
In my GNS3 8.4 ASA this almost works, insofar as it translated to the server with the source address of 4.2.2.1:
object network ssh-172.22.0.23
 host 172.22.0.23
object network wan-4.2.2.1
 host 4.2.2.1
object service SSH
 service tcp destination eq ssh
object service SSH-24242
 service tcp destination eq 24242
nat (outside,inside) source dynamic any wan-4.2.2.1 destination static interface ssh-172.22.0.23 service SSH-24242 SSH
In the production environment I am falling foul of the dynamic NAT and haven't been able to work around that even by using after-auto positioning.
For reference here are the existing NAT statements:
ASA5585-SSP-40/l-asa-02(config)# sho run nat
nat (office,infradmz) source dynamic any interface
nat (wlan-internet,outside) source dynamic any interface
nat (wlan-guest,outside) source dynamic any interface
nat (wlan-internet,infradmz) source dynamic any interface
nat (office,outside) source static L-ASA-02-OUTSIDE L-ASA-02-OUTSIDE destination static Z-VPN-02-OUTSIDE Z-VPN-02-OUTSIDE
nat (office,outside) source static ALL-NETWORKS ALL-NETWORKS destination static office-declisub office-declisub
!
nat (office,outside) after-auto source dynamic any interface
Has anybody got any suggestions please?
TIA, James
03-02-2015 05:39 AM
After a bit more searching I came across the solution here:
https://www.fir3net.com/Firewalls/Cisco/cisco-asa-twice-nat.html
Make sure that proxy arp is enabled, otherwise the IP address doesn't appear in the arp tables of the switches.
nat (outside,office) 1 source dynamic any ins-nat destination static wan-4.2.2.1 ssh-172.22.0.23 service SSH-24242-tcp SSH-tcp
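The following is an added worked example, not configuration from the thread or from the fir3net article: it puts the accepted rule into context with the objects it references, the interface ACL that must permit the real (untranslated) address, and the commands used to verify the result. It assumes the inside interface is named "office" with address 10.5.1.41, that 4.2.2.1 is the public address the ASA answers ARP for on the outside interface, that the commands are entered in the context that owns these interfaces (the production box is multi-context), and that the source object-group SSH-ADMIN-SOURCES and the 203.0.113.0/24 placeholder range are my own additions to restrict who can reach the rule instead of using "any".

```cisco
! Added example (not from the thread). Assumed interface names and
! addresses: outside = 4.2.2.1, office = 10.5.1.41, server = 172.22.0.23.
!
! Real server on the office side
object network ssh-172.22.0.23
 host 172.22.0.23
!
! Public address internet clients connect to
object network wan-4.2.2.1
 host 4.2.2.1
!
! Address the server will see as the client source (the office interface IP)
object network ins-nat
 host 10.5.1.41
!
! Destination ports: 24242 as seen on the outside, 22 on the server
object service SSH-24242-tcp
 service tcp destination eq 24242
object service SSH-tcp
 service tcp destination eq ssh
!
! Assumed hardening, not in the thread: limit the permitted sources.
! 203.0.113.0/24 is a documentation-range placeholder.
object-group network SSH-ADMIN-SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! Twice NAT at position 1 of section 1, so it is evaluated before the
! existing (office,outside) static and dynamic rules. Read from the
! outside host's point of view: a connection to 4.2.2.1:24242 is
! source-PATed to 10.5.1.41 and delivered to 172.22.0.23:22 on office.
! Do not add the no-proxy-arp keyword; the ASA must answer ARP for the
! mapped address or the upstream switch never learns it.
nat (outside,office) 1 source dynamic SSH-ADMIN-SOURCES ins-nat destination static wan-4.2.2.1 ssh-172.22.0.23 service SSH-24242-tcp SSH-tcp
!
! Since ASA 8.3 the interface ACL matches the real destination address and
! real port, so permit 172.22.0.23 port 22, not 4.2.2.1 port 24242.
access-list OUTSIDE-IN extended permit tcp object-group SSH-ADMIN-SOURCES object ssh-172.22.0.23 eq ssh
access-group OUTSIDE-IN in interface outside
!
! Verification
! 1. The new rule should be listed first in section 1, and its
!    untranslate_hits counter should increase with each inbound attempt.
show nat detail
! 2. Walk a simulated inbound SYN through the rule base: the NAT phase
!    should show the destination rewritten to 172.22.0.23/22 and the
!    source to 10.5.1.41, with the ACL phase permitting.
packet-tracer input outside tcp 203.0.113.10 40000 4.2.2.1 24242
! 3. After a real connection, both the destination and the source
!    translation should be visible.
show xlate
! 4. If the switch never learns 4.2.2.1, check that proxy ARP has not
!    been disabled for the outside interface.
show running-config sysopt
```

The rule uses `source dynamic`, so return traffic is only allowed for connections the server has already accepted; the server itself sees every client as 10.5.1.41, which means its own logs and any host-based allow-lists on 172.22.0.23 cannot distinguish clients, so the ACL on the ASA is the place where source restriction has to happen.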