Destination NAT to vendor's network.

Chris M
Level 1

Hi there,


I need to add destination NAT rules to my ASA 5505-x and I just want to make sure I'm on the right track here, and perhaps get some guidance. Please excuse my ignorance, I know enough networking to get me into trouble, but this is my first foray into NAT like this. First, a little background on my scenario:


I've got a client that hosts an ERP in a data center along with their firewall. Their network is set up in a hub and spoke configuration, everything goes through the data center. There's a whole bunch of apps on servers within the network that all point to this server at 10.0.0.10. We're migrating this to a cloud-hosted location and have a site-to-site VPN set up connecting us into the network in the vendor's data center - this part is confirmed working.


What I need to do now is DNAT all the traffic on the network (from various branch locations and client VPN users that passes through the ASA at our data center) being sent to 10.0.0.10 to 10.7.75.30 (the latter is the IP address that the server is going to live at). I am then assuming that I need a NAT rule that translates traffic from 10.7.75.30 to look like it's coming from 10.0.0.10. What would these NAT rules look like? Is there any configuration that needs to be done on the vendor's side?


Any guidance is greatly appreciated. I'd also be very interested in any websites, or other documentation that may be helpful for me to get this done too.


Thanks!

1 Reply

Seb Rupik
VIP Alumni

Hi there,

On the ASA look up Twice-NAT. You need to configure the ASA such that client/vendor traffic arrives on the 'inside' interface. Create a source network object which is a summary of all incoming client/vendor subnets. The NAT rule should match that source network object and for the destination NAT element of the rule it should specify the original and translated host network objects.

You will need to direct the vendor device in the DC to send traffic destined to the 10.0.0.10 IP to the 'inside' interface of your ASA. If possible you may be able to advertise the 10.0.0.10/32 via an IGP to the vendor equipment to eliminate the need to configure their equipment. The traffic would be NAT'd on ingress to the 'inside' interface and egress via 'dmz' with a translated destination address. The ASA config would look something like:

!
! summary of every client / vendor subnet that may still address the old server IP
object network client_subnets
  subnet 10.0.0.0 255.255.0.0
!
! address the clients still send to (mapped)
object network host_x_original
  host 10.0.0.10
!
! address the server now lives at (real), reached via 'dmz'
object network host_x_translated
  host 10.7.75.30
!
! twice-NAT: source is PAT'd to the dmz interface address; the destination clause
! follows the ASA syntax "destination static <mapped> <real>", so 10.0.0.10 becomes 10.7.75.30
nat (inside,dmz) source dynamic client_subnets interface destination static host_x_original host_x_translated
!
int eth1/1
 nameif inside
!
int eth1/2
 nameif dmz
!

cheers,

Seb.
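To make the twice-NAT behaviour above concrete, here is an added Python model (not Cisco code and not part of the reply) that parses the object and nat lines from the answer, refuses a rule that references an undefined object, and then walks one TCP flow through the ASA in both directions. The dmz interface address 192.0.2.1, the client address 10.0.3.25 and the sequential PAT port allocation are constructed assumptions; a real ASA picks mapped ports itself. The point it shows is that the single rule is stateful: the reply from 10.7.75.30 is matched against the xlate entry and returned to the client with 10.0.0.10 as its source, so no second "reverse" NAT rule is required.

```python
"""Model of an ASA twice-NAT rule (added example, not ASA code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the config in the reply above.
ASA_CONFIG = """\
object network client_subnets
  subnet 10.0.0.0 255.255.0.0
object network host_x_original
  host 10.0.0.10
object network host_x_translated
  host 10.7.75.30
nat (inside,dmz) source dynamic client_subnets interface destination static host_x_original host_x_translated
"""

# Assumed address of the 'dmz' nameif; "source dynamic ... interface" PATs to it.
DMZ_INTERFACE_IP = ipaddress.ip_address("192.0.2.1")

NAT_RE = re.compile(
    r"nat \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) source dynamic (?P<src>\S+) interface "
    r"destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)$"
)


@dataclass
class TwiceNat:
    real_ifc: str
    mapped_ifc: str
    src: ipaddress.IPv4Network          # client summary object
    dst_mapped: ipaddress.IPv4Network   # address clients still send to (10.0.0.10)
    dst_real: ipaddress.IPv4Network     # where the server now lives (10.7.75.30)
    next_port: int = 1024               # simplified PAT port allocator
    xlate: dict = field(default_factory=dict)  # (mapped_src, port, real_dst) -> original tuple


def parse_objects(cfg):
    """Collect 'object network' definitions as IPv4Network values."""
    objects, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("subnet ") and current:
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        else:
            current = None
    return objects


def load_rule(cfg):
    """Parse the nat line and verify every referenced object exists (catches name typos)."""
    objects = parse_objects(cfg)
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        missing = [g[k] for k in ("src", "dst_mapped", "dst_real") if g[k] not in objects]
        if missing:
            raise ValueError(f"NAT rule references undefined object(s): {missing}")
        return TwiceNat(g["real_ifc"], g["mapped_ifc"], objects[g["src"]],
                        objects[g["dst_mapped"]], objects[g["dst_real"]])
    raise ValueError("no twice-NAT rule found")


def forward(rule, src_ip, src_port, dst_ip):
    """Packet entering 'inside'; return (src, port, dst) as sent out of 'dmz', or None if unmatched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in rule.src or dst not in rule.dst_mapped:
        return None
    mapped_port, rule.next_port = rule.next_port, rule.next_port + 1
    real_dst = rule.dst_real.network_address
    rule.xlate[(DMZ_INTERFACE_IP, mapped_port, real_dst)] = (src, src_port, dst)
    return (str(DMZ_INTERFACE_IP), mapped_port, str(real_dst))


def reverse(rule, src_ip, dst_ip, dst_port):
    """Reply entering 'dmz'; undo both translations from the xlate, or None if no state exists."""
    key = (ipaddress.ip_address(dst_ip), dst_port, ipaddress.ip_address(src_ip))
    entry = rule.xlate.get(key)
    if entry is None:
        return None
    orig_src, orig_port, orig_dst = entry
    # Client sees the reply coming from 10.0.0.10, the address it originally sent to.
    return (str(orig_dst), str(orig_src), orig_port)


if __name__ == "__main__":
    r = load_rule(ASA_CONFIG)
    out = forward(r, "10.0.3.25", 50000, "10.0.0.10")
    print("inside -> dmz:", out)
    print("dmz -> inside:", reverse(r, "10.7.75.30", out[0], out[1]))
```

Running it stand-alone prints the outbound packet rewritten to 192.0.2.1:1024 -> 10.7.75.30 and the reply translated back to 10.0.0.10 -> 10.0.3.25:50000. Feeding it the original snippet with the mismatched object name raises the "undefined object" error, which is the same check the ASA performs when the nat line is entered.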
