NAT based on Source IP

Rahil

Hello dears,

I need support for a complex NAT scenario.

We have two external IPs (192.168.10.10 and 192.168.11.10) coming in over a S2S VPN that want to access two servers behind our Firepower (10.1.1.1 and 10.2.2.2).

What I need is to share only one NAT IP (172.31.1.1) with the external vendor, and to translate between source and destination IP as follows:

When the source is 192.168.10.10 and the destination is 172.31.1.1, then translate the destination (172.31.1.1) to 10.1.1.1.

When the source is 192.168.11.10 and the destination is 172.31.1.1, then translate the destination (172.31.1.1) to 10.2.2.2.

Note: in my scenario I can only use one NAT IP (172.31.1.1); 10.1.1.1 and 10.2.2.2 are behind my firewall, while 192.168.10.10 and 192.168.11.10 are behind the external vendor's firewall.

I appreciate your support.

Regards

Accepted Solution

Rob Ingram

@Rahil you don't say which device, but assuming ASA try the following. If you are using FTD, then the same logic can be applied.

! Vendor hosts (real source addresses arriving over the VPN)
object network SRC-1
 host 192.168.10.10
object network SRC-2
 host 192.168.11.10
! The single address the vendor is allowed to see
object network REAL-DEST-1
 host 172.31.1.1
! The real servers behind the firewall
object network TRANSLATED-DEST-1
 host 10.1.1.1
object network TRANSLATED-DEST-2
 host 10.2.2.2

! Manual (twice) NAT: the source is matched but left unchanged (identity), and the
! destination 172.31.1.1 is translated to a different server depending on the source.
nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
nat (outside,inside) source static SRC-2 SRC-2 destination static REAL-DEST-1 TRANSLATED-DEST-2

Obviously, change the nameif if inside and outside differ in your environment.


12 Replies

balaji.bandi

Either you need to allocate another IP, for example 172.31.1.2, if you are looking for 1-to-1 NAT with all ports,

or, if you are looking for PAT, then you can specifically bind the ports.

By the way, what FW?

 

BB


Hi Balaji,

In my scenario it is not possible to use another public IP, nor to use PAT.

Our external vendor forces us to use HTTPS on 172.31.1.1:

if src=192.168.10.10, dst=172.31.1.1:443, then translate dst to 10.1.1.1

if src=192.168.11.10, dst=172.31.1.1:443, then translate dst to 10.2.2.2


Thanks Rob, I tried the same but with no success.

nat (outside,inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1

Same as @Rob Ingram, but change the order of the interfaces; it must be
NAT (INSIDE,OUTSIDE).
Try changing the order and share the result.

Hello @MHM

I tried with both interfaces as any/any:

(any) to (any) source static IP192.168.10.10 IP192.168.10.10 destination static IP172.31.1.1 IP10.1.1.1

No any/any.
You need
NAT (outside,inside) <<- as @Rob Ingram mentioned, since this is an external IP.

Also be careful with the nameif you use, i.e. if you use IN instead of inside, then you will use IN, not inside.

@MHM Cisco World the 192.168.10.10 and 192.168.11.10 IP addresses are external, hence the source interface is outside. With "servers behind our Firepower (10.1.1.1 and 10.2.2.2)", the destination interface is inside.

@Rahil run packet-tracer from the CLI to simulate the traffic flow and provide the output for review. Also provide the output of "show nat detail". Don't write NAT rules with nat (any,any) as the interfaces; you should identify the source and destination interfaces and write the rules accordingly.
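The checks Rob asks for, written out as an added example (not part of the original thread). It assumes the object names and the two nat statements from the accepted solution above, nameifs outside and inside, and that the vendor's tunnel terminates on outside. The source port 12345, the ACL names VENDOR-VPN and OUTSIDE-IN, and the expected-output comments are assumptions for the illustration, not output captured from a device.

```text
! --- Added verification walkthrough (assumes the accepted solution's objects/nat rules) ---

! 1. Simulate the two vendor flows entering on outside, as they would after decryption.
!    Source port 12345 is arbitrary; 443 is the port the vendor insists on.
packet-tracer input outside tcp 192.168.10.10 12345 172.31.1.1 443 detailed
! Expect a NAT phase that lists the SRC-1 rule, destination 172.31.1.1 -> 10.1.1.1,
! output-interface: inside, Action: allow

packet-tracer input outside tcp 192.168.11.10 12345 172.31.1.1 443 detailed
! Expect the SRC-2 rule, destination 172.31.1.1 -> 10.2.2.2, output-interface: inside

! 2. Both rules are section 1 (manual) NAT and are evaluated top-down; make sure
!    no earlier rule, in particular a leftover (any,any) rule, matches first.
show nat detail
! Expect, per rule, e.g.:
!   (outside) to (inside) source static SRC-1 SRC-1 destination static REAL-DEST-1 TRANSLATED-DEST-1
!       translate_hits = N, untranslate_hits = M
! translate_hits counts the forward direction (first-listed interface to second,
! i.e. vendor -> server); untranslate_hits counts the server -> vendor replies.
! If both stay at 0 with live vendor traffic, the packets never reached NAT:
! check the crypto ACL, any vpn-filter, and the inbound ACL on outside.

! 3. ASA applies NAT before encryption, so the VPN proxy identities (crypto ACL)
!    must use the NAT'd address 172.31.1.1, not the real server addresses.
!    The vendor's mirror ACL is then 192.168.x.10 <-> 172.31.1.1. (Assumed ACL name.)
access-list VENDOR-VPN extended permit ip host 172.31.1.1 host 192.168.10.10
access-list VENDOR-VPN extended permit ip host 172.31.1.1 host 192.168.11.10

! 4. Interface access lists, by contrast, are evaluated against the real (untranslated)
!    destination, so the inbound ACL on outside permits 10.1.1.1/10.2.2.2, not 172.31.1.1,
!    and is scoped to the one vendor host that is allowed to reach each server.
access-list OUTSIDE-IN extended permit tcp host 192.168.10.10 host 10.1.1.1 eq 443
access-list OUTSIDE-IN extended permit tcp host 192.168.11.10 host 10.2.2.2 eq 443
access-group OUTSIDE-IN in interface outside
```

The per-source scoping in step 4 matters for more than connectivity: with a single shared NAT address, only the NAT rule separates the two vendor hosts, so the interface ACL should independently enforce that 192.168.10.10 cannot reach 10.2.2.2 and vice versa, rather than permitting both vendor hosts to both servers.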

balaji.bandi

"if src=192.168.10.10, dst=172.31.1.1:443, then translate dst to 10.1.1.1

if src=192.168.11.10, dst=172.31.1.1:443, then translate dst to 10.2.2.2"

I do not believe that works; you need to change one of the ports from 443 to 8443 (you cannot bind two services to the same IP for translation, that is a limitation).

BB


Rahil

Hello Rob,

Yes, you are right, both 192.168.10.10 and 192.168.11.10 are from the external vendor.

(ISP_Korek) to (UAT-APP) source static 192.168.10.10 192.168.10.10 destination static 172.31.1.1 10.1.1.1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.10.10/32, Translated: 192.168.10.10/32
    Destination - Origin: 172.31.1.1/32, Translated: 10.1.1.1/32

See the comment below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Hi again,
I checked that NAT can be done before and after encryption, as shown in the example above,
but there is still something:

there is one OUT interface and two peers.
Are you configuring a dynamic crypto map,
or do you configure a different crypto map sequence for each peer?

Waiting for your answer.
