Solved: Dynamic Interface NAT on Transparent ASA

lcaruso · ‎01-24-2013

Hi,

I need NAT setup as it would be on Routed ASA where addresses arriving on the inside interface are hidden from outside via dynamic interface NAT.

Is that possible in Transparent Mode? This document doesn't discuss Dynamic NAT.

www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1102744

Julio Carvajal · ‎01-24-2013

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/interface_complete_transparent.html

Remember to rate all of the helpful posts..

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎01-25-2013

No,

It means that you cannot use PAT while intenting to use the interface ip address but you could use any other.

Example

static (inside,outside) tcp 2.2.2.2 80 192.168.12.2.2 80

This will work....

Regards,

Only remember that you cannot try to use the keyword interface ( because there is no ip asssigned to any of the interfaces, that is all )

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎01-24-2013

Hello,

Yes, it can be done.

No problem at all.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcaruso · ‎01-24-2013

Thanks.

Is there a more up-to-date reference for 9.x ASAs and Transparent mode?

Julio Carvajal · ‎01-24-2013

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/interface_complete_transparent.html

Remember to rate all of the helpful posts..

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcaruso · ‎01-24-2013

Appreciate the link.

lcaruso · ‎01-25-2013

Can it do PAT?

The links I have read say no.

Julio Carvajal · ‎01-25-2013

Note:

Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall. Refer to

NAT in Transparent Mode

for more information.

You can use PAT but not with the ASA interfaces as there is no IP assigned to it.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcaruso · ‎01-25-2013

It says (bullet point #4)

Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.

So you can use PAT but it's not interface PAT. That means any public servers could not be published on an ASA in Transparent mode, right?

Julio Carvajal · ‎01-25-2013

No,

It means that you cannot use PAT while intenting to use the interface ip address but you could use any other.

Example

static (inside,outside) tcp 2.2.2.2 80 192.168.12.2.2 80

This will work....

Regards,

Only remember that you cannot try to use the keyword interface ( because there is no ip asssigned to any of the interfaces, that is all )

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC