ASA 5510 NAT question

Answered Question
Jul 12th, 2007

Is it possible to NAT the destination address through an ASA 5510? I am coming from two different NICs on the same PC that have different IPs that go through different interfaces on the firewall, but go to the same destination address. I want to control which NIC is chosen by the different apps. If the destination was the same I can't control by static route which NIC to get to the destination, so I want to know if I can NAT the destination so that the traffic will look like it is going to a different destination address, then get translated at the firewall.

The reason is that I have different ports that I am connecting to on the destination end and need to keep that intact.

Example:

One PC has two addresses on two different NICs: 192.168.8.8 and 192.168.9.9.

Both go through different firewall interfaces on the same firewall, but both have the same destination of 192.168.1.10.

I am already NATing both of my internal addresses so they appear at the destination as 192.168.1.8 and 192.168.1.9.

Can I also NAT the destination on the inside of the 192.168.8.8, so it looks like it is going to 192.168.1.50, but gets translated back to 192.168.1.10 on the outside of the firewall?

Correct Answer by acomiskey about 9 years 5 months ago

This is an example of destination NAT. This should translate requests on the inside interface for 192.168.1.50 to 192.168.1.10 on the outside interface.

static (outside,inside) 192.168.1.50 192.168.1.10 netmask 255.255.255.255

This is also commonly used for inside to dmz scenarios where inside clients want to hit a webserver on the dmz with its public address.

static (dmz,inside) netmask 255.255.255.255

Please rate helpful posts.
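A small Python model of what the `static (outside,inside)` line above does to a request and its reply, added here as an illustration; it is not part of acomiskey's answer and not Cisco code. It parses the `static (real_if,mapped_if) mapped_ip real_ip` form used in the thread. The second rule (a guess at the poster's existing source NAT) and the `inside2` interface name are assumptions.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst")  # iface = interface the packet arrives on
Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip")

# Host static as written in the thread:
#   static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
STATIC_RE = re.compile(
    r"static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+255\.255\.255\.255$")

def parse_static(line):
    """Parse one host static; reject lines with the addresses missing."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a complete host static: {line!r}")
    return Static(*m.groups())

def translate(rules, pkt):
    """Return (src, dst) as the packet leaves the firewall.

    Simplified model: matches on arrival interface and address only,
    and ignores routing, ACLs and ports.
    """
    src, dst = pkt.src, pkt.dst
    for r in rules:
        if pkt.iface == r.mapped_if and pkt.dst == r.mapped_ip:
            dst = r.real_ip    # toward the real host: destination rewritten
        if pkt.iface == r.real_if and pkt.src == r.real_ip:
            src = r.mapped_ip  # from the real host: source rewritten
    return src, dst

RULES = [
    parse_static("static (outside,inside) 192.168.1.50 192.168.1.10 netmask 255.255.255.255"),
    # Assumed form of the poster's existing source NAT (not shown in the thread).
    parse_static("static (inside,outside) 192.168.1.8 192.168.8.8 netmask 255.255.255.255"),
]

if __name__ == "__main__":
    flows = {  # constructed sample packets
        "request, NIC 1": Packet("inside", "192.168.8.8", "192.168.1.50"),
        "reply to NIC 1": Packet("outside", "192.168.1.10", "192.168.1.8"),
        "request, NIC 2": Packet("inside2", "192.168.9.9", "192.168.1.10"),
    }
    for name, pkt in flows.items():
        print(f"{name}: {pkt.src} -> {pkt.dst}  becomes  %s -> %s" % translate(RULES, pkt))
```

The reply case shows why the one static is enough in both directions: the PC sees the answer coming from 192.168.1.50, the address it originally sent to.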
