How to configure static NAT on two internal interfaces?

ROBERT T · ‎12-16-2013

Cisco Adaptive Security Appliance Software Version 8.4(2)

I need to NAT an IP from my VPN DMZ (192.168.100.26) to two different internal DMZs, DMZ-1 (10.3.255.15) and DMZ-2 (10.3.255.15). Resources in each of those DMZs need to get to that resource in the VPN DMZ.

- NAT works from VPN-DMZ to DMZ-1

- When I add the NAT config to go from VPN-DMZ to DMZ-2, it deletes the config going to DMZ-1.

object network snat-10.3.255.15

host 192.168.100.26

object network snat-10.3.255.15

nat (VPN,DMZ-1) static 10.3.255.15

If I add the following, it removes it from DMZ-1

object network snat-10.3.255.15

nat (VPN,DMZ-2) static 10.3.255.15

How can I keep the same IPs, but use it on two different internal interfaces on the firewall?

Collin Clark · ‎12-16-2013

I believe you have to create two objects. You can only have a single NAT statement per network object.

object network snat-10.3.255.15-dmz1

host 192.168.100.26

object network snat-10.3.255.15-dmz1

nat (VPN,DMZ-1) static 10.3.255.15

object network snat-10.3.255.15-dmz2

host 192.168.100.26

object network snat-10.3.255.15-dmz2

nat (VPN,DMZ-2) static 10.3.255.15

ROBERT T · ‎12-16-2013

Thanks Collin, I'll try this tomorrow.