cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1280
Views
15
Helpful
6
Replies

One Direction NAT on FWSM

I want to configure a NAT Statement on a FWSM so that traffic initiated by an end user to a server with an IP Address of 10.20.x.x network will access it via a corresponding 10.60.x.x address.  But, I want all communications initiated by the server to stay at its original IP Address.

Therefore I have a End User trying to access a server.  User will type in 10.60.x.x, this hits the FWSM and changes the 10.60.x.x to 10.20.x.x

The return traffic will go back to the user as 10.60.x.x.

But, that server trying to access the internet, will source as 10.20.x.x and will continue its journey as 10.20.x.x

How is this configured?  Would it be:

static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255

6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Clayton,

If you do this:

static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255

That would be a permanent static one to one translation so inbound an outbound connections from that server will be seeing at 10.60.60.60.

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Clayton,

Now here is what you can try:

access-list NAT  extended permit ip host 10.60.60.60 any

static (inside,outside) 10.20.60.60 10.20.60.60

static (inside,outside) 10.60.60.60 access-list NAT

That should do it!

Do rate all the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am not sure if I am reading this correctly.

Would you want the ACL to be

     access-list NAT extended permit ip any host 10.60.60.60     (for any user trying to access the server?)

Also for the  "static (inside,outside) 10.60.60.60 access-list NAT"

     Would you want it to read static (inside,outside) 10.20.60.60 access-list NAT  (so that the traffic NAT's to the 10.20.60.60 address)

This would make the lines:

     access-list NAT extended permit ip any host 10.60.60.60

     static (inside,outside) 10.20.60.60 10.20.60.60

     static (inside,outside) 10.20.60.60 access-list NAT

Also, if I can perform it in this manner, is "static (inside,outside) 10.20.60.60 10.20.60.60" needed? 

The ACL is specifying direction, therefore it should not be hit if traffic is sourcing from 10.20.60.60

Or am I completely off base here?

Thanks,

Clayton

Hello Clayton,

You want the outside users to access 10.60.60.60 and get translated to 10.20.60.60

But you also want the user 10.20.60.60 to be natted or no-nated if he starts the connection.

This is not supported but we are doing a trick here to do it.

static (inside,outside) 10.20.60.60 access-list NAT is need it for outbound connections.

Static (inside,outside) 10.20.60.60 10.20.60.60 is need it for the inbound connections.

To test it.

Packet-tracer input inside tcp 10.20.60.60 1025 4.2.2.2 80

You should see here the NAT with the ACL.

Packet-tracer input outside tcp 4.2.2.2 1025 10.60.60.60 80

You should see the identity nat or No-nat.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Would instead of having

static (inside,outside) 10.20.60.60 access-list NAT

could I instead have

nat (inside) 0 10.20.60.60 255.255.255.255 0 0

or would the first static take presidence over the generic?

Thanks again,

Clayton

Hello Clayton,

The Nat order on 8.2 is :

1. NAT exemption—In order, until the first match.

2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT

is included in this category.

3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of

the NAT rules does not matter; the NAT rule that best matches the real address is used. For example,

you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to

translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to

translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used

because it matches the real address best. We do not recommend using overlapping rules; they use

more memory and can slow the performance of the ASA.

Did you try it with the suggestions I sent you??

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card