Firewall Destination Nat

cisconell
Level 1

Hi Guys,

I have a scenario, explained below.

I am at site A. From Site A I want to reach 10.10.10.1/24 with the ISP-given NATed IP range 172.16.10.0/24.
How should my NAT statements, access list and routes be in both firewalls?

SITE A
----------

I create an ACL source 192.168.11.0/24 destination 10.10.10.1/24 / 172.16.10.0/24?
route for 10.10.10.1/24 / 172.16.10.0/24
and how should the NAT statement be?

I am also confused about the ASA order of operation.

First it looks for the ACL? source 192.168.11.0/24 destination 10.10.10.1/24
then it looks for NAT, gets NATed to 172.16.10.0/24
then looks for a route to reach 172.16.10.0/24?

Please let me know how to go about with the configuration.

I hope I am doing a destination NAT here, or please suggest how to set up this configuration.

Thanks in advance; diagram attached.

7 Replies

Jennifer Halim
Cisco Employee

What is your ASA version? There is different syntax for version 8.2 and below versus version 8.3 and above.

Thanks Jennifer, the ASA version is 8.2(1) so it's not the latest one.

Here you go:

access-list nat-siteA-siteB permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0

static (inside,outside) 172.16.10.0 access-list nat-siteA-siteB

BTW, what you are trying to achieve is called source NAT (policy source NAT to be exact).

Thanks, I am not sure if I put across the question in the correct way.

The ISP said I will be accessing the 10.10.10.0/24 network from Site A by using the 172 network. (As we have multiple subnets in site B, the ISP allocates each subnet from their end, which is routed in their network.)

The source is getting NATed to another subnet, say 192.168.11.x, which is routed in the ISP.

So from site A:

TRAFFIC FLOW

-------------------------

From Site A, source 192.168.10.x: when going out from site A the source gets NATed to 192.168.11.x.

From Site A the destination is 172.16.x.x.

When the packet reaches the site B firewall, the source is 192.168.11.x and the destination is 172.16.x.x, and the site B firewall NATs 172.16.x.x to 10.10.10.0/24.

So this is my requirement.

Both firewalls have inside and outside interfaces.

Thanks

I have updated my question above

Thanks, that's a lot clearer now

Site A:

access-list nat-siteA permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0

static (inside,outside) 192.168.11.0 access-list nat-siteA

Site B:

access-list nat-siteB permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0

static (inside,outside) 172.16.0.0 access-list nat-siteB

So I assume that the real subnet at site A is 192.168.10.0/24, and the real subnet at site B is 10.10.10.0/24.
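As an added example (not code from this thread or from Cisco), the Python below parses the two ASA 8.2 access-list/static pairs from the accepted answer and traces one packet from a site A inside host to a site B inside host: at site A the policy static NAT matches the ACL (source and destination) and rewrites the source, and at site B the same kind of static rule, being bidirectional, restores the mapped destination to the real host. It assumes net-to-net static NAT keeps the host bits of the address; the sample hosts 192.168.10.5 and 172.16.0.7 are constructed.

```python
import ipaddress, re
# Constructed sample input: the two ASA 8.2 policy static NAT snippets from the thread.
CONFIGS = {
    "siteA": "access-list nat-siteA permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0\n"
             "static (inside,outside) 192.168.11.0 access-list nat-siteA",
    "siteB": "access-list nat-siteB permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0\n"
             "static (inside,outside) 172.16.0.0 access-list nat-siteB",
}
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)")

def parse_policy_static(config):
    """Return (real_net, dest_net, mapped_net) triples for each static + ACL pair."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                          ipaddress.ip_network(f"{dst}/{dmask}")))
    rules = []
    for _real_if, _mapped_if, mapped, acl in STATIC_RE.findall(config):
        for real_net, dest_net in acls.get(acl, []):
            # net-to-net static: the mapped network takes the real network's mask (assumption)
            rules.append((real_net, dest_net,
                          ipaddress.ip_network(f"{mapped}/{real_net.prefixlen}")))
    return rules

def _shift(addr, from_net, to_net):
    """One-to-one translation: swap the network part, keep the host part."""
    return ipaddress.ip_address(int(to_net.network_address) + int(addr) - int(from_net.network_address))

def translate_outbound(rules, src, dst):
    """inside -> outside: a real source matching the ACL (src AND dst) gets the mapped source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_net, dest_net, mapped_net in rules:
        if src in real_net and dst in dest_net:
            return str(_shift(src, real_net, mapped_net)), str(dst)
    return str(src), str(dst)  # no policy match: packet leaves untranslated

def translate_inbound(rules, src, dst):
    """outside -> inside: static is bidirectional; a packet to the mapped net from an ACL-named source gets its real destination back."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_net, dest_net, mapped_net in rules:
        if dst in mapped_net and src in dest_net:
            return str(src), str(_shift(dst, mapped_net, real_net))
    return str(src), str(dst)

def trace_flow(src, dst):
    """Follow one packet from a site A inside host through both ASAs to site B's inside."""
    at_site_a_outside = translate_outbound(parse_policy_static(CONFIGS["siteA"]), src, dst)
    at_site_b_inside = translate_inbound(parse_policy_static(CONFIGS["siteB"]), *at_site_a_outside)
    return {"site_a_outside": at_site_a_outside, "site_b_inside": at_site_b_inside}
```

Calling `trace_flow("192.168.10.5", "172.16.0.7")` shows the packet as 192.168.11.5 -> 172.16.0.7 on site A's outside and 192.168.11.5 -> 10.10.10.7 on site B's inside; a destination outside the ACL leaves site A untranslated, which is the usual sign that the policy ACL is wrong.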

Thanks a lot Jennifer. I will get this configured. Appreciate your help.
