Source PAT for incoming traffic in ASA

Unanswered Question
Mar 8th, 2009
User Badges:

Hi Experts,


One of my connectivity project i am working on requires traffic flowing through the ASA to reach the server sitting behind the ASA. However, the source of the traffic has IP address in the Private IP ranges. As our organization also uses similar IP address range for internal connectivity, i have to do many to one translation of the sources.


Appreciate if I could get insight on how to achieve this in ASA.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Sun, 03/08/2009 - 07:29
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Source addresses = 172.16.5.0/24


nat (outside) 1 172.16.5.0 255.255.255.0 outside

global (inside) 1 interface


Note you can choose any IP address to NAT the source addresses to but from within your network it must be routed to the inside interface of the ASA. So instead of


global (inside) 1 interface


you could use


global (inside) 1 192.168.5.10



your internal network devices would then have to route 192.168.5.10 back to the inside interface of the ASA.


Jon

cannan.ilangova... Mon, 03/09/2009 - 00:04
User Badges:

Hi Jon,


thanks for your reply to this thread...that cleared my doubt too...


is it also possible to use policy based NAT in this scenario... say i have three different subnets as source


source1 = 10.0.0.0/8

source2 = 172.16.0.0/16

source3 = 172.28.0.0/16


destination = 192.168.1.254


NAT IP = 192.168.1.50


i create an object group in ASA


object-group network InBoundAccess

network 10.0.0.0 255.0.0.0

network 172.16.0.0 255.255.0.0

network 172.28.0.0 255.255.0.0


i then apply a policy like this


access-list inboundaccess extended permit ip object-group InBoundAccess host 192.168.1.254


i use this policy to do the NAT like this..


nat (outside) 1 access-list inboundaccess

global (inside) 1 192.168.1.50 netmask 255.255.255.255


i add appropriate routes for 192.168.1.50 in my internal network devices...


will this help?

Actions

This Discussion