03-29-2012 03:40 PM - edited 03-11-2019 03:48 PM
Friends,
I have a strange question here, please bear with me if it is funny, but it is working live with a third-party firewall which is going to be replaced by the ASA.
The third-party firewall is working with the policy below and I want to do it in ASA 8.0:
I have a server in my internal network, 192.168.1.1, which accepts only specific IPs as source addresses (192.168.10.1 to 192.168.10.100) on port 2445. The connection is initiated from the extranet with source IP address 172.16.10.0/24 to the destination virtual IP 192.168.100.1 on port 2445, which then directs traffic to the inside server 192.168.1.1 with a source IP address from the pool mentioned above.
This means the third-party firewall is doing the destination NAT and the source NAT, which are both merged together into one flow to achieve the customer requirement.
Can anybody write the configs for me please? I hope it is a concept of twice NAT, but how to achieve this in 8.0?
03-29-2012 10:33 PM
Hi,
It seems to me that you would need 8.3 software at minimum to achieve that with a single NAT configuration.
I mean when the ASA software went from 8.2 -> 8.3 you were then able to NAT both the source and destination IP/network.
Here's an example configuration:
object network REAL-SOURCE
subnet 172.16.10.0 255.255.255.0
object network MAPPED-SOURCE
subnet 192.168.10.0 255.255.255.0
object network REAL-DESTINATION
host 192.168.1.1
object network MAPPED-DESTINATION
host 192.168.100.1
nat (USERS,SERVER) source static REAL-SOURCE MAPPED-SOURCE destination static MAPPED-DESTINATION REAL-DESTINATION
To my understanding that would mean that while connecting from interface USERS (172.16.10.0/24) to the MAPPED-DESTINATION host on interface SERVER (192.168.100.1), the ASA firewall would NAT your traffic from network 172.16.10.0/24 to network 192.168.10.0/24 while connecting to the actual REAL-DESTINATION address (192.168.1.1).
I'm not sure if there's any way to do it in older software.
Gotta get my morning coffee and think about it after that. My head doesn't always work in the morning.
Hope this helps
- Jouni
03-30-2012 03:15 AM
Well, you can do this in 8.0, give this a try.
These access lists define what to NAT:
access-list outnat extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0
access-list innat extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.1 eq 2445
Here is your pool of addresses and the NAT statement for it:
global (inside) 1 192.168.10.1-192.168.10.100
nat (extranet) 1 access-list innat outside
Here is the static NAT statement to map 192.168.1.1 to 192.168.100.1:
static (inside,extranet) 192.168.100.1 access-list outnat
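As an added example that is not taken from either reply: a small Python model of what the 8.0 configuration (and equally the 8.3 twice NAT rule above) does to one extranet flow, using the thread's addresses with constructed test flows, so you can see what the inside server actually receives. It also surfaces a caveat the thread leaves out: a global range is dynamic NAT, one pool address per real host, so once the 100 addresses are consumed further extranet hosts get no translation unless a PAT global with the same NAT id is added as a fallback.

```python
import ipaddress

# Addresses are those from the thread; the flows exercised below are constructed.
REAL_SOURCE = ipaddress.ip_network("172.16.10.0/24")   # extranet clients (innat ACL source)
POOL_FIRST = ipaddress.ip_address("192.168.10.1")      # global (inside) 1 192.168.10.1-192.168.10.100
POOL_SIZE = 100
MAPPED_DEST = ipaddress.ip_address("192.168.100.1")    # virtual IP the clients connect to
REAL_DEST = ipaddress.ip_address("192.168.1.1")        # server behind the static
SERVICE_PORT = 2445                                    # port from the original question


class TwiceNat:
    """Applies the dynamic source NAT from the pool and the static destination NAT
    together, the way the ASA evaluates one extranet -> inside flow."""

    def __init__(self):
        self.xlate = {}                                   # real source IP -> pool address
        self.free = [POOL_FIRST + i for i in range(POOL_SIZE)]

    def translate(self, src_ip, dst_ip, dst_port):
        """Return (mapped_src, real_dst, port) as the server sees it, or None if dropped."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # innat ACL: only 172.16.10.0/24 -> 192.168.100.1 tcp/2445 is translated
        if src not in REAL_SOURCE or dst != MAPPED_DEST or dst_port != SERVICE_PORT:
            return None
        if src not in self.xlate:
            if not self.free:
                return None                               # pool exhausted: dynamic NAT without a PAT fallback
            self.xlate[src] = self.free.pop(0)            # one pool address per real host, reused by later flows
        return str(self.xlate[src]), str(REAL_DEST), dst_port


def hosts_served(nat, count):
    """Open one flow from each of `count` distinct extranet hosts; return how many got a translation."""
    served = 0
    for i in range(1, count + 1):
        if nat.translate(f"172.16.10.{i}", "192.168.100.1", SERVICE_PORT) is not None:
            served += 1
    return served


if __name__ == "__main__":
    nat = TwiceNat()
    print(nat.translate("172.16.10.5", "192.168.100.1", 2445))   # ('192.168.10.1', '192.168.1.1', 2445)
    print(nat.translate("172.16.10.5", "192.168.100.1", 23))     # None: port not in the innat ACL
    print(hosts_served(TwiceNat(), 120))                          # 100: the pool has only 100 addresses
```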