nat internet traffic to inside interface IP address

lkadlik (Level 1)

Is it possible to NAT traffic coming from a particular IP block to the IP address of the inside interface it egresses?

Ex. Say my source address block is 65.55.43.0/24 > 40.54.67.8 (this is the public IP address that NATs to 10.10.10.4).

 

In this example the 10.10.10.4 address is the IP address that is ultimately my destination. The gateway (inside interface IP) for this server is 10.10.10.1.

When my traffic egresses the inside interface going to the 10.10.10.4 address, I want it to appear to 10.10.10.4 as if its source is 10.10.101.

 

Can I do this on a multi-context ASA running ASA version 9.8 / ASDM 7.9?

 

This would need to work for any address on the 10.10.10.0/24 block.

 

I also need the same thing to work when traffic from 65.55.43.0/24 is going to anything on, say, 172.16.5.0/24.

1 Reply

Francesco Molino (VIP Alumni)

Hi

 

What works for 10.10.10.4 will also work for 172.16.5.0/24; the difference will maybe be the public IP used on the ASA. I don't know your actual config and can't assume anything here, but let me show you a way to achieve what you want, focusing on 10.10.10.4.

 

Just to recap: you want everything coming from 65.55.43.0/24 to public IP 40.54.67.8 to go to 10.10.10.4, but with the source IP translated into the 10.10.101.0/24 subnet. Am I right?

 

! Real inside server and the public IP it is reachable on
object network IN-HOST
 host 10.10.10.4
object network IFCE
 host 40.54.67.8
! Real outside source block and the inside-side subnet it is mapped to (one-to-one, /24 to /24)
object network SRC-IP
 subnet 65.55.43.0 255.255.255.0
object network NAT-SRC-IP
 subnet 10.10.101.0 255.255.255.0
!
! Twice NAT, written from the inside: IN-HOST is seen as IFCE on the outside,
! and the outside block SRC-IP is seen as NAT-SRC-IP on the inside.
! From the outside this reads as: 65.55.43.x -> 40.54.67.8 becomes 10.10.101.x -> 10.10.10.4
nat (inside,outside) source static IN-HOST IFCE destination static NAT-SRC-IP SRC-IP no-proxy-arp

 

From an outside router:

outside#sh ip int brie | ex una
Interface IP-Address OK? Method Status Protocol
Loopback0 65.55.43.1 YES manual up up

 

outside#ping 40.54.67.8 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.54.67.8, timeout is 2 seconds:
Packet sent with a source address of 65.55.43.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
outside#
*Feb 10 18:25:33.720: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.722: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.724: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.725: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.726: ICMP: echo reply rcvd, src 40.54.67.8, dst 65.55.43.1, topology BASE, dscp 0 topoid 0
outside#

 

On the inside router:

 

inside#
*Feb 10 18:25:33.719: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.722: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.723: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.724: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0
*Feb 10 18:25:33.725: ICMP: echo reply sent, src 10.10.10.4, dst 10.10.101.1, topology BASE, dscp 0 topoid 0

 

 

As you can see, the source is NATed into the 10.10.101.0/24 subnet (65.55.43.1 becomes 10.10.101.1, because a static /24-to-/24 translation maps host to host).

Is that what you wanted?

 

I assume you already have an ACL on the outside to allow traffic from 65.55.43.0/24 to reach your 10.10.10.4 machine.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
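The reply above reads the requested source as the 10.10.101.0/24 subnet and builds a one-to-one static twice NAT. If the intent was instead the inside interface address itself (10.10.10.1, the gateway named in the question), the mapped source must be a dynamic PAT to that interface, because many outside hosts would share a single inside address. The following is an added example written for this page; it is not from the thread, and it has not been verified on the poster's device. The object and ACL names are arbitrary, and the identity destination for 172.16.5.0/24 (no public IP in front of it) is an assumption about a network the question does not describe.

```cisco
! Added example, not from the original thread. Object and ACL names are assumed.
object network SRC-IP
 subnet 65.55.43.0 255.255.255.0
object network IN-HOST
 host 10.10.10.4
object network IFCE
 host 40.54.67.8
!
! Outside -> inside: the destination 40.54.67.8 is un-NATed to 10.10.10.4 and the
! source 65.55.43.x is PATed to the inside interface IP (10.10.10.1).
! In "nat (outside,inside)" the keyword "interface" means the mapped interface,
! i.e. the inside interface, so no separate object is needed for 10.10.10.1.
nat (outside,inside) source dynamic SRC-IP interface destination static IFCE IN-HOST
!
! Same treatment for 172.16.5.0/24. Assumption: that network is reached without a
! public NAT, so the destination side is an identity translation.
object network NET-172
 subnet 172.16.5.0 255.255.255.0
nat (outside,inside) source dynamic SRC-IP interface destination static NET-172 NET-172
!
! The translation does not permit anything by itself. Since 8.3 the inbound ACL
! matches on the real (untranslated) destination, so it references the real objects.
access-list OUTSIDE_IN extended permit ip object SRC-IP object IN-HOST
access-list OUTSIDE_IN extended permit ip object SRC-IP object NET-172
access-group OUTSIDE_IN in interface outside
!
! Checks: the NAT phase of packet-tracer should show source 10.10.10.1 and
! destination 10.10.10.4; show xlate should list a PAT entry after real traffic.
packet-tracer input outside icmp 65.55.43.1 8 0 40.54.67.8 detailed
show xlate
show nat detail
```

Because the ASA owns 10.10.10.1, return packets from 10.10.10.4 come straight back to it and are un-PATed via the xlate, so nothing on the server side has to route to 65.55.43.0/24. The trade-off against the static mapping in the reply is that server logs no longer distinguish individual outside hosts; the ASA's own connection logs (or the xlate table) become the only place that correlation exists.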