double nat on ASA

vidarellingsen · ‎06-18-2009

Hello Gurus,

I have a problem with NAT. I need to do a statick NAT first and then afterwords do a Dynamic PAT. Is this possible on ASA.

On my inside network I have IP 192.168.16.0/24, there are users behind this network (192.168.19.0/24) which only knows about 192.168.16.0/24. And I have a DMZ which users on 192.168.19.0/24 should reach. I can do this with a statick mapping on the fw. But the problem is that all IP's that access the DMZ must present themselves as the IP on the FW interface. So is this possible?

First Static NAT then Dynamic NAT ?

Please help

Jon Marshall · ‎06-18-2009

It's not clear what you are trying to do. Could you give a clear example based on source IP address, destination IP address and what you want to NAT.

Jon

vidarellingsen · ‎06-18-2009

192.168.19.0/24 --- ( ROUTER1 ) --- 192.168.16.0/24 --- ( FW ) --- 192.168.20.0/24 --- ( ROUTER2 ) --- 192.168.21.0/24

The users on 192.168.19.0/24 needs to access servers on 192.168.21.0/24, the only network 192.168.21.0/24 know of is

192.168.20.0/24. So therefore all connections must come from FW interface (192.168.20.1). Here we can use Dynamic NAT

for 192.168.16.0/24 network. But the problem is that 192.168.19.0/24 doesnt know of 192.168.20.0/24 and

192.168.21.0/24. So we must do a static nat on 192.168.16.0/24 network. Eg. 192.168.16.100 static mapped to

192.168.21.100. So what Im asking for is this possible, first do static nat and then do a dynamic nat after to

accomplish this. PS: I cannot nat on Router1 and Router2

Jon Marshall · ‎06-18-2009

Vidar

static (outside,inside) 192.168.16.100 192.168.21.100

will allow the clients on 192.168.19.0/24 to connect to 192.168.16.100 which will then be translated to 192.168.21.100. Obviously 192.168.16.100 cannot be assigned to any device on the 192.168.16.0/24 network.

The PAT you know how to do :-)

Jon