Solved: Hi christians1,

christians1 · ‎02-23-2016

Hello,

I have a simple config on a cisco asa. It has an outside, inside and another interface called "Core"

When traffic from the inside goes out the outside int. its nat'd to the outside interface to a public IP.

nat (inside,outside) after-auto source dynamic any interface

I want to do something similar with traffic that comes from the inside and when it needs to talk to a network out the Core interface.. I want it to be nat'd to a specific IP address.

something like this..

nat (core,outside) after-auto source 10.100.10.10

Can I do something like this.. and are my nat commands correct?

thanks for any help!

Dinesh Moudgil · ‎02-23-2016

Hi christians1,

"I want to do something similar with traffic that comes from the inside and when it needs to talk to a network out the Core interface."

Lets suppose you want all the users in inside to be natted to 1.1.1.1 when they talk to 20.20.20.0 off of core interface. So the config looks like:

object network host_1.1.1.1
host 1.1.1.1

object network sub_20.20.20.0
subnet 20.20.20.0 255.255.255.0

nat (inside,core) source dynamic any host_1.1.1.1 destination static sub_20.20.20.0 sub_20.20.20.0

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Dinesh Moudgil · ‎02-23-2016

Hi christians1,

"I want to do something similar with traffic that comes from the inside and when it needs to talk to a network out the Core interface."

Lets suppose you want all the users in inside to be natted to 1.1.1.1 when they talk to 20.20.20.0 off of core interface. So the config looks like:

object network host_1.1.1.1
host 1.1.1.1

object network sub_20.20.20.0
subnet 20.20.20.0 255.255.255.0

nat (inside,core) source dynamic any host_1.1.1.1 destination static sub_20.20.20.0 sub_20.20.20.0

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

christians1 · ‎02-24-2016

Hi Perfect. Thanks.

This will have no affect on that same source traffic when it traverses out the outside interface correct?

Thanks

Dinesh Moudgil · ‎02-24-2016

This wont affect other traffic since we are defining that this nat be applied only if the destination is 20.20.20.0/24 that too off of core interface.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

christians1 · ‎02-26-2016

Hey thanks for the help. Everything is in but it doesn't look like its being translated.

act/firewall1# sho nat translated interface CORE
Manual NAT Policies (Section 1)
1 (inside) to (CORE) source dynamic any host_10.88.116.6 destination static Net_10.91.248.112_28 Net_10.91.248.112_28
translate_hits = 0, untranslate_hits = 10

would it be easier if I just nat it to the CORE interface IP instead of an actual IP?

Thanks.

christians1 · ‎03-09-2016

Thanks!! everything worked great.

Dinesh Moudgil · ‎03-09-2016

Glad to help you !

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

nat question