Outbound PAT based on destination address

gladecreek
Level 1

I have two VPN tunnels to distinct external entities.  Each entity only allows traffic from a specific IP address.  I need to use a single NAT/PAT address for traffic through tunnel 1 and a different NAT/PAT address for traffic through tunnel 2.

Entity 1 expects all user traffic to come from 65.72.34.2

Entity 2 expects all user traffic to come from 65.72.34.3

In ASA 8.2, I would do this with NAT / Global statement pairs, but I can't figure out how to do this in 9.4. Can I use an ACL for outbound PAT? If so, what would the syntax look like?

1 Accepted Solution

Ajay Saini
Level 7

Hello,

The syntax looks like below. It will PAT the source network test-src to obj-65.72.34.2 when accessing the remote subnet test-dest.

object network obj-65.72.34.2
 host 65.72.34.2

nat (inside,outside) source dynamic test-src obj-65.72.34.2 destination static test-dest test-dest

The test-src object is your source network that needs to access the test-dest object network on the remote side.

Please note that with this you can only initiate traffic from the src side to the dest side, because we are PATting the source to a single IP address, so by logic it will be unidirectional.

For more on NAT from 8.3 onwards:

https://supportforums.cisco.com/t5/security-documents/asa-8-3-upgrade-what-you-need-to-know/ta-p/3127078#toc-hId--1214137034

HTH
AJ

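The same twice-NAT construction carried through for both tunnels, as an added example that is not part of Ajay's post: the inside subnet, the two remote subnets and the object and ACL names are assumed placeholders, and the crypto ACL lines are included because the ASA evaluates the VPN interesting-traffic ACL against the already-translated source address.

```cisco
! Added example, not from the original post. Placeholder addresses:
! inside network 10.1.0.0/16, entity 1 subnet 192.168.10.0/24,
! entity 2 subnet 192.168.20.0/24. Only 65.72.34.2/.3 come from the thread.
object network inside-net
 subnet 10.1.0.0 255.255.0.0
object network entity1-net
 subnet 192.168.10.0 255.255.255.0
object network entity2-net
 subnet 192.168.20.0 255.255.255.0
object network obj-65.72.34.2
 host 65.72.34.2
object network obj-65.72.34.3
 host 65.72.34.3
!
! Twice NAT (section 1, evaluated top-down): the destination object is what
! selects the PAT address, so each tunnel gets its own rule. Because the
! source side is dynamic PAT, neither entity can initiate flows inbound.
nat (inside,outside) source dynamic inside-net obj-65.72.34.2 destination static entity1-net entity1-net
nat (inside,outside) source dynamic inside-net obj-65.72.34.3 destination static entity2-net entity2-net
!
! NAT runs before encryption, so the crypto ACL for each peer must match the
! PAT address, not the inside subnet. ACL names are placeholders.
access-list VPN-ENTITY1 extended permit ip host 65.72.34.2 object entity1-net
access-list VPN-ENTITY2 extended permit ip host 65.72.34.3 object entity2-net
```

`show nat detail` reports per-rule hit counts, and `packet-tracer input inside tcp 10.1.0.10 12345 192.168.20.5 443` walks one flow through the NAT and VPN phases to confirm the second rule is the one selected.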

4 Replies

You need to use twice NAT in 9.4 to achieve what you are looking for.

Do you mean by specifying both a source keyword and destination within the same nat statement? If so, where in that statement is the nat’ed address specified? Could you give me an example?


Thanks, Ajay. That's exactly what we needed to get it working.