cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco ASA 5500 static Destination NAT version 8.3 and above

14721
Views
3
Helpful
1
Comments

Cisco ASA 5500 static Destination NAT version 8.3 +

This document will explain the configuration for Destination NAT, required in some environment where the organization cannot use the destination IP inside the network.

In this configuration we will take three different subnet IP’s for explanation.

Inside user:                            192.168.0.10

Destination Server:                 172.16.1.100

NAT IP:                                     10.1.1.100

The user Bob (192.168.0.10) wants to connect to one of server which is outside campus network with ip 172.16.1.100, but he cannot connect because the subnet 172.16.x.x /24 is already been used inside the campus and network administrator cannot advertise this Server IP inside. For this reason network administrator asks Bob to use the ip 10.1.1.100 which is translated on the Cisco ASA to the Real IP address of Server (i.e 172.16.1.100).

Configuration:

Create object for Real Server IP and nat to the IP which will be used inside to access this server (Destination NAT)

Object network SERVER-IP-172.16.1.100

                host 172.16.1.100

                nat (outside,inside) static 10.1.1.100

Create object for inside IP nated to original Server IP.

Object network NATED-IP-10.1.1.100

                host 10.1.1.100

                nat (inside,outside) static 172.16.1.100

Create object for original source ip if one want to nat the Source IP

Object network USER-IP-192.168.0.10

                host 192.168.0.10

                nat (inside,outside) static (interface / Static IP / Dynamic IP)

Comments

so for Destination static nat to work should i create both these object-groups or will Object network SERVER-IP-172.16.1.100 do ?

Object network SERVER-IP-172.16.1.100

host 172.16.1.100

nat (outside,inside) static 10.1.1.100

Create object for inside IP nated to original Server IP.

Object network NATED-IP-10.1.1.100

host 10.1.1.100

nat (inside,outside) static 172.16.1.100

"Object network  NATED-IP-10.1.1.100" this one seems to be confusing which kind of translates to static(i,o)172.16.1.00 10.1.1.100 and makes no sense.

Create
Recognize Your Peers
Content for Community-Ad