Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
5
Helpful
12
Replies

NAT based on Source IP

Go to solution
Rahil
Beginner
Beginner

‎08-25-2022 02:25 AM

Hello Dears

 I need support for complex NAT scenarios

we have an IP tow external IPs(192.168.10.10 and 192.168.11.10) using S2S VPN want to access tow servers behind our Firepower(10.1.1.1 and 10.2.2.2) .

What I need is share with external vendor only  (172.31.1.1) as NAT IP between source and Destination IP

When Source is 192.168.10.10 and Destination 172.31.1.1 then translate Destination (172.31.1.1) to 10.1.1.1

When Source is 192.168.11.10 And Destination 172.31.1.1 then translate Destination(172.31.1.1) to 10.2.2.2 

 

Note: in my scenario I can Only use 1 NAT IP (172.31.1.1) and 10.1.1.1 + 10.2.2.2 are behind my firewall while 192.168.10.10 and 192.168.11.10 are behind external vendor firewall

Appreciate your support

Regards

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master
In response to Rahil

‎08-25-2022 02:39 AM

@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.

object network SRC-1
host 192.168.10.10
object network SRC-2
host 192.168.10.11
object network REAL-DEST-1
host 172.31.1.1
object network TRANSLATED-DEST-1
host 10.1.1.1
object network TRANSLATED-DEST-1
host 10.2.2.2

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2

Obviously, change the nameif if inside and outside differ in your environment.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

‎08-25-2022 02:29 AM

Either you need to allocate another IP example 172.31.1.2 if you looking 1 to 1 NAT with all ports.

if you looking PAT, then you can specifically bind the ports.

by the what FW ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Rahil
Beginner
Beginner
In response to balaji.bandi

‎08-25-2022 02:37 AM

Hi Bajalan

In My scenario its not possible to use another Public IP nor using PAT

our external vendor forces us to use HTTPS on the 172.31.1.1

if src=192.168.10.10, Dest=172.31.1.1:443  then translate Dest to 10.1.1.1

if src=192.168.11.10, Dest=172.31.1.1:443  then translate Dest to 10.2.2.2

0 Helpful

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master
In response to Rahil

‎08-25-2022 02:39 AM

@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.

object network SRC-1
host 192.168.10.10
object network SRC-2
host 192.168.10.11
object network REAL-DEST-1
host 172.31.1.1
object network TRANSLATED-DEST-1
host 10.1.1.1
object network TRANSLATED-DEST-1
host 10.2.2.2

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2

Obviously, change the nameif if inside and outside differ in your environment.

0 Helpful

Go to solution
Rahil
Beginner
Beginner
In response to Rob Ingram

‎08-25-2022 04:44 AM

Thanks Rob, I tried the same but with no success.

0 Helpful

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to Rahil

‎08-25-2022 05:40 AM 

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1

same as @Rob Ingram  but change the order of Interface it must be 
NAT (INSIDE,OUTSIDE) 
try change the order and share the result  

0 Helpful

Go to solution
Rahil
Beginner
Beginner
In response to MHM Cisco World

‎08-25-2022 05:47 AM

Hello @MHM

 

I tried with both interfaces Any Any

(any) to (any) source static  IP192.168.10.10 IP192.168.10.10 destination static IP172.31.1.1   IP10.1.1.1
0 Helpful

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to Rahil

‎08-25-2022 05:58 AM - edited ‎08-25-2022 05:59 AM

NO any any 
you need 
NAT (outside,inside) <<- as @Rob Ingram  mention since this external IP.

also be careful from the nameif you use, i.e. if you use IN instead of inside then you will use IN not inside

0 Helpful

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master
In response to MHM Cisco World

‎08-25-2022 05:56 AM

@MHM Cisco World the 192.168.10.10 and 192.168.11.10 IP addresses are external, hence source as outside. With "servers behind our Firepower(10.1.1.1 and 10.2.2.2)" hence inside interface .

@Rahil run packet-tracer from the CLI to simulate the traffic flow and provide the output for review. Provide the output of "show nat detail". Don't write NAT rules with nat (any,any) as the interfaces, you should identify the src and dst interfaces and write the rules accordingly.

Go to solution
balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to Rahil

‎08-25-2022 11:30 AM

if src=192.168.10.10, Dest=172.31.1.1:443  then translate Dest to 10.1.1.1

if src=192.168.11.10, Dest=172.31.1.1:443  then translate Dest to 10.2.2.2

 

I do not believe that works, you need to change any one of the port from 443 to 8443 (you can not bind 2 Service to same IP to translate that is limitation)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Rahil
Beginner
Beginner

‎08-25-2022 06:34 AM

Hello Rob

Yes you are right, both 192.168.10.10.and 192..168.11.10 are from external vendor.

(ISP_Korek) to (UAT-APP) source static 192.168.10.10  192.168.10.10   destination static 172.31.1.1 10.1.1.1
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.10.10/32, Translated: 192.168.10.10/32
Destination - Origin: 172.31.1.1/32, Translated: 10.1.1.1/32
0 Helpful

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to Rahil

‎08-25-2022 06:49 AM - edited ‎08-26-2022 11:54 AM

see below comment 

0 Helpful

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎08-26-2022 12:02 PM