Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1187
Views
0
Helpful
4
Replies

8.2 Destination NAT Configuration

Go to solution
bunjiega
Level 1
Level 1

‎02-17-2014 02:04 PM - edited ‎03-07-2019 06:15 PM

I cannot figure out how to NAT the destination field in the IP Packet. I have tried a few different things.

We have a server that needs to connect over a VPN to an IP that we currently have in-use. I have chosen the 192.168.13.x /24 network to use for NAT on the ASA.   (I would advertise the remote server as 192.168.13.10)

Untitled.png

10.1.40.10 needs to connect to 172.16.0.100 over the VPN and retain the source IP but change the destination ip from 192.168.13.10 to 172.16.0.100 once it passes through the ASA.

I figure some kind of policy-NAT that could translate the destination?

This is my guess but I know it is not right... It seems like this would change the source

access-list PNAT ex permit ip host 10.1.40.10 host 192.168.13.10

static (inside,outside) 172.16.0.100 access-list PNAT

Thank You!!

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-17-2014 02:29 PM

Jeremy

Do you need policy NAT as the only time you go to that IP is down the VPN ? 

Can you try this -

static (outside, inside) 192.168.13.10 172.16.0.100 netmask 255.255.255.255

if you need policy NAT just create an acl for the specific traffic and tie it to the NAT statement.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-17-2014 02:29 PM

Jeremy

Do you need policy NAT as the only time you go to that IP is down the VPN ? 

Can you try this -

static (outside, inside) 192.168.13.10 172.16.0.100 netmask 255.255.255.255

if you need policy NAT just create an acl for the specific traffic and tie it to the NAT statement.

Jon

0 Helpful

Go to solution
bunjiega
Level 1
Level 1
In response to Jon Marshall

‎02-17-2014 03:11 PM

Hi John,

I thought policy NAT becuse I only wanted to  NAT that particulat flow. I didn't want to possibly break other VPN's that use this server, or break its other NAT configurations.

I just GNS3'd this up and I think it worked. I just am not sure how to write the ACL for the policy NAT.

I tried:

access-list PNAT extended permit ip host 172.16.0.100 host 10.1.40.10

static (OUT,IN) 192.168.13.10 access-list PNAT

This didn't work like I was hoping.

I'm not use to seing the outside come first: (outside,inside).

Thank You!

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to bunjiega

‎02-17-2014 03:24 PM

Jeremy

To be honest i have only ever done this type of NAT from inside to outside so you may have to play around with the acl although i can't say for sure it will work as i have never tested it.

I only asked about whether you needed to use an acl because it is not the source IP you are translating but only the destination IP so the only time you ever go to that address from the inside is via the VPN.

Jon

0 Helpful

Go to solution
bunjiega
Level 1
Level 1

‎02-21-2014 03:59 PM

This did seem to work. I couldn't figure out how to add an ACL to make it more of a policy-nat.

I ended up asking the admin on the remote side to configure policy-NAT on his ASA and after he did that I didn't have to worry about doing NAT on my end.

Thanks!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card