NAT 8.0

jack samuel
Level 1

Friends,

I have a strange question here, please bear with me if it is funny, but it is working live with a third-party firewall which is going to be replaced by the ASA.

The third-party firewall is working with the policy below and I want to do it in ASA 8.0:

I have a server in my internal network, 192.168.1.1, which accepts only specific IPs as source addresses (192.168.10.1 to 192.168.10.100) on port 2445. The connection is initiated from the extranet with source IP address 172.16.10.0/24 to the destination virtual IP 192.168.100.1 on port 2445, which is then directing traffic to the inside server 192.168.1.1 with a source IP address from the pool mentioned above.

This means the third-party firewall is doing the destination NAT and the source NAT, which are both merged together into one flow to achieve the customer requirement.

Can anybody write the configs for me please? I hope it is a concept of twice NAT, but how to achieve this in 8.0?

2 Replies

Jouni Forss
VIP Alumni

Hi,

It seems to me that you would need 8.3 software at minimum to achieve that with a single NAT configuration.

I mean, when the ASA software changed from 8.2 -> 8.3 you became able to NAT both the source and destination IP/network.

Here's an example configuration:

object network REAL-SOURCE
 subnet 172.16.10.0 255.255.255.0
object network MAPPED-SOURCE
 subnet 192.168.10.0 255.255.255.0
object network REAL-DESTINATION
 host 192.168.1.1
object network MAPPED-DESTINATION
 host 192.168.100.1

nat (USERS,SERVER) source static REAL-SOURCE MAPPED-SOURCE destination static MAPPED-DESTINATION REAL-DESTINATION

To my understanding that would mean that while connecting from interface USERS (172.16.10.0/24) to the MAPPED-DESTINATION host on interface SERVER (192.168.100.1), the ASA firewall would NAT your traffic from network 172.16.10.0/24 to network 192.168.10.0/24 while connecting to the actual REAL-DESTINATION address (192.168.1.1).

I'm not sure if there's any way to do it in older software.

Gotta get my morning coffee and think about it after that. My head doesn't always work in the morning.

Hope this helps.

- Jouni

malikyounas
Level 1

Well, you can do this in 8.0; give this a try.

These access lists define what to NAT:

access-list outnat extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0
access-list innat extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.1 eq 2445

Here is your pool of addresses and the NAT statement for it:

global (inside) 1 192.168.10.1-192.168.10.100
nat (extranet) 1 access-list innat outside

Here is the static NAT statement to map 192.168.1.1 to 192.168.100.1:

static (inside,extranet) 192.168.100.1 access-list outnat
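Both replies above configure the same packet flow: the extranet client hits the virtual IP 192.168.100.1 on port 2445, the destination is rewritten to the real server 192.168.1.1, and the source is rewritten to an address from the 192.168.10.1-192.168.10.100 pool so the server's own source restriction is satisfied. The following is a constructed Python model of that flow, added here as an illustration; it is not ASA code and not from either poster. It assumes plain dynamic NAT without PAT (each extranet host is bound to one pool address and ports are unchanged), that a packet with no free pool address is dropped, and it makes the translation table (the ASA's xlate table) and the return path visible so the interaction between the two NATs can be checked.

```python
"""Constructed model of destination static NAT + dynamic source NAT in one
flow (the 'twice NAT' the thread asks about). Illustration only, not ASA code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNat:
    """One rule that rewrites the source (dynamically, from a pool) and the
    destination (statically) for traffic matching real source network,
    mapped destination and port. Modelled as dynamic NAT without PAT: a real
    host keeps one pool address for all its connections; ports are untouched."""

    def __init__(self, real_src_net: str, pool_first: str, pool_size: int,
                 mapped_dst: str, real_dst: str, port: int) -> None:
        self.real_src_net = ip_network(real_src_net)
        first = ip_address(pool_first)
        self.pool = [str(first + i) for i in range(pool_size)]
        self.mapped_dst = mapped_dst
        self.real_dst = real_dst
        self.port = port
        self.xlate: Dict[str, str] = {}  # real source host -> pool address

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.real_src_net
                and pkt.dst == self.mapped_dst and pkt.dport == self.port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Extranet -> server direction. Returns the rewritten packet, or None
        when the rule does not apply or the pool is exhausted (assumed drop)."""
        if not self.matches(pkt):
            return None
        if pkt.src not in self.xlate:
            in_use = set(self.xlate.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None  # no pool address left: translation fails
            self.xlate[pkt.src] = free[0]
        return replace(pkt, src=self.xlate[pkt.src], dst=self.real_dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Server -> extranet direction: undo both rewrites via the xlate
        table, so the reply reaches the real client with the VIP as source."""
        if pkt.src != self.real_dst or pkt.sport != self.port:
            return None
        for real_src, mapped in self.xlate.items():
            if pkt.dst == mapped:
                return replace(pkt, src=self.mapped_dst, dst=real_src)
        return None


# The inside server's own restriction from the question: pool sources only.
SERVER_ALLOWED_FIRST = ip_address("192.168.10.1")
SERVER_ALLOWED_LAST = ip_address("192.168.10.100")


def server_accepts(pkt: Packet) -> bool:
    """What 192.168.1.1 sees: accept only 192.168.10.1-100 on port 2445."""
    src = ip_address(pkt.src)
    return (pkt.dst == "192.168.1.1" and pkt.dport == 2445
            and SERVER_ALLOWED_FIRST <= src <= SERVER_ALLOWED_LAST)


def build_example(pool_size: int = 100) -> TwiceNat:
    """Rule built from the addresses given in the thread."""
    return TwiceNat("172.16.10.0/24", "192.168.10.1", pool_size,
                    mapped_dst="192.168.100.1", real_dst="192.168.1.1",
                    port=2445)


if __name__ == "__main__":
    nat = build_example()
    client = Packet("172.16.10.25", 40000, "192.168.100.1", 2445)  # constructed
    inside = nat.outbound(client)
    print("as the server sees it:", inside, "accepted:", server_accepts(inside))
    reply = nat.inbound(Packet("192.168.1.1", 2445, inside.src, inside.sport))
    print("reply as the client sees it:", reply)
```

Running it shows the connection arriving at the server as 192.168.10.1:40000 -> 192.168.1.1:2445 and the reply leaving the firewall as 192.168.100.1:2445 -> 172.16.10.25:40000, which is exactly what the server's whitelist and the client's view of the VIP require. The pool-exhaustion branch is the operational caveat worth remembering with a 100-address pool and a /24 of clients: the 101st distinct extranet host gets no translation.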
