08-25-2022 02:25 AM
Hello Dears
I need support for a complex NAT scenario.
We have two external IPs (192.168.10.10 and 192.168.11.10) using a S2S VPN that want to access two servers behind our Firepower (10.1.1.1 and 10.2.2.2).
What I need is to share only one IP (172.31.1.1) with the external vendor as the NAT IP between the source and destination IPs:
When the source is 192.168.10.10 and the destination is 172.31.1.1, then translate the destination (172.31.1.1) to 10.1.1.1.
When the source is 192.168.11.10 and the destination is 172.31.1.1, then translate the destination (172.31.1.1) to 10.2.2.2.
Note: in my scenario I can only use 1 NAT IP (172.31.1.1); 10.1.1.1 and 10.2.2.2 are behind my firewall, while 192.168.10.10 and 192.168.11.10 are behind the external vendor's firewall.
Appreciate your support
Regards
08-25-2022 02:39 AM
@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.
object network SRC-1
 host 192.168.10.10
object network SRC-2
 host 192.168.11.10
object network REAL-DEST-1
 host 172.31.1.1
object network TRANSLATED-DEST-1
 host 10.1.1.1
object network TRANSLATED-DEST-2
 host 10.2.2.2
nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2
Obviously, change the nameif if inside and outside differ in your environment.
08-25-2022 02:29 AM
Either you need to allocate another IP, for example 172.31.1.2, if you are looking for 1-to-1 NAT with all ports,
or, if you are looking for PAT, then you can specifically bind the ports.
By the way, what FW?
08-25-2022 02:37 AM
Hi Bajalan
In my scenario it's not possible to use another public IP, nor to use PAT.
Our external vendor forces us to use HTTPS on 172.31.1.1:
if src=192.168.10.10, Dest=172.31.1.1:443 then translate Dest to 10.1.1.1
if src=192.168.11.10, Dest=172.31.1.1:443 then translate Dest to 10.2.2.2
08-25-2022 04:44 AM
Thanks Rob, I tried the same but with no success.
08-25-2022 05:40 AM
nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
Same as @Rob Ingram, but change the order of the interfaces; it must be
nat (inside,outside)
Try changing the order and share the result.
08-25-2022 05:47 AM
Hello @MHM
I tried with both interfaces as any any.
08-25-2022 05:58 AM - edited 08-25-2022 05:59 AM
No, not any any.
You need
nat (outside,inside) <<- as @Rob Ingram mentioned, since this is an external IP.
Also be careful with the nameif you use, i.e. if you use IN instead of inside then you must write IN, not inside.
08-25-2022 05:56 AM
@MHM Cisco World the 192.168.10.10 and 192.168.11.10 IP addresses are external, hence the source is outside. With "servers behind our Firepower (10.1.1.1 and 10.2.2.2)", hence the inside interface.
@Rahil run packet-tracer from the CLI to simulate the traffic flow and provide the output for review. Provide the output of "show nat detail". Don't write NAT rules with nat (any,any) as the interfaces, you should identify the src and dst interfaces and write the rules accordingly.
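A small Python model of how the manual (twice) NAT rules posted above are matched, added here as an example and not code from the thread or from Cisco; it assumes the object names and nameifs from Rob's post (with SRC-2 as 192.168.11.10, as in the question) and uses constructed packets, so it only complements, not replaces, packet-tracer on the real device.

```python
# Added example (not from the thread or from Cisco): a minimal model of how an
# ASA/FTD matches manual (twice) NAT rules like the ones posted above, so the
# interface pair and the source-conditional destination rewrite can be reasoned
# about before running packet-tracer on the real box.
# Object names and nameifs follow Rob's post; the test packets are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

OBJECTS = {  # 'object network X' / 'host A.B.C.D'
    "SRC-1": "192.168.10.10",
    "SRC-2": "192.168.11.10",
    "REAL-DEST-1": "172.31.1.1",       # the single address the vendor is given
    "TRANSLATED-DEST-1": "10.1.1.1",   # real servers behind the firewall
    "TRANSLATED-DEST-2": "10.2.2.2",
}

@dataclass(frozen=True)
class NatRule:
    """nat (src_if,dst_if) source static S S destination static D_MATCH D_REWRITE

    For traffic arriving on src_if and leaving via dst_if, the source is
    identity-translated and a destination equal to D_MATCH is rewritten to
    D_REWRITE (in ASA terms the first destination object is the mapped address,
    the second the real one). A nameif of "any" matches every interface, which
    the thread advises against because it hides the direction of the rule."""
    src_if: str
    dst_if: str
    source: str
    dest_match: str
    dest_rewrite: str

RULES = [
    NatRule("outside", "inside", "SRC-1", "REAL-DEST-1", "TRANSLATED-DEST-1"),
    NatRule("outside", "inside", "SRC-2", "REAL-DEST-1", "TRANSLATED-DEST-2"),
]

def _if_match(rule_if: str, actual_if: str) -> bool:
    return rule_if == "any" or rule_if == actual_if

def translate(ingress_if: str, egress_if: str, src_ip: str, dst_ip: str,
              rules=RULES) -> Optional[Tuple[int, str, str]]:
    """Return (rule index, source, rewritten destination) for the first matching
    rule; manual NAT is ordered, so first match wins. None means none of these
    rules matched (a real ASA would then fall through to later NAT sections)."""
    for i, r in enumerate(rules):
        if not (_if_match(r.src_if, ingress_if) and _if_match(r.dst_if, egress_if)):
            continue
        if src_ip != OBJECTS[r.source] or dst_ip != OBJECTS[r.dest_match]:
            continue
        return i, src_ip, OBJECTS[r.dest_rewrite]
    return None
```

Swapping the pair to (inside,outside) makes both rules miss for traffic entering on outside, which is the behaviour the thread converges on; an (any,any) rule matches regardless of direction, which is why it is discouraged.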
08-25-2022 11:30 AM
if src=192.168.10.10, Dest=172.31.1.1:443 then translate Dest to 10.1.1.1
if src=192.168.11.10, Dest=172.31.1.1:443 then translate Dest to 10.2.2.2
I do not believe that works; you need to change one of the ports from 443 to 8443 (you cannot bind 2 services to the same IP to translate, that is a limitation).
08-25-2022 06:34 AM
Hello Rob
Yes, you are right, both 192.168.10.10 and 192.168.11.10 are from the external vendor.
08-25-2022 06:49 AM - edited 08-26-2022 11:54 AM
see below comment
08-26-2022 12:02 PM