07-08-2012 07:47 PM - edited 03-11-2019 04:28 PM
Hopefully this is the correct group to post this question; if it should be in the VPN group I can post there.
We are going to set up a L2L VPN with a vendor and they asked us to NAT a couple IP addresses for remote access to a couple of servers on our inside network. Our device is an ASA 5580 with version 8.1 and we have a handful of public IP addresses for use if needed.
The vendor's remote network is a public IP address but for this posting I will use 192.168.10.0. Our inside servers are 10.100.10.20 and 10.100.10.30. Because 10.100.10 is in use with another customer they asked us to NAT 10.77.97.20 and 10.77.97.30 to the two inside servers. I'm comfortable with the VPN settings but I would appreciate guidance with the NAT configuration.
Thanks in advance.
Jeff
07-08-2012 09:05 PM
Hi
You need to know the port that you need to NAT.
In the config mode:
ip nat inside source static PROTOCOL (TCP, udp, etc) IP_destination PORT#Destination interface SOURCE Port#External
Example:
ip nat inside source static udp 172.17.128.11 21 interface ATM0.1 21
Hope this helps!
Best Regards.
07-08-2012 11:52 PM
For this setup you need to configure policy NAT. With that, the translation depends on the remote network.
1) Configure an ACL describing the communication that has to be NATted (10.100.10.20 and 10.100.10.30 to the customer-network)
2) In your nat or static statement (static if the remote end needs to establish sessions to the server, nat if only your server establishes the connection) you use that ACL to restrict the NAT to only the defined communication.
The exact configuration is explained in the config-guide:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/cfgnat.html#wp1042553
Sent from Cisco Technical Support iPad App
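The two steps from the reply above, written out for the addresses in the question, as an added example that is not part of the original thread. It uses the pre-8.3 policy static NAT syntax and assumes interface names `inside` and `outside`, a /24 mask on the placeholder vendor network 192.168.10.0, and hypothetical ACL names.

```cisco
! Step 1: one ACL per server, matching only traffic from that server
! to the vendor network (192.168.10.0/24 is the placeholder from the
! question; the mask is an assumption).
access-list VENDOR-NAT-20 extended permit ip host 10.100.10.20 192.168.10.0 255.255.255.0
access-list VENDOR-NAT-30 extended permit ip host 10.100.10.30 192.168.10.0 255.255.255.0

! Step 2: policy static NAT. Each server appears as 10.77.97.x only
! when the peer is the vendor network; traffic to every other
! destination keeps its existing translation. static is used because
! the vendor initiates the sessions.
static (inside,outside) 10.77.97.20 access-list VENDOR-NAT-20
static (inside,outside) 10.77.97.30 access-list VENDOR-NAT-30

! NAT is applied before the crypto map is evaluated, so the crypto ACL
! for the L2L tunnel has to match the translated addresses, not
! 10.100.10.x. Listing hosts instead of the whole 10.77.97.0 range
! keeps the tunnel limited to the two servers.
access-list VENDOR-CRYPTO extended permit ip host 10.77.97.20 192.168.10.0 255.255.255.0
access-list VENDOR-CRYPTO extended permit ip host 10.77.97.30 192.168.10.0 255.255.255.0
```

Access for the vendor can be narrowed further to the required ports with a VPN filter or interface ACL, since the NAT ACLs above match all IP traffic between the servers and the vendor network.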