02-01-2012 12:01 PM - edited 03-11-2019 03:22 PM
I want to configure a NAT Statement on a FWSM so that traffic initiated by an end user to a server with an IP Address of 10.20.x.x network will access it via a corresponding 10.60.x.x address. But, I want all communications initiated by the server to stay at its original IP Address.
Therefore I have an end user trying to access a server. The user will type in 10.60.x.x, this hits the FWSM and changes the 10.60.x.x to 10.20.x.x.
The return traffic will go back to the user as 10.60.x.x.
But, that server trying to access the internet, will source as 10.20.x.x and will continue its journey as 10.20.x.x
How is this configured? Would it be:
static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255
02-01-2012 12:12 PM
Hello Clayton,
If you do this:
static (inside,outside) 10.60.60.60 10.20.60.60 netmask 255.255.255.255
That would be a permanent static one-to-one translation, so inbound and outbound connections from that server will be seen as 10.60.60.60.
Regards,
Do rate helpful posts
Julio
02-01-2012 12:19 PM
Hello Clayton,
Now here is what you can try:
access-list NAT extended permit ip host 10.60.60.60 any
static (inside,outside) 10.20.60.60 10.20.60.60
static (inside,outside) 10.60.60.60 access-list NAT
That should do it!
Do rate all the helpful posts.
Julio
02-01-2012 12:39 PM
I am not sure if I am reading this correctly.
Would you want the ACL to be
access-list NAT extended permit ip any host 10.60.60.60 (for any user trying to access the server?)
Also for the "static (inside,outside) 10.60.60.60 access-list NAT"
Would you want it to read static (inside,outside) 10.20.60.60 access-list NAT (so that the traffic NAT's to the 10.20.60.60 address)
This would make the lines:
access-list NAT extended permit ip any host 10.60.60.60
static (inside,outside) 10.20.60.60 10.20.60.60
static (inside,outside) 10.20.60.60 access-list NAT
Also, if I can perform it in this manner, is "static (inside,outside) 10.20.60.60 10.20.60.60" needed?
The ACL is specifying direction, therefore it should not be hit if traffic is sourcing from 10.20.60.60
Or am I completely off base here?
Thanks,
Clayton
02-01-2012 12:58 PM
Hello Clayton,
You want the outside users to access 10.60.60.60 and get translated to 10.20.60.60
But you also want the user 10.20.60.60 to be natted or no-natted if he starts the connection.
This is not supported, but we are doing a trick here to do it.
static (inside,outside) 10.20.60.60 access-list NAT is needed for outbound connections.
static (inside,outside) 10.20.60.60 10.20.60.60 is needed for the inbound connections.
To test it.
packet-tracer input inside tcp 10.20.60.60 1025 4.2.2.2 80
You should see here the NAT with the ACL.
packet-tracer input outside tcp 4.2.2.2 1025 10.60.60.60 80
You should see the identity nat or No-nat.
Regards,
Julio
Do rate helpful posts!!
02-02-2012 07:19 AM
Would instead of having
static (inside,outside) 10.20.60.60 access-list NAT
could I instead have
nat (inside) 0 10.20.60.60 255.255.255.255 0 0
or would the first static take precedence over the generic?
Thanks again,
Clayton
02-02-2012 10:55 AM
Hello Clayton,
The NAT order on 8.2 is:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of the NAT rules does not matter; the NAT rule that best matches the real address is used. For example, you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping rules; they use more memory and can slow the performance of the ASA.
Did you try it with the suggestions I sent you??
Regards,
Julio
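The 8.2 order of operations quoted in the post above, worked through as an added toy model; this is not FWSM code or anything from the thread. The Rule class, the rule names and the sample rules are constructed here, and only inside-initiated traffic is modelled (the inbound lookup on the mapped address is not).

```python
# Toy model of the ASA/FWSM 8.2 NAT order of operations (constructed example,
# not firewall code). Answers "which rule does this inside packet hit?".
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Categories in the order the 8.2 engine evaluates them.
ORDER = ("exempt", "static", "policy_dynamic", "dynamic")

@dataclass
class Rule:
    name: str                       # the CLI line this rule stands for
    kind: str                       # one of ORDER
    real: str                       # real (inside) address or network
    mapped: str = None              # mapped address; None = identity/exemption
    acl: list = field(default_factory=list)  # [(src_net, dst_net)] for policy rules

    def matches(self, src, dst):
        if self.acl:                # policy rule: ACL matches real src and dst
            return any(src in ip_network(s) and dst in ip_network(d)
                       for s, d in self.acl)
        return src in ip_network(self.real)

def lookup(rules, src, dst):
    """Return the rule that would handle src->dst, or None if none matches."""
    src, dst = ip_address(src), ip_address(dst)
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(src, dst)]
        if not hits:
            continue
        if kind == "dynamic":       # category 4: best (longest real prefix) match
            return max(hits, key=lambda r: ip_network(r.real).prefixlen)
        return hits[0]              # categories 1-3: first match in config order
    return None

# Constructed sample config, labelled with the thread's 8.2 syntax.
RULES = [
    Rule("nat (inside) 0 access-list NONAT", "exempt", "10.20.60.60/32",
         acl=[("10.20.60.60/32", "10.30.0.0/16")]),
    Rule("static (inside,outside) 10.20.60.60 10.20.60.60", "static",
         "10.20.60.60/32", "10.20.60.60"),
    Rule("nat (inside) 0 10.20.60.60 255.255.255.255", "dynamic",
         "10.20.60.60/32"),                                  # regular identity NAT
    Rule("nat (inside) 1 0.0.0.0 0.0.0.0", "dynamic", "0.0.0.0/0", "pool1"),
    Rule("nat (inside) 2 10.1.1.1 255.255.255.255", "dynamic", "10.1.1.1/32", "pool2"),
]

def which(src, dst):
    r = lookup(RULES, src, dst)
    return r.name if r else None

if __name__ == "__main__":
    print(which("10.20.60.60", "4.2.2.2"))    # static identity (cat. 2) beats nat 0 (cat. 4)
    print(which("10.20.60.60", "10.30.1.1"))  # NAT exemption wins
    print(which("10.1.1.1", "4.2.2.2"))       # best match: the /32 dynamic rule
```

The first lookup is the case asked about above: a plain `nat (inside) 0 host` line is regular identity NAT in category 4, so the static in category 2 is the one that matches.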