Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
810
Views
0
Helpful
4
Replies

NAT solution

mynetwork014
Level 1
Level 1

‎04-06-2016 01:41 PM - edited ‎03-12-2019 12:35 AM

Hi,

PFA, I need to add inside network 192.168.1.100-110(10 host)  of ASA1 into DMZ(10.20.1.100) of ASA2 for application. 

is it possible to achieve it using NAT on ASA1 firewall.

Please help me to write NAT configuration on firewall.

Labels:
Preview file
31 KB
0 Helpful
4 Replies 4

Sergio Ceron Ramirez
Cisco Employee
Cisco Employee

‎04-06-2016 02:10 PM

Hello...

ASA1 should first know how to get into DMZ network behind ASA2. If you already have this routing properly, and want your source to keep as original, you can use twice NAT as follows:

ASA1 config

object-group network obj_192.168.1.100-110

 network-object host 192.168.1.100

... (add all hosts on the range you want)

 network-object host 192.168.1.110

!

object network obj_10.20.1.100_DMZ

 host 10.20.1.100

!

nat (inside,outside) source static obj_192.168.1.100-110 obj_192.168.1.100-110 destination static obj_10.20.1.100_DMZ obj_10.20.1.100_DMZ

ASA2 config:

object-group network obj_192.168.1.100-110

 network-object host 192.168.1.100

... (add all hosts on the range you want)

 network-object host 192.168.1.110

!

object network obj_10.20.1.100_DMZ

 host 10.20.1.100

!

nat (inside,DMZ) source static obj_192.168.1.100-110 obj_192.168.1.100-110 destination static obj_10.20.1.100_DMZ obj_10.20.1.100_DMZ

Let me know if it helps. If needed, attach your configs.

Cheers!

0 Helpful

mynetwork014
Level 1
Level 1
In response to Sergio Ceron Ramirez

‎04-09-2016 12:39 PM

Thanks for explanation.

I will inform you once i do with this configuration.

0 Helpful

Sergio Ceron Ramirez
Cisco Employee
Cisco Employee
In response to mynetwork014

‎05-18-2016 12:07 PM

Did you get it working?

0 Helpful

kkhapeka
Cisco Employee
Cisco Employee

‎04-07-2016 07:36 PM

Here I am considering that you want to translate 192,169.1.100-110 range of IP address into 10.20.1.100-110 raneg if IP addresses so that application existing in subnet 10.20.1.0/24 can access network behind ASA-1 as their local network.

NAT configuration :-

ASA-1>>

object network obj-192.168.1.100-110
 range 192.168.1.100 192.168.1.110
object network obj-10.20.1.100-110
 range 10.20.1.100 10.20.1.110

nat (outside,inside) source static any any destination static obj-10.20.1.100-110 obj-192.168.1.100-110

ASA-2>>

object network obj-10.20.1.100-110
 range 10.20.1.100 10.20.1.110
object network obj-192.168.1.100-110
 range 192.168.1.100 192.168.1.110

nat (inside,outside) source static any any destination static obj-10.20.1.100-110 obj-192.168.1.100-110

--------END OF CONFIGURATION----------

As per the above natting configuration, application located in ASA-2 network will be able to access 192.168.1.100-110 network located in ASA-1 network through local subnet of 10.20.1.100-110.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card