question about using Static Policy NAT on ASA 8.2.

laerciotobias (Level 1)

Hi all,

My question is very simple.

Let's assume I am doing policy NAT in the following scenario:

access-list policy_nat extended permit ip host 10.0.0.1 host 192.168.1.1

static (inside,outempresa) 170.66.53.1 access-list policy_nat

I understand that when host A 10.0.0.1 wants to connect to host B 192.168.1.1, it is going to be translated to 170.66.53.1.

My question is:

When host 192.168.1.1 wants to connect to 10.0.0.1, will the same entry change the destination, when the packet hits the ASA, from 170.66.53.1 to 10.0.0.1? Is that correct?

Thank you.

2 Accepted Solutions

Jennifer Halim (Cisco Employee)

The static NAT statement is bi-directional.

When host 10.0.0.1 wants to access 192.168.1.1, host 10.0.0.1 will be translated to 170.66.53.1.

When host 192.168.1.1 wants to access 10.0.0.1, host 192.168.1.1 needs to access it with the 170.66.53.1 IP address instead of 10.0.0.1. Once the packet arrives on the ASA, 170.66.53.1 will get translated back to 10.0.0.1, so the traffic from 192.168.1.1 will arrive at 10.0.0.1.

Hope that answers your question.


Yes, it would be the same for return traffic as well: the internal users would send a request for 170.66.53.1, which would be untranslated to its private IP. The best way to check the flow of the packet is to use packet-tracer:

packet-tracer input outempresa tcp 10.0.0.1 2345 192.168.1.1 443 detailed

Here's the command reference for it:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/p.html#wp1913020

If 10.0.0.1 is on the outempresa side and 192.168.1.1 lies on the inside, then this would show you how the packet and the return traffic are processed by the firewall.

Hope this helps.

Thanks,
Varun Rao

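The two answers above describe the static policy NAT entry as a lookup that works in both directions, with the ACL matched as written on the way out and with source and destination swapped on the way back. The following Python is an added illustration written for this page, not ASA code and not something posted in the thread: it models only that lookup, using the addresses and interface names from the question, and adds two negative cases (a host that is not the ACL destination trying to reach the mapped address, and the ACL destination trying to reach the real address directly) so that the conditional nature of the untranslation is visible. It assumes the ACL source is a single `host` entry, as in the post; nat-control, NAT exemption, identity NAT, routing and interface ACLs are deliberately not modelled, so a "no-match" result only means that this particular static does not apply, not that the ASA drops the packet.

```python
"""Toy model of an ASA 8.2 static policy NAT lookup (illustration only).

Assumptions (this is an added example, not ASA code):
  - the ACL on the static uses 'host' on the source side, as in the thread;
    the destination side may be a host or a subnet;
  - nat-control, NAT exemption, identity NAT, routing and interface ACLs are
    not modelled, so "no-match" only means "this static does not apply".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> extended permit ip <src> <dst>' line."""
    src: IPv4Network   # real host whose address is translated
    dst: IPv4Network   # destination that triggers the policy


@dataclass(frozen=True)
class PolicyStatic:
    """static (real_ifc,mapped_ifc) mapped_ip access-list <acl>"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    acl: List[AclEntry]


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str
    src: str
    dst: str


def host(addr: str) -> IPv4Network:
    """ASA 'host 10.0.0.1' -> 10.0.0.1/32."""
    return ip_network(addr + "/32")


def subnet(addr: str, mask: str) -> IPv4Network:
    """ASA '192.168.1.0 255.255.255.0' -> 192.168.1.0/24."""
    return ip_network(f"{addr}/{mask}", strict=False)


def apply_static(rule: PolicyStatic, pkt: Packet) -> Tuple[Packet, str]:
    """Return the packet after this static is applied, plus a label.

    Forward (real -> mapped interface): the packet must match an ACL entry
    as written; the source is rewritten to the mapped address.
    Reverse (mapped -> real interface): the ACL is matched with source and
    destination swapped, so only the ACL's destination hosts can reach the
    mapped address and have it untranslated to the real address.
    """
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.ingress_ifc == rule.real_ifc:
        for e in rule.acl:
            if s in e.src and d in e.dst:
                return Packet(pkt.ingress_ifc, rule.mapped_ip, pkt.dst), "translate-src"
    elif pkt.ingress_ifc == rule.mapped_ifc and d == ip_address(rule.mapped_ip):
        for e in rule.acl:
            if s in e.dst:
                real = str(e.src.network_address)  # 'host' entry -> single real IP
                return Packet(pkt.ingress_ifc, pkt.src, real), "untranslate-dst"
    return pkt, "no-match"


# The thread's configuration transcribed into the model (values from the post).
THREAD_RULE = PolicyStatic(
    real_ifc="inside",
    mapped_ifc="outempresa",
    mapped_ip="170.66.53.1",
    acl=[AclEntry(host("10.0.0.1"), host("192.168.1.1"))],
)


def walk_thread_cases(rule: PolicyStatic = THREAD_RULE) -> dict:
    """Run the flows discussed in the thread plus constructed negative cases."""
    cases = {
        "A->B forward": Packet("inside", "10.0.0.1", "192.168.1.1"),
        "B->mapped A": Packet("outempresa", "192.168.1.1", "170.66.53.1"),
        "B->real A (no static applies)": Packet("outempresa", "192.168.1.1", "10.0.0.1"),
        "other host->mapped A": Packet("outempresa", "192.168.1.2", "170.66.53.1"),
        "A->non-policy dst": Packet("inside", "10.0.0.1", "192.168.1.2"),
    }
    return {name: apply_static(rule, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (pkt, action) in walk_thread_cases().items():
        print(f"{name:32} {action:16} {pkt.src} -> {pkt.dst}")
```

Running the script prints one line per case; the two negative cases come back as "no-match", which is the practical point of the thread: the ACL destination must use the mapped address, and nobody outside the ACL's destination gets the mapped address untranslated by this entry. On the real firewall the equivalent check is packet-tracer in both directions (from inside with 10.0.0.1 as source, and from outempresa with 192.168.1.1 as source and 170.66.53.1 as destination), looking at the NAT phase of the output.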
