NAT rule on ASA

Steve Berglund
Level 1

I have a LAN-to-LAN VPN set up between two ASAs. There is a host I'm using for testing on one end, and a server on the other. The host is 10.0.0.10 and the server is 123.123.123.123 (the IP is public; it doesn't matter what the real one is). This server needs to see any incoming traffic from the host as if it's coming from a different public IP. We'll call that public IP 122.122.122.122. I need to make a rule that will translate all traffic from 10.0.0.10 to 122.122.122.122 when connecting to 123.123.123.123. Can anyone help with that?

2 Replies 2

Jouni Forss
VIP Alumni

Hi,

The configuration naturally depends on

  • Your used ASA software version
  • Your existing NAT configuration (current rule might override the new rule)

For ASA software 8.2 and below

access-list POLICY-NAT permit ip host 10.0.0.10 host 123.123.123.123

global (outside) 122 122.122.122.122

nat (inside) 122 access-list POLICY-NAT

OR

access-list POLICY-NAT permit ip host 10.0.0.10 host 123.123.123.123

static (inside,outside) 122.122.122.122 access-list POLICY-NAT

Second option might even be better for a single source host. If you need to map multiple hosts behind the single NAT IP then you would use the first option with multiple IP addresses or a network(s) as source in the ACL.

For ASA software 8.3 and after

object network HOST-LOCAL

host 10.0.0.10

object network HOST-MAPPED

host 122.122.122.122

object network HOST-REMOTE

host 123.123.123.123

nat (inside,outside) source static HOST-LOCAL HOST-MAPPED destination static HOST-REMOTE HOST-REMOTE

Both configurations

Hope this helps. Please rate and/or mark the question as answered if so.

Naturally ask more if needed.

- Jouni
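
A way to place and verify the 8.3+ rule from the reply above, added here as an example and not part of the original reply. The ACL name CRYPTO-ACL, the rule position 1 and the TCP ports are assumptions; the crypto ACL line reflects that the ASA applies NAT before matching traffic against the crypto map, so the tunnel has to be defined on the translated source.

```cisco
! Added example (ASA 8.3+). Not from the original reply.
! Assumed names/values: CRYPTO-ACL, rule position 1, source port 12345, destination port 443.

! Place the policy NAT at the top of the manual NAT section so an existing
! rule (for example a NAT exemption for the VPN) cannot match first.
nat (inside,outside) 1 source static HOST-LOCAL HOST-MAPPED destination static HOST-REMOTE HOST-REMOTE

! NAT is applied before the crypto map match, so the L2L crypto ACL must
! reference the translated source. The remote peer needs the mirrored entry.
access-list CRYPTO-ACL extended permit ip host 122.122.122.122 host 123.123.123.123

! Simulate a connection from the host and read the NAT and VPN phases of the result.
packet-tracer input inside tcp 10.0.0.10 12345 123.123.123.123 443 detailed

! Confirm the rule order and hit counters, then the live translation.
show nat detail
show xlate local 10.0.0.10

! Confirm the tunnel was negotiated for 122.122.122.122 <-> 123.123.123.123.
show crypto ipsec sa
```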

Thanks for the reply, and I'm sure that would have worked if this situation was possible. Without divulging too much information on this, since it is for a customer, the way their network is set up and with the security measures on the network these servers are on, the solution the customer was proposing will just not work.

Thanks again.
