02-09-2019 10:54 AM - edited 03-03-2019 08:59 AM
Is it possible to NAT traffic coming from a particular IP block to the IP address of the inside interface it egresses?
Ex. Say my source address block was 65.55.43.0/24 > 40.54.67.8 (this is the public IP address that NATs to 10.10.10.4).
In this example the 10.10.10.4 address is the IP address that ultimately is my destination. The gateway (inside interface IP) for this server is 10.10.10.1.
When my traffic egresses the inside interface going to the 10.10.10.4 address, I want it to appear as if its source is 10.10.101 to the 10.10.10.4 address.
Can I do this on a context ASA running ASA version 9.8 / ASDM 7.9?
This would need to work for any address on the 10.10.10.0/24 block.
I also need the same thing to work when traffic from 65.55.43.0/24 is going to anything on, say, 172.16.5.0/24.
02-10-2019 10:26 AM
Hi
What will work for 10.10.10.4 will also work for 172.16.5.0/24; the only difference may be the public IP used on the ASA. I don't know your actual config and can't assume anything here, but let me show you a way to achieve what you want, focusing on 10.10.10.4.
Just to recap: you want everything coming from 65.55.43.0/24 to public IP 40.54.67.8 to go to 10.10.10.4, but with the source IP translated into the 10.10.101.0/24 subnet. Am I right?
object network IN-HOST
 description Real inside server (real source of the twice-NAT rule)
 host 10.10.10.4
object network NAT-SRC-IP
 description How the 65.55.43.0/24 clients appear to inside hosts (mapped destination, 1:1)
 subnet 10.10.101.0 255.255.255.0
object network SRC-IP
 description Real outside client block (real destination)
 subnet 65.55.43.0 255.255.255.0
object network IFCE
 description Public IP the server is reachable on (mapped source)
 host 40.54.67.8
!
! Twice NAT, read from the inside (real) interface:
!   source static <real> <mapped>  destination static <mapped> <real>
nat (inside,outside) source static IN-HOST IFCE destination static NAT-SRC-IP SRC-IP no-proxy-arp
From an outside router:
outside#sh ip int brie | ex una
Interface IP-Address OK? Method Status Protocol
Loopback0 65.55.43.1 YES manual up up
outside#ping 40.54.67.8 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.54.67.8, timeout is 2 seconds:
Packet sent with a source address of 65.55.43.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
outside#
*Feb 10 18:25:33.720: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.722: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.724: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.725: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.726: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
outside#
On the inside router:
inside#
*Feb 10 18:25:33.719: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.722: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.723: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.724: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.725: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
As you can see, the source is NATted onto the 10.10.101.0/24 subnet.
Is that what you wanted?
I assume you already have an ACL on the outside to allow traffic from 65.55.43.0/24 to reach your 10.10.10.4 machine.
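The following is an added example, not code from the post above, that models what the twice-NAT rule in the answer does to a packet in each direction, so the ordering of the `source static <real> <mapped> destination static <mapped> <real>` keywords can be checked against the debug output. Static NAT between two equal-sized objects is a 1:1 mapping that keeps the host offset, which is why 65.55.43.1 shows up as 10.10.101.1 on the inside router. The example also generalizes to the 172.16.5.0/24 case the question raises; the public block 40.54.68.0/24 used for that rule is a constructed placeholder, not something from the thread. Two practical points the model encodes: on ASA 8.3 and later, interface ACLs are evaluated against real (untranslated) addresses, so the outside ACL has to permit 65.55.43.0/24 to 10.10.10.4, not to 40.54.67.8; and because the server only ever sees 10.10.101.x, its own logs will not contain the real client address, so the ASA's translation records are the only place that mapping survives.

```python
"""Model of an ASA twice-NAT rule (added example, not the ASA's code or the post's config).

Rule modelled, read from the 'inside' (real) interface:
  nat (inside,outside) source static IN-HOST IFCE destination static NAT-SRC-IP SRC-IP
  real source IN-HOST (10.10.10.4) is seen on 'outside' as IFCE (40.54.67.8);
  the real outside block SRC-IP (65.55.43.0/24) is seen by inside hosts as NAT-SRC-IP (10.10.101.0/24).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNatRule:
    # nat (inside,outside) source static <real_src> <mapped_src>
    #                      destination static <mapped_dst> <real_dst>
    real_src: str
    mapped_src: str
    mapped_dst: str
    real_dst: str


def _static_map(addr: str, from_net: str, to_net: str) -> Optional[str]:
    """1:1 static translation: keep the host offset inside the network.
    Returns None when addr is not in from_net (the rule does not match)."""
    a = ipaddress.ip_address(addr)
    f = ipaddress.ip_network(from_net)
    t = ipaddress.ip_network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("static NAT between objects of different size is not 1:1")
    if a not in f:
        return None
    return str(t.network_address + (int(a) - int(f.network_address)))


def outside_to_inside(pkt: Packet, rule: TwiceNatRule) -> Optional[Packet]:
    """Packet arriving on 'outside': src must be in real_dst, dst must be mapped_src.
    Source becomes the mapped_dst view, destination becomes the real server."""
    new_src = _static_map(pkt.src, rule.real_dst, rule.mapped_dst)
    new_dst = _static_map(pkt.dst, rule.mapped_src, rule.real_src)
    if new_src is None or new_dst is None:
        return None  # this rule does not apply to the packet
    return Packet(new_src, new_dst)


def inside_to_outside(pkt: Packet, rule: TwiceNatRule) -> Optional[Packet]:
    """Reply from 'inside': src must be real_src, dst must be in mapped_dst (10.10.101.x).
    The ASA undoes both translations so the reply reaches the real client."""
    new_src = _static_map(pkt.src, rule.real_src, rule.mapped_src)
    new_dst = _static_map(pkt.dst, rule.mapped_dst, rule.real_dst)
    if new_src is None or new_dst is None:
        return None
    return Packet(new_src, new_dst)


def outside_acl_permits(pkt: Packet, rule: TwiceNatRule,
                        permitted_src: str, permitted_real_dst: str) -> bool:
    """ASA 8.3+ evaluates interface ACLs on real addresses: the outside ACL must
    permit 65.55.43.0/24 -> 10.10.10.4 (the real server), not -> 40.54.67.8."""
    translated = outside_to_inside(pkt, rule)
    if translated is None:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(permitted_src)
            and ipaddress.ip_address(translated.dst) in ipaddress.ip_network(permitted_real_dst))


# The rule from the answer above.
RULE_10 = TwiceNatRule(real_src="10.10.10.4/32", mapped_src="40.54.67.8/32",
                       mapped_dst="10.10.101.0/24", real_dst="65.55.43.0/24")

# Same technique for the 172.16.5.0/24 block. The public /24 is a constructed
# placeholder; a 1:1 static mapping needs a mapped block the same size as the real one.
RULE_172 = TwiceNatRule(real_src="172.16.5.0/24", mapped_src="40.54.68.0/24",
                        mapped_dst="10.10.101.0/24", real_dst="65.55.43.0/24")

if __name__ == "__main__":
    echo = Packet("65.55.43.1", "40.54.67.8")  # constructed: the ping from the outside router
    inside_view = outside_to_inside(echo, RULE_10)
    print("inside sees:", inside_view)
    reply = Packet(inside_view.dst, inside_view.src)
    print("outside sees reply:", inside_to_outside(reply, RULE_10))
    print("unrelated source:", outside_to_inside(Packet("8.8.8.8", "40.54.67.8"), RULE_10))
```

Running the block reproduces the lab: the echo request from 65.55.43.1 arrives at the server as 10.10.101.1 to 10.10.10.4, and the reply is rewritten back to 40.54.67.8 to 65.55.43.1 on the outside. A source outside 65.55.43.0/24 does not match the rule at all, which is the behaviour you want from a static twice-NAT entry; the server does still need to route 10.10.101.0/24 via its gateway 10.10.10.1 (the ASA inside interface), which a default route already covers.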