09-04-2011 09:42 AM - last edited on 03-25-2019 05:47 PM by ciscomoderator
Hi Everyone!
I have a question about NAT on an ASA firewall. I have a host coming from outside with IP address 10.0.0.10 to my inside network host with IP address 192.168.0.10.
I need the outside host's IP address (10.0.0.10) to be translated to 192.168.0.11 when its packets are crossing the inside interface.
Can someone please give me a clue on how to do that? I run ASA 8.3.
Thanks.
09-04-2011 12:04 PM
Hi,
You would need the following nat config for it:
object network outside_network
host 10.0.0.10
object network outside_natted_ip
host 192.168.0.11
object network inside_network
host 192.168.0.10
nat (outside,inside) source static outside_network outside_natted_ip destination static inside_network inside_network
This should serve the purpose you are trying to achieve.
Hope this helps.
Thanks,
Varun
09-05-2011 06:50 AM
Hi Varun,
Thank you for your reply. I am wondering if the above will work through a VPN tunnel, i.e. 10.0.0.10 will be the host which comes from outside but through an L2L VPN tunnel? Currently I have another NAT statement on my ASA in order to get things working with the VPN, as follows:
object-group network ASA2_LAN
network-object 10.0.0.0 255.255.255.0
object-group network ASA1_LAN
network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN
I am wondering if I can just add your configuration as you put it above without changing my current NAT statements.
And again, I need to translate just one host, which is 10.0.0.10, which is going to be coming in from outside but through the VPN tunnel.
Thanks!
09-05-2011 07:03 AM
Hi,
Yes, you can add the NAT statement for the specific host as well, but it should be above the NAT that you have for the complete network, since the NAT order of preference in 8.4 is top to bottom; therefore more specific NATs should be on top. Apart from that, if it's a site-to-site VPN you would also need a crypto ACL for the NATted IP of the host.
Thanks,
Varun
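As an added example (not posted by anyone in the thread), here are the two rules from the thread combined the way the ordering advice above describes, with explicit line numbers so the host-specific twice-NAT rule sits first in section 1 (manual NAT), followed by the commands a practitioner would use to verify it. Manual NAT rules are evaluated top to bottom, first match wins, and each rule also matches traffic in the reverse direction, so a broader rule placed above the host rule could shadow it. Interface names (outside, inside), object names and the crypto ACL name cryptointerested are taken from the thread; the expected packet-tracer outcome is an assumption about the lab, not output from the original poster.

```cisco
! Added example, not from the thread. Objects as posted:
object network outside_network
 host 10.0.0.10
object network outside_natted_ip
 host 192.168.0.11
object network inside_network
 host 192.168.0.10
object-group network ASA2_LAN
 network-object 10.0.0.0 255.255.255.0
object-group network ASA1_LAN
 network-object 192.168.0.0 255.255.255.0
!
! Position 1 in section 1: the remote host 10.0.0.10 appears on the inside as
! 192.168.0.11; the destination side is identity-translated (unchanged).
nat (outside,inside) 1 source static outside_network outside_natted_ip destination static inside_network inside_network
!
! Position 2: the network-wide identity rule from the thread, kept below the
! host rule so the more specific rule is matched first.
nat (inside,outside) 2 source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN
!
! Verification (run from enable mode):
! show nat
!   -> lists the rules in evaluation order with translate_hits / untranslate_hits
!      per rule; after a ping from 10.0.0.10 the host rule's hits should increase.
! packet-tracer input outside icmp 10.0.0.10 8 0 192.168.0.10
!   -> simulates an echo request arriving on outside; the NAT phase is expected
!      to show 10.0.0.10 translated to 192.168.0.11 and the result ALLOW.
! show crypto ipsec sa
!   -> encaps/decaps counters for the tunnel, as in the thread.
! show access-list cryptointerested
!   -> hit counts on the crypto ACL, the counter the thread asks about.
```

The line number after the interface pair is optional; without it a new manual NAT rule is appended to the end of section 1, which is exactly how a broader rule ends up evaluated before a later, more specific one.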
09-06-2011 03:34 PM
Thank you Varun.
I did as you said, and I didn't even need
nat (inside,outside) source static ASA2_LAN ASA2_LAN destination static ASA1_LAN ASA1_LAN
for packets coming from the remote ASA to be translated properly.
I did only
object network outside_network
host 10.0.0.10
object network outside_natted_ip
host 192.168.0.11
object network inside_network
host 192.168.0.10
nat (outside,inside) source static outside_network outside_natted_ip destination static inside_network inside_network
I have also applied the crypto map and everything looks to be good.
I can ping my local LAN host behind my ASA from the remote side firewall (VPN initiator), and it looks like the tunnel is working.
The only thing I am unsure about is that when I ping my local LAN from a remote side host and I do "sh crypto ipsec sa",
I see the below, and they are counting up with each ping, which means that packets are being received and sent over the tunnel:
#pkts encaps: 15711, #pkts encrypt: 15711, #pkts digest: 15711
#pkts decaps: 15740, #pkts decrypt: 15740, #pkts verify: 15740
but when I do "show access-list cryptointerested", which defines my crypto-interested local LAN IP addresses (source) to remote LAN (destination),
the hits are not counting up.
Although ping is working, I am wondering if "show access-list cryptointerested" on my ASA should be counting when I send a ping from the remote ASA and the remote ASA is the tunnel initiator. I am not supposed to initiate the tunnel from my side.
Will appreciate your clarification.
Thx.
09-07-2011 04:11 AM
Most interested in whether the access-list hit counters on my side should be increasing while pinging over the tunnel from a host behind the remote firewall...