09-24-2014 07:15 AM - edited 03-11-2019 09:49 PM
I have a business requirement that has traffic for an application going through firewall A and web traffic through firewall B. Due to a specialized routing need for this application, if a user outside the network tries to access our public facing web servers we end up with the traffic entering firewall B and leaving firewall A, so asymmetric routing.
What I would like to do is bring in all traffic coming from 123.123.123.0/24 (outside) destined for 222.222.222.222 (NATed to 11.11.11.11 inside) and NAT those external addresses to 10.10.10.0/24.
I think that this is a twice NAT but haven't been able to follow the Cisco examples as they are taking an internal host and NATing them outbound; I'm looking to do the reverse.
09-24-2014 07:35 AM
Hi,
You did not mention the software version of your ASA. Twice NAT is easier and more common on the 8.3+ software levels.
So if I understood correctly the internal server should be NATed to 222.222.222.222 from the real IP address 11.11.11.11 and the external source subnet 123.123.123.0/24 should be NATed to 10.10.10.0/24 when connecting to the mentioned NAT IP address of 222.222.222.222?
If so then the configuration in 8.3+ format could be
object network SERVER-REAL
host 11.11.11.11
object network SERVER-MAPPED
host 222.222.222.222
object network EXT-SUBNET-REAL
subnet 123.123.123.0 255.255.255.0
object network EXT-SUBNET-MAPPED
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static SERVER-REAL SERVER-MAPPED destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL
Naturally the above "object" names are more meant to give you an idea of what purpose they hold. A better naming policy could surely be used. :)
The above NAT configuration would do a 1:1 Static NAT for the source addresses as the real and mapped subnets are of equal size. You could change this to Dynamic PAT if the actual situation holds different size subnets.
Hope this helps :)
- Jouni
09-24-2014 07:43 AM
We are currently running 8.4.2, this head cold is preventing me from remembering vital details today.
09-24-2014 07:46 AM
Hi,
In that case your ASA should support the above configuration format.
Naturally I don't know what the interfaces are called on your ASA. Also I personally like to look at the big picture especially when doing any special NAT configurations. Just so that I don't mess anything up :)
- Jouni