
NAT Interface Outside in Cisco ASA 8.3 above

fara.rhea
Level 1

Guys,

Do you have any experience with "NAT outside interface" in Cisco ASA 8.3 and above?

I have a problem.

I want to do NAT-ing like this:

Inside    Y.Y.2.14    X.X.2.66
DMZ-10    X.X.2.11    X.X.2.66

I have the outside interface with IP address X.X.2.66. I want to NAT traffic from zone inside with IP address Y.Y.2.14 to ANY, changing that traffic to X.X.2.66, and I want to NAT traffic from zone DMZ-10 with IP address X.X.2.11 to ANY, changing that traffic to X.X.2.66.

I did this configuration:

nat (DMZ-10,outside) source static X.X.2.11 interface

&

nat (inside,outside) source static X.X.2.11 interface

This configuration works; the traffic from zone inside (X.X.2.11) and zone DMZ-10 (X.X.2.14) will be NATed to X.X.2.66, with warning messages like this:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users may not be able to access any service enabled on the outside interface.

But now I can't access IP X.X.2.66 from outside.

Is there a correct configuration to do NAT to the interface? I want to access the outside interface from the outside network.

BR

Fara

1 Reply

Jouni Forss
VIP Alumni

Hi,

If you want to PAT the traffic from the 2 source hosts behind 2 different interfaces to the "outside" interface IP address, then you can use the following configuration:

object-group network PAT-SOURCE-ADDRESS
 network-object host y.y.2.14
 network-object host x.x.2.11

nat (any,outside) after-auto source dynamic PAT-SOURCE-ADDRESS interface

The above configuration is meant to:

  • Allow the 2 source hosts to access Internet using the public IP address of the "outside" interface of the ASA
  • If you want to add a whole network or more hosts to be NATed to the same public IP address you can simply add those under the "object-group" we created.

The reason why you have problems with access to the ASA is that you statically bind the whole public IP address to be used by a single LAN host.

EDIT: Notice that you have to remove the NAT configuration you made and mentioned in your original post.

- Jouni
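
As an added illustration, not part of the original thread: a small Python check that scans ASA 8.3+ configuration text for the pattern the reply describes, a twice-NAT `source static ... interface` rule with no `service` clause, which binds the whole interface address to one host. The sample config is constructed from the lines quoted in the thread; the `WEB-SRV`, `TCP-8080` and `TCP-80` object names are hypothetical.

```python
import re

# ASA 8.3+ twice-NAT rule:
#   nat (real_if,mapped_if) [after-auto] [line] source {static|dynamic} REAL MAPPED [...]
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?:after-auto\s+)?(?:\d+\s+)?"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample: the two static rules from the question, the dynamic PAT
# rule from the reply, and one hypothetical port-scoped static rule.
SAMPLE_CONFIG = """\
nat (DMZ-10,outside) source static X.X.2.11 interface
nat (inside,outside) source static X.X.2.11 interface
object-group network PAT-SOURCE-ADDRESS
 network-object host y.y.2.14
 network-object host x.x.2.11
nat (any,outside) after-auto source dynamic PAT-SOURCE-ADDRESS interface
nat (inside,outside) source static WEB-SRV interface service TCP-8080 TCP-80
"""


def audit_nat(config_text):
    """Return (line_no, real_if, mapped_if, real) for each static rule that
    maps a host to the interface address without a service (port) clause."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = NAT_RE.match(line)
        if m is None:
            continue  # not a twice-NAT rule (object-group lines, etc.)
        is_static = m["kind"].lower() == "static"
        to_interface = m["mapped"].lower() == "interface"
        # A "service" clause limits the translation to specific ports.
        port_scoped = re.search(r"\bservice\b", m["rest"], re.IGNORECASE)
        if is_static and to_interface and not port_scoped:
            findings.append((line_no, m["real_if"], m["mapped_if"], m["real"]))
    return findings


if __name__ == "__main__":
    for line_no, real_if, mapped_if, real in audit_nat(SAMPLE_CONFIG):
        print(f"line {line_no}: static NAT of {real} ({real_if}) takes over "
              f"the whole {mapped_if} interface address")
```

Only the two rules from the question are reported; the dynamic PAT rule and the port-scoped static rule leave the interface address reachable for other services.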
