03-08-2009 07:09 AM - edited 03-11-2019 08:01 AM
Hi Experts,
One of the connectivity projects I am working on requires traffic flowing through the ASA to reach the server sitting behind the ASA. However, the source of the traffic has IP addresses in the private IP ranges. As our organization also uses a similar IP address range for internal connectivity, I have to do many-to-one translation of the sources.
I would appreciate any insight on how to achieve this on the ASA.
03-08-2009 07:29 AM
Source addresses = 172.16.5.0/24
nat (outside) 1 172.16.5.0 255.255.255.0 outside
global (inside) 1 interface
Note that you can choose any IP address to NAT the source addresses to, but from within your network it must be routed to the inside interface of the ASA. So instead of
global (inside) 1 interface
you could use
global (inside) 1 192.168.5.10
Your internal network devices would then have to route 192.168.5.10 back to the inside interface of the ASA.
Jon
03-09-2009 12:04 AM
Hi Jon,
Thanks for your reply to this thread... that cleared my doubt too.
Is it also possible to use policy-based NAT in this scenario? Say I have three different subnets as sources:
source1 = 10.0.0.0/8
source2 = 172.16.0.0/16
source3 = 172.28.0.0/16
destination = 192.168.1.254
NAT IP = 192.168.1.50
I create an object group in the ASA:
object-group network InBoundAccess
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.255.0.0
network-object 172.28.0.0 255.255.0.0
I then apply a policy like this:
access-list inboundaccess extended permit ip object-group InBoundAccess host 192.168.1.254
I use this policy to do the NAT like this:
nat (outside) 1 access-list inboundaccess
global (inside) 1 192.168.1.50 netmask 255.255.255.255
I add appropriate routes for 192.168.1.50 in my internal network devices...
Will this help?
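A model of the policy match and many-to-one translation discussed in this thread, as an added example that is not part of any post and is not ASA code. The class and method names are hypothetical, and the sequential port allocation is a simplifying assumption; the subnets and addresses are the ones quoted above.

```python
import ipaddress
from itertools import count

# Values taken from the thread's policy-NAT post.
IN_BOUND_ACCESS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/16", "172.28.0.0/16")]
DEST_HOST = ipaddress.ip_address("192.168.1.254")
NAT_IP = ipaddress.ip_address("192.168.1.50")


class PolicyPat:
    """Toy many-to-one translator; port allocation is simplified (assumption)."""

    def __init__(self, first_port=1024):
        self._ports = count(first_port)
        self.xlate = {}      # (real_src, real_sport, dst, dport) -> mapped port
        self.reverse = {}    # mapped port -> (real_src, real_sport)

    def matches(self, src, dst):
        """Policy match: source in the object group AND destination is the host."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return dst == DEST_HOST and any(src in net for net in IN_BOUND_ACCESS)

    def translate(self, src, sport, dst, dport):
        """Return the (src, sport) the inside server sees, or None if no match."""
        if not self.matches(src, dst):
            return None
        key = (src, sport, dst, dport)
        if key not in self.xlate:
            port = next(self._ports)
            if port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            self.xlate[key] = port
            self.reverse[port] = (src, sport)
        return (str(NAT_IP), self.xlate[key])

    def untranslate(self, mapped_port):
        """Map a reply addressed to NAT_IP:mapped_port back to the real client."""
        return self.reverse.get(mapped_port)
```

In this model the server only ever sees 192.168.1.50 as the source, so the translation table is the only record that ties a session back to its real client address.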