09-11-2013 04:43 PM - edited 03-07-2019 03:25 PM
Hi,
I have a customer who has a Linux firewall with iptables and would like to migrate it to an ASA5505.
The problem is a non-typical DNAT that is running in PREROUTING.
This DNAT changes the destination IP according to the source network and port of the packets.
These packets come to the server from a VPN in IPsec, and the moment they arrive the firewall changes them; after that they go to the routing tables.
I need to change the IP at the PREROUTING moment because the original destination IP is an IP on the firewall and we need the packet to go to a server in a LAN.
I hope the following diagram explains it better:
        VPN IPsec                                     LAN
VPN <-------------> FW Linux IP:192.168.5.20 <-------------> Server IP:192.168.10.20

Original packet         Change at FW
192.168.5.20:1234       192.168.5.20:1234 to 192.168.10.20:1234
The question is: is it possible to replicate it on an ASA5505? If the answer is yes, can you help me?
Best regards,
Santiago Hoyos.
09-11-2013 11:37 PM
From my understanding, the answer is yes.
Suppose the ASA interface connected to the VPN is named outside and the ASA interface connected to the LAN is named inside; then the NAT command for the ASA would be like this:
object network vpn-client
 host 192.168.5.20
object network lan-server
 host 192.168.10.20
nat (inside,outside) source static lan-server vpn-client destination static any any
09-12-2013 04:09 AM
Hi, OK. Now the real problem is that we have 2 VPNs with different networks, IP and server.
In this case, how do I set up the inside and outside interfaces? It's not an easy configuration that I found on the Linux firewall.
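An added example, not part of the thread: the PREROUTING DNAT described in the first post (destination rewritten according to source network and port), extended to the two-VPN case from the last reply, written as a generator for `iptables-restore` input on the Linux side. The addresses 192.168.5.20 and 192.168.10.20 and port 1234 come from the diagram; the VPN source networks, the TCP protocol and the second server 192.168.10.21 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. FW_IP, port 1234 and 192.168.10.20 are
# the thread's values; the VPN networks and second server are constructed.
FW_IP=192.168.5.20

# One mapping per line: <source net> <proto> <dest port> <new destination IP>
MAPPINGS='10.8.1.0/24 tcp 1234 192.168.10.20
10.8.2.0/24 tcp 1234 192.168.10.21'

valid_ip() {  # dotted quad with every octet in 0-255
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_net() {  # address/prefix with prefix in 0-32
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ip "${1%/*}" || return 1
    p=${1#*/}
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ]
}

# Print one PREROUTING rule; fail instead of emitting a malformed one.
dnat_rule() {  # args: src_net proto dport new_dst
    valid_net "$1" && valid_ip "$4" || return 1
    case $2 in tcp|udp) ;; *) return 1 ;; esac
    case $3 in ''|*[!0-9]*) return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || return 1
    printf '%s\n' "-A PREROUTING -s $1 -d $FW_IP -p $2 -m $2 --dport $3 -j DNAT --to-destination $4:$3"
}

# Emit a nat table in iptables-restore format, one DNAT rule per mapping.
build_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo "$MAPPINGS" | while read -r net proto port dst; do
        dnat_rule "$net" "$proto" "$port" "$dst" || exit 1
    done || return 1
    echo 'COMMIT'
}

build_ruleset
```

Piping the output to `iptables-restore --test` on the Linux firewall checks the ruleset without committing it.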