Source PAT for incoming traffic in ASA

Unanswered Question
Mar 8th, 2009

Hi Experts,

One of my connectivity project i am working on requires traffic flowing through the ASA to reach the server sitting behind the ASA. However, the source of the traffic has IP address in the Private IP ranges. As our organization also uses similar IP address range for internal connectivity, i have to do many to one translation of the sources.

Appreciate if I could get insight on how to achieve this in ASA.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Sun, 03/08/2009 - 07:29

Source addresses = 172.16.5.0/24

nat (outside) 1 172.16.5.0 255.255.255.0 outside

global (inside) 1 interface

Note you can choose any IP address to NAT the source addresses to but from within your network it must be routed to the inside interface of the ASA. So instead of

global (inside) 1 interface

you could use

global (inside) 1 192.168.5.10

your internal network devices would then have to route 192.168.5.10 back to the inside interface of the ASA.

Jon

cannan.ilangova... Mon, 03/09/2009 - 00:04

Hi Jon,

thanks for your reply to this thread...that cleared my doubt too...

is it also possible to use policy based NAT in this scenario... say i have three different subnets as source

source1 = 10.0.0.0/8

source2 = 172.16.0.0/16

source3 = 172.28.0.0/16

destination = 192.168.1.254

NAT IP = 192.168.1.50

i create an object group in ASA

object-group network InBoundAccess

network 10.0.0.0 255.0.0.0

network 172.16.0.0 255.255.0.0

network 172.28.0.0 255.255.0.0

i then apply a policy like this

access-list inboundaccess extended permit ip object-group InBoundAccess host 192.168.1.254

i use this policy to do the NAT like this..

nat (outside) 1 access-list inboundaccess

global (inside) 1 192.168.1.50 netmask 255.255.255.255

i add appropriate routes for 192.168.1.50 in my internal network devices...

will this help?

Actions

This Discussion