09-30-2008 01:57 PM - edited 03-11-2019 06:51 AM
On an ASA 5520 ver 8.0(4) I have the following NAT scenario:
From my private interface "b2b-bastion" I want the following translation to occur when a packet goes from interface b2b-bastion to the external interface "b2b-dmz" and returns:
b2b-bastion (packet in):
src - 172.24.24.21
dest - 69.129.150.67
b2b-dmz (packet out)
src - 208.83.222.130
dest - 192.168.0.150
Conversely, I want returned traffic from 192.168.0.150 to translate as follows:
b2b-dmz (packet in)
src - 192.168.0.150
dest - 208.83.222.130
b2b-bastion (packet out):
src - 69.129.150.67
dest - 172.24.24.21
Basically, the network on b2b-bastion interface sees 192.168.0.150 as 69.129.150.67. The network on b2b-dmz sees 172.24.24.21 as 208.83.222.130.
Any ideas on how to get this to work? No VPN tunnels involved here.
10-01-2008 05:34 AM
the problem with 69
You have two ways: either change the 69 network IP with an IP in the 208 network,
or try to create the loopback and make the IP as I mentioned, and make a route for that IP pointing to the router interface.
This is what I mean, based on the two NATs on the ASA.
And let me know.
Good luck.
10-01-2008 05:55 AM
I did your first suggestion of doing a NAT on the ASA and a NAT on the router. That worked so I'll go with that.
Many thanks to all the contributors to this issue!
10-01-2008 05:58 AM
You mean you created the loopback and everything as I mentioned?
And congratulations anyway :)
if helpful Rate
10-01-2008 07:03 AM
Thanks for rating.
I just want to make sure the loopback idea worked, because I just thought about it logically.
Thanks.
10-01-2008 12:53 PM
You pointed me in the right direction about separating the NATs on two separate devices; however, the gateway is really another ASA with a VPN tunnel to the 192.168.0.0/24 network (192.168.0.150 host). So I didn't use a loopback address but used the following static NAT statement:
static (external,b2b-dmz) 69.129.150.67 192.168.0.150 netmask 255.255.255.255
Sorry, but I did not want to complicate my scenario with the ASA VPN concentrator, since I was originally trying to double NAT on our ASA firewall that is behind the ASA VPN concentrator, which is the gateway to our firewall for our VPN connections.
Thanks Again!