Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2004
Views
5
Helpful
2
Replies

How to configure Policy NAT on ASA

yang yang
Level 1
Level 1

‎03-08-2018 02:24 AM - edited ‎03-05-2019 10:03 AM

HI all

    I have a nat problem on ASA. the structure is simple. nat inside source device to outside interface IP ( nat (inside, outside) source dynamic obj_192.166.168.9 interface) the reason use dynamic nat is because their is other devices need to access the internet as well. but I do know how to nat the destination IP when traffic starts from outside. please check the topology on attach. I have tried:

( nat (outside,outside) source static any any dest obj_30.30.30.10 obj_192.166.168.9 server dest_port_9443 dest_port_21

nat (outside,outside) source sta any obj_30.30.30.10 dest obj_30.30.30.10 obj_192.166.168.9 server dest_port_9443 dest_port_21

nat (outside,inside) source sta any obj_30.30.30.10 dest obj_30.30.30.10 obj_192.166.168.9 server dest_port_9443 dest_port_21

nat (outside,inside) source static any any dest obj_30.30.30.10 obj_192.166.168.9 server dest_port_9443 dest_port_21)

they all are not working. I know this requires policy nat but I have some trouble to apply policy on ASA 9.4. can anyone help on this?

 

Labels:
Preview file
18 KB
0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎03-08-2018 04:53 AM

Hello,

 

I am not clear on what you are asking: 192.166.168.9 is your inside address, and 30.30.30.10 your outside address ? Try the below:

 

ASA(config)# object network FTP_NAT
ASA(config-network-object)# host 192.166.168.9
ASA(config-network-object)# nat (inside,outside) static 30.30.30.10 service tcp ftp ftp

yang yang
Level 1
Level 1
In response to Georg Pauwen

‎03-08-2018 07:40 PM

Hi Georg

  Thanks for your reply. previously I was thinking use dynamic nat from inside to outside(since another internal server is using that public IP address). Then apply another static or dynamic nat from outside to inside. but looks like when the user from outside to inside sending the package the traffic will catch by the first nat and will not fall down to the second nat. that is why I want to do two-way policy nat. this makes thing complicated and hard to solve even hit a limitation of the ASA interface cannot be reached by its own other connected interface subnet device.

   This morning when I wake up I have clear my idea. and you are right. that is the way. just do the static nat for a specific port from inside to outside will help in this situation. thank you.

all the best

yangyang

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card