NAT destination on an interface of a CISCO ASA 8.3

khayhuynh
Level 1

Hi all,

I have an ASA firewall, version 8.3.

This firewall is connected with 2 interfaces, one for the LAN (let's say that the IP address is 192.168.10.254), and one for the WAN (let's say 10.10.10.254).

Is it possible to configure that kind of NAT:

IP Source                                IP destination                              Port
192.168.10.0/24 (a host on the LAN)  --> 192.168.10.254 (LAN interface of the FW)    X

becomes:

IP Source                                IP destination                              Port
10.10.10.254 (WAN interface of the FW) --> 15.10.10.254                              Y

(and the IP address 15.10.10.254 will be routed with a static route on the FW)

I wonder if this kind of NAT is supported on the CISCO ASA FW. I know that it's possible on Juniper FW but not the ASA ones...


Many thanks for your help,

Regards


6 Replies

Jennifer Halim
Cisco Employee

Sorry, I am a bit confused with the IP Source and IP Destination that you posted:

IP Source                                IP destination                              Port
192.168.10.0/24 (a host on the LAN)  --> 192.168.10.254 (LAN interface of the FW)    X

Do you mean to say the following:

IP Source                                IP destination     Port
192.168.10.0/24 (a host on the LAN)  --> 15.10.10.254       X

becomes:

IP Source                                IP destination     Port
10.10.10.254 (WAN interface of the FW) --> 15.10.10.254     Y

If the above is correct, then do you mean to try:

- to NAT all IP address from 192.168.10.0/24 destined to 15.10.10.254 to 10.10.10.254?

OR

You actually want to NAT both source and destination as follows:

NAT: 192.168.10.0/24 destined to 15.10.10.254 to 10.10.10.254

and also,

NAT: 15.10.10.254 to 192.168.10.254?

Hello Jennifer,

It's actually the second case: I want to NAT both:

the destination address (before NAT, it's the IP address of the LAN interface of the FW - 192.168.10.254 / after NAT, it's the address 15.10.10.254)

the source address (before NAT, it's an IP on the LAN range / after NAT, it's the address of the WAN interface of the FW).

For the NAT of the source (the second one), I think it's possible, it's just a PAT.

But I'm not sure with the other one...

Regards,

OK, you can possibly configure the following:

object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-15.10.10.254
 host 15.10.10.254
object network obj-192.168.10.1
 host 192.168.10.1
nat (inside,outside) source dynamic obj-192.168.10.0 interface destination static obj-15.10.10.254 obj-192.168.10.1

For the destination address of 15.10.10.254, you can't NAT it to the inside interface IP address, however, you can NAT it to a unique IP address within the 192.168.10.0/24 subnet.

Hope that makes sense.

It does make sense.

If I can't choose the interface as the NAT address, and I have to choose another one in the LAN range (in your example, 192.168.10.1), how are the flows being routed to the Firewall? With the Proxy-ARP activated on the LAN interface, am I right?

Absolutely correct, proxy ARP needs to be enabled on the LAN interface:

no sysopt noproxyarp inside
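To see what the two translations discussed in this thread (source PAT to the WAN interface plus a static destination translation) do to a packet and its reply, and why the ASA has to answer ARP for 192.168.10.1 on the LAN, here is an added Python model; it is not ASA code and not from the thread. It assumes /24 masks on both interfaces, that LAN hosts address 192.168.10.1 (as the last two posts discuss), and that the destination port is carried through unchanged.

```python
import ipaddress
from itertools import count

# Addresses from the thread; the /24 masks are an assumption.
INSIDE = ipaddress.ip_interface("192.168.10.254/24")   # LAN interface of the ASA
OUTSIDE = ipaddress.ip_interface("10.10.10.254/24")    # WAN interface of the ASA
DST_MAPPED = ipaddress.ip_address("192.168.10.1")      # address LAN hosts send to
DST_REAL = ipaddress.ip_address("15.10.10.254")        # address the flow really goes to


class TwiceNat:
    """Source PAT to the outside interface + static destination translation."""

    def __init__(self):
        self._ports = count(1024)   # PAT port allocator (constructed, not ASA behaviour)
        self.xlate = {}             # mapped source port -> (real source ip, real source port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a LAN -> 192.168.10.1 packet; None if the rule does not match."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src_ip not in INSIDE.network or dst_ip != DST_MAPPED:
            return None
        mapped_port = next(self._ports)
        self.xlate[mapped_port] = (src_ip, src_port)
        return (str(OUTSIDE.ip), mapped_port, str(DST_REAL), dst_port)

    def inbound_reply(self, src_ip, src_port, dst_ip, dst_port):
        """Undo both translations for the reply coming back from 15.10.10.254."""
        if ipaddress.ip_address(src_ip) != DST_REAL or dst_port not in self.xlate:
            return None
        real_ip, real_port = self.xlate[dst_port]
        return (str(DST_MAPPED), src_port, str(real_ip), real_port)


def proxy_arp_needed():
    """Interfaces whose connected subnet contains the mapped destination address.

    The ASA must answer ARP for that address there, which is why the thread
    ends with 'no sysopt noproxyarp inside'.  The interface's own address is
    excluded, matching the answer that the inside interface IP cannot be used.
    """
    return [name for name, ifc in (("inside", INSIDE), ("outside", OUTSIDE))
            if DST_MAPPED in ifc.network and DST_MAPPED != ifc.ip]
```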

Ok, many thanks for your help and quick answers!

Regards,
