Multiple NAT For One IP address on ASA

parvezahmad90
Level 1

Hello,

On a Cisco ASA firewall we have four interfaces. The details are given below.

gig0/0 ---- inside

gig0/1 --- outside

gig0/2 --- DMZ

I have one IP address/host (10.1.1.1/32) on the inside.

Below are the requirements.

1. When this host (10.1.1.1/32) goes to the outside it should be translated to 220.123.21.1/32.

2. When this host (10.1.1.1/32) goes to the DMZ it should be translated to 10.1.1.1/32.

I am running ASA version 9.1.

Please advise: do we need to create two NAT objects, or is there any other way?

Regards,


3 Replies

Jouni Forss
VIP Alumni

Hi,

You list three interfaces even though you mention there are four. Then again, I guess that doesn't matter much in this case.

If we presume that you have close to the default configuration on the ASA, then achieving what you are asking for simply requires you to configure Static NAT for the "inside" to "outside" traffic of the server:

object network SERVER
 host 10.1.1.1
 nat (inside,outside) static 220.123.21.1

You don't have to configure any NAT for "inside" to "DMZ", as you seem to want the "inside" host to be visible with its original IP address rather than NAT it.

On the new software levels of 8.3+ you don't need to perform NAT between your local interfaces if you don't want to specifically NAT those addresses between the interfaces.

I would have to see the current configuration to say for sure.

- Jouni

Hi,

By the way, the fourth interface is used for failover.

Unfortunately, some users are in the DMZ, and the DMZ has security level 50.

These DMZ users want to access IP address 10.1.1.1.

The traffic is coming from a lower security level to a higher security level.

Regards,

Hi,

If you don't have any ACL configured on the DMZ interface, then you naturally have to add an ACL on the interface and allow and block the traffic you need. Without the ACL the traffic will keep getting blocked.

NAT alone would not accomplish anything, and as I said it's not needed.

- Jouni
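Putting Jouni's two replies together, the configuration below is an added example (not posted in this thread and not Cisco's own) of the static NAT object for the inside host plus the DMZ interface ACL that the lower-to-higher security-level traffic needs. The interface names, the DMZ user subnet (192.168.50.0/24), the inside subnet (10.1.1.0/24) and the permitted service (tcp/443) are assumptions chosen for illustration; only SERVER, 10.1.1.1 and 220.123.21.1 come from the thread.

```cisco
! Added example, not from the thread. Subnets, ACL name and port are assumed.
!
! --- 1. Inside host appears as 220.123.21.1 on the outside only ------------
object network SERVER
 host 10.1.1.1
 nat (inside,outside) static 220.123.21.1
! No nat (inside,DMZ) statement: on ASA 8.3+ traffic that matches no NAT rule
! is forwarded untranslated, so DMZ hosts see the real address 10.1.1.1.

! --- 2. DMZ (level 50) -> inside (level 100) needs an explicit permit --------
object network DMZ_USERS
 subnet 192.168.50.0 255.255.255.0
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
!
! Least privilege: only the one service on the one host, nothing else inside.
access-list DMZ_IN extended permit tcp object DMZ_USERS object SERVER eq 443
access-list DMZ_IN extended deny ip any object INSIDE_NET log
! Once an inbound ACL is applied, the implicit security-level permit is gone,
! so DMZ-to-outside traffic must be permitted explicitly here as well.
access-list DMZ_IN extended permit ip object DMZ_USERS any
access-list DMZ_IN extended deny ip any any log
!
access-group DMZ_IN in interface DMZ

! --- 3. Verification from the CLI (show/exec commands, not configuration) ---
! show nat detail
! show access-list DMZ_IN
! packet-tracer input DMZ tcp 192.168.50.10 40000 10.1.1.1 443
```

The `deny ... log` entries make rejected DMZ-to-inside attempts visible in the ASA syslog, which is the detection side of this change. One caveat: a static object NAT is bidirectional, so 220.123.21.1 also becomes reachable from the outside; whatever ACL is applied to the outside interface should likewise permit only the services that host is meant to expose.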
