Solved: Re: NAT based on Source IP

Rahil · ‎08-25-2022

Hello Dears

I need support for complex NAT scenarios

we have an IP tow external IPs(192.168.10.10 and 192.168.11.10) using S2S VPN want to access tow servers behind our Firepower(10.1.1.1 and 10.2.2.2) .

What I need is share with external vendor only (172.31.1.1) as NAT IP between source and Destination IP

When Source is 192.168.10.10 and Destination 172.31.1.1 then translate Destination (172.31.1.1) to 10.1.1.1

When Source is 192.168.11.10 And Destination 172.31.1.1 then translate Destination(172.31.1.1) to 10.2.2.2

Note: in my scenario I can Only use 1 NAT IP (172.31.1.1) and 10.1.1.1 + 10.2.2.2 are behind my firewall while 192.168.10.10 and 192.168.11.10 are behind external vendor firewall

Appreciate your support

Regards

Rob Ingram · ‎08-25-2022

@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.

object network SRC-1
host 192.168.10.10
object network SRC-2
host 192.168.10.11
object network REAL-DEST-1
host 172.31.1.1
object network TRANSLATED-DEST-1
host 10.1.1.1
object network TRANSLATED-DEST-1
host 10.2.2.2

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2

Obviously, change the nameif if inside and outside differ in your environment.

View solution in original post

balaji.bandi · ‎08-25-2022

Either you need to allocate another IP example 172.31.1.2 if you looking 1 to 1 NAT with all ports.

if you looking PAT, then you can specifically bind the ports.

by the what FW ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rahil · ‎08-25-2022

Hi Bajalan

In My scenario its not possible to use another Public IP nor using PAT

our external vendor forces us to use HTTPS on the 172.31.1.1

if src=192.168.10.10, Dest=172.31.1.1:443 then translate Dest to 10.1.1.1

if src=192.168.11.10, Dest=172.31.1.1:443 then translate Dest to 10.2.2.2

Rob Ingram · ‎08-25-2022

@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.

object network SRC-1
host 192.168.10.10
object network SRC-2
host 192.168.10.11
object network REAL-DEST-1
host 172.31.1.1
object network TRANSLATED-DEST-1
host 10.1.1.1
object network TRANSLATED-DEST-1
host 10.2.2.2

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2

Obviously, change the nameif if inside and outside differ in your environment.

Rahil · ‎08-25-2022

Thanks Rob, I tried the same but with no success.

MHM Cisco World · ‎08-25-2022

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1

same as @Rob Ingram but change the order of Interface it must be
NAT (INSIDE,OUTSIDE)
try change the order and share the result

Rahil · ‎08-25-2022

Hello @MHM

I tried with both interfaces Any Any

(any) to (any) source static IP192.168.10.10 IP192.168.10.10 destination static IP172.31.1.1 IP10.1.1.1

MHM Cisco World · ‎08-25-2022

NO any any
you need
NAT (outside,inside) <<- as @Rob Ingram mention since this external IP.

also be careful from the nameif you use, i.e. if you use IN instead of inside then you will use IN not inside

Rob Ingram · ‎08-25-2022

@MHM Cisco World the 192.168.10.10 and 192.168.11.10 IP addresses are external, hence source as outside. With "servers behind our Firepower(10.1.1.1 and 10.2.2.2)" hence inside interface .

@Rahil run packet-tracer from the CLI to simulate the traffic flow and provide the output for review. Provide the output of "show nat detail". Don't write NAT rules with nat (any,any) as the interfaces, you should identify the src and dst interfaces and write the rules accordingly.

balaji.bandi · ‎08-25-2022

if src=192.168.10.10, Dest=172.31.1.1:443 then translate Dest to 10.1.1.1

if src=192.168.11.10, Dest=172.31.1.1:443 then translate Dest to 10.2.2.2

I do not believe that works, you need to change any one of the port from 443 to 8443 (you can not bind 2 Service to same IP to translate that is limitation)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rahil · ‎08-25-2022

Hello Rob

Yes you are right, both 192.168.10.10.and 192..168.11.10 are from external vendor.

(ISP_Korek) to (UAT-APP) source static 192.168.10.10 192.168.10.10 destination static 172.31.1.1 10.1.1.1

translate_hits = 0, untranslate_hits = 0

Source - Origin: 192.168.10.10/32, Translated: 192.168.10.10/32

Destination - Origin: 172.31.1.1/32, Translated: 10.1.1.1/32

MHM Cisco World · ‎08-25-2022

see below comment

MHM Cisco World · ‎08-26-2022

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Hi Again
I check the the NAT can do before and after encryption as show in example above.
but still there is some thing

there are one OUT interface and two Peer
are you config dynamic crypto ?
or you config different Crypto MAP Seq for each Peer ?

wait your answer