09-30-2015 03:13 PM - edited 03-11-2019 11:40 PM
Hi guys, what I am trying to achieve is this (I need to be able to control the destination IP based on the source IP):
ASA 8.2
Source: 7.7.7.7 (host out on the internet - outside interface)
Destination: 1.1.1.1 (fake server Ip address on my firewall)
port: 1234
translate that to:
Source: original
Destination: 192.168.1.1 (real server IP -inside interface)
port: 1234
AND
Source: 9.9.9.9 (host out on the internet - outside interface)
Destination: 1.1.1.1 (same fake destination)
port: 1222
translate that to:
Source: original
Destination: 192.168.1.2 (another real server IP -inside interface)
port: 1222
Anything else coming to 1.1.1.1 should not be natted.
I can achieve that okay, but here is the part I am stuck with: I also need the NAT to work like a static NAT so traffic in the other direction will also work:
Source: 192.168.1.1
Destination: 7.7.7.7
port: 1234
translate that to:
Source: 1.1.1.1
Destination: 7.7.7.7
port: 1234
AND
Source: 192.168.1.2
Destination: 9.9.9.9 (same fake destination)
port: 1222
translate that to:
Source: 1.1.1.1
Destination: 9.9.9.9 (another real server IP -inside interface)
port: 1222
Thanks in advance!
09-30-2015 04:23 PM
Note the NAT precedence below:
To achieve what you have mentioned, in addition to the inbound policy NAT,
a simple dynamic NAT to the 1.1.1.1 public IP (private range 192.168.1.1 and .2) would give you the required result.
As per the Cisco ASA 8.2 commands below (x is the NAT ID):
nat (inside) x 192.168.1.0 255.255.255.252
global (outside) x 1.1.1.1
Please mark answer as correct if it works for you.
If that doesn't work, then let me know I have another workaround that you may want to try.
09-30-2015 07:25 PM
Excellent thank you that seems like a simple answer!
Okay, unfortunately though I was wrong about the incoming working. I just used packet tracer and I am getting a "no matching global" error for this:
access-list DESTINATION-PAT extended permit tcp host 7.7.7.7 host 1.1.1.1 eq 23
nat (outside) 7 access-list DESTINATION-PAT outside
global (prod) 7 192.168.1.1
Just to be clear about what I am trying to achieve: I just want incoming traffic that matches this ACL to be destination NATted to the real address (no source NATting required).
Why am I getting a "no matching global pool" in packet tracer? And the reason I can't do a simple static is because I will also extend this to, say, from 8.8.8.8 to 1.1.1.1 DNAT to 192.168.1.2, etc.
10-01-2015 05:52 PM
Anyone have any ideas?
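For the bidirectional, source-dependent translation described in the opening post, the pre-8.3 construct that behaves like a static is policy static NAT (a static command keyed on an access-list). The configuration below is an added illustration, not posted by anyone in this thread; the interface names inside/outside and the ACL names are assumed, and the addresses are the ones from the thread.

```cisco
! Added illustration (not from the thread); interface and ACL names are assumed.
! Policy static NAT: the ACL is written from the real (inside) side,
! source = real server, destination = the specific internet host.
access-list NAT-SRV1 extended permit ip host 192.168.1.1 host 7.7.7.7
access-list NAT-SRV2 extended permit ip host 192.168.1.2 host 9.9.9.9
!
! Both statics share the mapped address 1.1.1.1; the ACL selects the real host.
! Because the entries are static, each translates in both directions:
!   inbound  7.7.7.7 -> 1.1.1.1  becomes  7.7.7.7 -> 192.168.1.1
!   outbound 192.168.1.1 -> 7.7.7.7  becomes  1.1.1.1 -> 7.7.7.7
static (inside,outside) 1.1.1.1 access-list NAT-SRV1
static (inside,outside) 1.1.1.1 access-list NAT-SRV2
!
! Traffic to 1.1.1.1 from any other source matches neither ACL and is not translated.
!
! Limit the allowed ports on the outside interface ACL. On 8.2 (pre-8.3) an
! interface ACL matches the mapped address, so permit 1.1.1.1, not the real IPs.
access-list OUTSIDE-IN extended permit tcp host 7.7.7.7 host 1.1.1.1 eq 1234
access-list OUTSIDE-IN extended permit tcp host 9.9.9.9 host 1.1.1.1 eq 1222
access-group OUTSIDE-IN in interface outside
!
! Check both directions with packet-tracer (source ports are example values):
! packet-tracer input outside tcp 7.7.7.7 40000 1.1.1.1 1234
! packet-tracer input inside tcp 192.168.1.1 1234 7.7.7.7 40000
```

The dynamic `nat (outside) ... outside` / `global` pair quoted in the follow-up post translates the source of the inbound flow, which is why packet tracer looks for a global pool rather than rewriting the destination; a policy static avoids that and also covers the inside-to-outside case.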