10-28-2010 11:51 AM - edited 03-11-2019 12:01 PM
Hi,
We need to change the source and destination address of a packet in a single travel.
For example :
F/w : outside : 10.1.1.1 /24 ( subnet )
F/w : inside : 192.168.1.1 /24 ( subnet )
Requirement is :
If a packet with source IP 192.100.100.1 and destination IP 10.1.1.50 arrives on the firewall outside interface,
can we static-NAT both its source and destination IP and send the packet towards the inside interface?
So this packet's source will be 192.168.1.50 (same as the inside subnet) and the target will be 172.30.1.1. This packet will exit the inside interface.
Original packet (arrived on outside i/f) -------> static rules applied -------> Translated packet
Source IP: 192.100.100.1 -------> Source IP: 192.168.1.50 (same as inside subnet)
Dest IP: 10.1.1.50 (same as outside subnet) -------> Destination: 172.168.1.1
When packet returns ( it arrives on inside interface )
Returning packet (arrives on inside interface) -------> static-NAT -------> Translated and exits towards outside
Source IP: 172.30.1.1 -------> Source: 10.1.1.50
Destination: 192.168.1.50 -------> Destination: 192.100.100.1
If we configure the corresponding static NAT rules, will it work or will it give an error? The corresponding permit access list and routing are in place.
Please share the experience.
Thanks
Subodh
10-28-2010 07:03 PM
Hi Subodh,
What is the code you are running on the ASA ?
Thanks,
Namit
10-28-2010 07:30 PM
Pre 8.3 nat:
static (inside,outside) 10.1.1.50 172.30.1.1
static (outside,inside) 192.168.1.50 192.100.100.1
8.3 nat:
object network outside_real
 host 192.100.100.1
object network inside_real
 host 172.30.1.1
object network inside_mapped
 host 10.1.1.50
object network outside_mapped
 host 192.168.1.50
nat (inside,outside) source static inside_real inside_mapped destination static outside_mapped outside_real
Refer to this link: https://supportforums.cisco.com/docs/DOC-9129
-KS
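The two forms above differ in how they match traffic, which the following added example models in Python (it is not part of the original post and is not ASA code). It assumes only these NAT rules exist, ignores ACLs and routing, and uses a constructed second outside source, 198.51.100.7, to show that the pre-8.3 statics rewrite each address independently while the single 8.3 rule applies only when source and destination both match.

```python
# Added example: a minimal model of the NAT rules posted above (not ASA code).
from typing import NamedTuple, Tuple


class Pkt(NamedTuple):
    src: str
    dst: str


# Addresses taken from the thread.
OUT_REAL, OUT_MAPPED = "192.100.100.1", "192.168.1.50"  # outside host / as seen inside
IN_REAL, IN_MAPPED = "172.30.1.1", "10.1.1.50"          # inside host / as seen outside


def pre83(pkt: Pkt, ingress: str) -> Pkt:
    """Two independent statics: each address is rewritten on its own."""
    if ingress == "outside":
        src = OUT_MAPPED if pkt.src == OUT_REAL else pkt.src  # static (outside,inside)
        dst = IN_REAL if pkt.dst == IN_MAPPED else pkt.dst    # static (inside,outside)
    else:
        src = IN_MAPPED if pkt.src == IN_REAL else pkt.src
        dst = OUT_REAL if pkt.dst == OUT_MAPPED else pkt.dst
    return Pkt(src, dst)


def twice_nat(pkt: Pkt, ingress: str) -> Pkt:
    """One 8.3 rule: translate only when source AND destination both match."""
    if ingress == "outside" and pkt == Pkt(OUT_REAL, IN_MAPPED):
        return Pkt(OUT_MAPPED, IN_REAL)
    if ingress == "inside" and pkt == Pkt(IN_REAL, OUT_MAPPED):
        return Pkt(IN_MAPPED, OUT_REAL)
    return pkt  # no match: this rule leaves the packet untouched


def round_trip(nat) -> Tuple[Pkt, Pkt]:
    """Forward packet from the outside host, then the inside host's reply."""
    fwd = nat(Pkt(OUT_REAL, IN_MAPPED), "outside")
    ret = nat(Pkt(fwd.dst, fwd.src), "inside")
    return fwd, ret


if __name__ == "__main__":
    for name, nat in (("pre-8.3", pre83), ("8.3 twice NAT", twice_nat)):
        print(name, round_trip(nat))
    other = Pkt("198.51.100.7", IN_MAPPED)  # constructed: a different outside source
    print("other source:", pre83(other, "outside"), twice_nat(other, "outside"))
```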
10-28-2010 09:23 PM
Hello
Yup, it has been tested. At least in my experience with NAT prior to 8.3 it works fine, as Sankar is explaining. Of course, this will need to be done with static NAT.
If you have any kind of error messages or something is not working, please feel free to post your questions.
Cheers
Mike.
10-29-2010 06:51 AM
Thanks Guys for info. I need to put these on the actual firewall and see if it works as expected.
Changing the source and destination IP address of the same packet in a single (entry and exit).
10-29-2010 10:38 AM
Hello,
Sounds great, just let us know if you run into any problems.
Mike.