06-29-2013 11:38 AM - edited 03-11-2019 07:05 PM
Hello,
On a Cisco ASA firewall we have four interfaces. The details are given below.
gig0/0 ---- inside
gig0/1 --- outside
gig0/2 --- DMZ
I have one IP address/host (10.1.1.1/32) on the inside.
Below are the requirements.
1. When this host (10.1.1.1/32) goes to outside, it should translate to 220.123.21.1/32.
2. When this host (10.1.1.1/32) goes to DMZ, it should translate to 10.1.1.1/32.
I am running ASA version 9.1.
Please advise: do we need to create two NAT objects, or is there any other way?
Regards,
06-29-2013 12:30 PM
Hi,
If you don't have any ACL configured on the DMZ interface, then you naturally have to add an ACL on the interface and allow and block the traffic you need. Without the ACL the traffic will keep getting blocked.
NAT alone would not accomplish anything and, as I said, it's not needed.
- Jouni
06-29-2013 11:44 AM
Hi,
You list three interfaces even though you mention there are four. Then again, I guess that doesn't matter much in this case.
If we presume that you have a close-to-default configuration on the ASA, then achieving what you are asking for simply requires you to configure static NAT for the "inside" to "outside" traffic of the server:
object network SERVER
host 10.1.1.1
nat (inside,outside) static 220.123.21.1
You don't have to configure any NAT for "inside" to "DMZ", as you seem to want the "inside" host to be visible with its original IP address rather than NAT it.
On the newer software levels of 8.3+ you don't need to perform NAT between your local interfaces if you don't specifically want to NAT those addresses between the interfaces.
I would have to see the current configuration to say for sure.
- Jouni
06-29-2013 12:03 PM
Hi,
By the way, the fourth interface is used for failover.
Unfortunately, some users are in the DMZ, and the DMZ has security level 50.
These DMZ users want to access IP address 10.1.1.1.
The traffic is coming from a lower security level to a higher security level.
Regards,
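Putting Jouni's two points together (static NAT only on the inside/outside pair, plus an ACL on the DMZ interface) as an added example that is not part of the original thread. It assumes ASA 9.1 with the interface names inside, outside and DMZ from the question, a hypothetical DMZ user subnet 172.16.1.0/24, an assumed inside subnet 10.1.1.0/24, and HTTPS as the service the DMZ users need to reach on 10.1.1.1; adjust those to the real configuration.

```cisco
! Added example, not from the original posts. The DMZ user subnet
! 172.16.1.0/24, the inside subnet 10.1.1.0/24 and TCP/443 are assumptions.

! Requirement 1: 10.1.1.1 becomes 220.123.21.1 only when it leaves via
! "outside". Naming the exact interface pair keeps the rule off the DMZ
! path; "nat (inside,any) static ..." would translate the server toward
! the DMZ as well and break requirement 2.
object network SERVER
 host 10.1.1.1
 nat (inside,outside) static 220.123.21.1

! Requirement 2 needs no NAT rule at all on 8.3+ code: with nothing
! configured for the (inside,DMZ) pair the packet keeps the real address.

! What actually blocks the DMZ users is the security level (50 -> 100).
! An inbound ACL on DMZ overrides that default for the whole interface,
! so its implicit "deny any" also covers DMZ -> outside; anything the DMZ
! hosts still need (e.g. internet) must be permitted explicitly.
object network DMZ_USERS
 subnet 172.16.1.0 255.255.255.0
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0

access-list DMZ_IN extended permit tcp object DMZ_USERS host 10.1.1.1 eq 443
access-list DMZ_IN extended deny ip any object INSIDE_NET
access-list DMZ_IN extended permit ip object DMZ_USERS any
access-group DMZ_IN in interface DMZ

! Verification from enable mode (simulated packets, nothing is sent):
! packet-tracer input DMZ tcp 172.16.1.10 40000 10.1.1.1 443 detailed
! packet-tracer input inside tcp 10.1.1.1 40000 203.0.113.10 443 detailed
! show nat detail
! show xlate
```

The first packet-tracer should end in an allow with the ACCESS-LIST phase matching DMZ_IN and no NAT phase rewriting 10.1.1.1; the second should show the static translation to 220.123.21.1. If the DMZ trace still ends in a drop, check the interface name in the access-group line (nameif values are case-sensitive) and whether an older, broader NAT rule for the server exists in `show nat`.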