Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
569
Views
0
Helpful
2
Replies

Static and dynamic nat together

Go to solution
giuseppe parlato
Level 1
Level 1

‎07-28-2014 03:39 AM - edited ‎03-11-2019 09:32 PM

Hello, let me ask you if it is possible..

I have the following right now :

nat (dmz,ext) source static obj-192.168.15.87 obj-172.31.22.55 destination static obj-172.20.22.0

..so network 172.20.22.0/24 can connect to 192.168.15.87 through nat 172.31.22.55

Now.. I would need a second nat, which would be dynamic nat, so that 172.20.22.0/24 would be dynamically patted to ip 192.168.15.66 outbound from dmz interface. It means that server 192.168.15.87 will see connections not from real network 172.20.22.0/24 but from 192.168.15.66/32. Is that possible or does it create problems having a static and a dynamic nat on the same firewall ? I cannot test it unfortunately.

 

Thank you 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-28-2014 06:35 AM

Hi,

 

I always like to look at the current NAT configuration before adding anything new. In your case I guess would need to configure the "nat" command a bit differently if you wanted to combine both the Dynamic PAT and the Static NAT into the same command.

 

Something like this

 

nat (ext,dmz) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

 

The above configuration should match connections coming from behind "ext" interface from source network 172.20.22.0/24 towards the NAT IP address of 172.31.22.55 to the "dmz" after which the destination IP address 172.31.22.55 would be UN-NATed to 192.168.15.87 and the source IP address 172.20.22.x would be PATed to 192.168.15.66

 

I did a brief test on my home ASA with the following configuration

object network obj-172.20.22.0
 subnet 172.20.22.0 255.255.255.0
object network obj-192.168.15.66
 host 192.168.15.66
object network obj-192.168.15.87
 host 192.168.15.87
object network obj-172.31.22.55
 host 172.31.22.55

nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

 

The "packet-tracer" test seems to match this configuration and does the translations. Here are the NAT phases from the output.

 

The command used was

packet-tracer input WAN tcp 172.20.22.100 12345 172.31.22.55 80

 

In my configuration "WAN" corresponds "ext" and "LAN" corresponds to "dmz"

 

 

UN-NAT of the destination IP

 

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
NAT divert to egress interface LAN
Untranslate 172.31.22.55/80 to 192.168.15.87/80

 

NAT of the source IP address

 

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
Dynamic translate 172.20.22.100/12345 to 192.168.15.66/12345

 

Hope this helps :)

 

- Jouni

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-28-2014 06:35 AM

Hi,

 

I always like to look at the current NAT configuration before adding anything new. In your case I guess would need to configure the "nat" command a bit differently if you wanted to combine both the Dynamic PAT and the Static NAT into the same command.

 

Something like this

 

nat (ext,dmz) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

 

The above configuration should match connections coming from behind "ext" interface from source network 172.20.22.0/24 towards the NAT IP address of 172.31.22.55 to the "dmz" after which the destination IP address 172.31.22.55 would be UN-NATed to 192.168.15.87 and the source IP address 172.20.22.x would be PATed to 192.168.15.66

 

I did a brief test on my home ASA with the following configuration

object network obj-172.20.22.0
 subnet 172.20.22.0 255.255.255.0
object network obj-192.168.15.66
 host 192.168.15.66
object network obj-192.168.15.87
 host 192.168.15.87
object network obj-172.31.22.55
 host 172.31.22.55

nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

 

The "packet-tracer" test seems to match this configuration and does the translations. Here are the NAT phases from the output.

 

The command used was

packet-tracer input WAN tcp 172.20.22.100 12345 172.31.22.55 80

 

In my configuration "WAN" corresponds "ext" and "LAN" corresponds to "dmz"

 

 

UN-NAT of the destination IP

 

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
NAT divert to egress interface LAN
Untranslate 172.31.22.55/80 to 192.168.15.87/80

 

NAT of the source IP address

 

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
Dynamic translate 172.20.22.100/12345 to 192.168.15.66/12345

 

Hope this helps :)

 

- Jouni

 

0 Helpful

Go to solution
giuseppe parlato
Level 1
Level 1

‎07-30-2014 07:41 AM

It seems to be working in a test environment!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card