Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
166
Views
0
Helpful
1
Replies

Upgrading to 9.1: Source NAT migration

rwt300044
Level 1
Level 1

‎08-21-2014 03:32 PM - edited ‎03-11-2019 09:39 PM

 

We are migrating to 9.1 and need to update our NAT config. I'm a bit confused about how to do Source Natting in 8.3+

 

Our Current setup translates the source IP to the inside interface address of the ASA:

SNAT IP: 10.0.0.1

Server: 10.0.0.2

 

 

global (inside) 2 10.0.0.1

nat (outside) 2 0.0.0.0 0.0.0.0 outside

nat (outside) 0 access-list 21

 

access-list 21 extended deny ip any host 10.0.0.2

access-list 21 extended permit ip any any

 

 

I've been at this for a while. Any thoughts?

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎08-21-2014 04:21 PM

Hi,

 

So the above NAT configuration basically has a Dynamic PAT from "outside" to "inside" and it also has a NAT0 configuration for all traffic from "outside" to any other destination subnet/interface though it does have a line that prevents NAT0 when the destination IP address for a connection is 10.0.0.2

 

I guess in your situation you would be fine with just a single NAT configuration in the new software. You would configure a type of Dynamic Policy PAT configuration where the Dynamic PAT translation would be performed from "outside" to "inside" only if the destination IP address is 10.0.0.2.

 

For example

 

object network SERVER
 host 10.0.0.2

nat (outside,inside) after-auto 1 source dynamic any interface destination static SERVER SERVER

 

The above configuration would match traffic coming from behind "outside" interface from "any" source address and destined to destination address "SERVER" and the source address would be translated to the "interface" IP address which in this case is the IP address of the "inside" interface. You could use a different IP address and in that case you would configure an additional "object" and configure the IP address under that object and use that object in the "nat" configuration instead of the parameter "interface".

 

Any traffic that did not match the above NAT configuration would go through the firewall (if allowed by all the other configurations) without any NAT, so you dont really require a NAT0 configuration in this case.

 

Hope I made any sense and hope it helps :)

 

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card