Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
221
Views
0
Helpful
1
Replies

How to configure PAT AND DESTINATION ADDRESS TRANSLATION ON ASA 8.3>

netadmindha
Beginner
Beginner

‎04-07-2014 12:07 PM - edited ‎03-11-2019 09:02 PM

Hey Guys,

Please check my below configuration commands on asa 8.3>

Question 1 : i want to send inside/dmz1/dmz3 internet traffic using firewall interface by PAT , please confirm

if  the following commands are correct?

I. nat (any,outside) source dynamic All_PAT-GROUP interface

object-group network All_PAT-GROUP
 description: INSIDE,DMZ1,DMZ3
 network-object object N-192.168.1.0
 network-object object N-192.168.3.0
 network-object object N-10.0.0.0

 

Question 2:  site 2 LAN pc(10.21.22.x )----core-switch-->FW1 --{out interface->Fw2-....inside interface}---core-switch ------  LAN   - printer   ( 10.1.3.43) site 1

following command is issued on Fw2 &  all the commands are working fine in fw1 .

I want pc 10.21.22.x to talk to 10.1.3.43 on port 9100  , please verify my NAT & ACL statement and give ur feedback? I am trying to configure destination based nat translation here..is this correct


II.nat (outside,inside) source static H-10.249.3.26 H-10.1.3.43 service tcp-9100 tcp-9100 unidirectional description NAT1

access-list out-acl extended permit tcp host 10.21.22.x host10.1.3.43 eq 9100

access-group out-acl in interface outside


HA-Core-Firewall# sh nat de
HA-Core-Firewall# sh nat detail
Manual NAT Policies (Section 1)
1 (any) to (outside) source dynamic All_PAT-GROUP interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.0.0.0/8, 192.168.1.0/24, 192.168.3.0/24, Translated: 213.42.54.230/30
2 (outside) to (inside) source static H-10.249.3.26 H-10.1.3.43   service tcp-9100 tcp-9100 unidirectional description NAT1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.249.3.26/32, Translated: 10.1.3.43/32
    Service - Origin: tcp source gt 0 destination eq 9100 , Translated: tcp source gt 0 destination eq 9100

 

 

Appreciate your quick response.

 

 

Regards,

Akber Mirza.

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
Advisor
Advisor

‎04-07-2014 06:38 PM

Hello Akber,

I. nat (any,outside) source dynamic All_PAT-GROUP interface

object-group network All_PAT-GROUP
 description: INSIDE,DMZ1,DMZ3
 network-object object N-192.168.1.0
 network-object object N-192.168.3.0
 network-object object N-10.0.0.0

 

I would always rather to use specific statements ( so 3 nat rules the first one being nat (inside,outside),  the second one being (dmz,outside) and keep going with but YES your configuration is perfect at this point.

 

Question 2:  site 2 LAN pc(10.21.22.x )----core-switch-->FW1 --{out interface->Fw2-....inside interface}---core-switch ------  LAN   - printer   ( 10.1.3.43) site 1

 

So the service tcp-9100 has the keyword destination right? if that's the case I do not see any issues,

Just in case provide

packet-tracer input outside tcp 10.21.22.x 1025 10.249.3.26 eq 9100

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents