06-18-2009 12:17 PM - edited 03-11-2019 08:45 AM
Hello Gurus,
I have a problem with NAT. I need to do a static NAT first and then afterwards do a dynamic PAT. Is this possible on ASA?
On my inside network I have IP 192.168.16.0/24, there are users behind this network (192.168.19.0/24) which only know about 192.168.16.0/24. And I have a DMZ which users on 192.168.19.0/24 should reach. I can do this with a static mapping on the FW. But the problem is that all IPs that access the DMZ must present themselves as the IP on the FW interface. So is this possible?
First static NAT, then dynamic NAT?
Please help
06-18-2009 12:23 PM
It's not clear what you are trying to do. Could you give a clear example based on source IP address, destination IP address and what you want to NAT.
Jon
06-18-2009 12:32 PM
192.168.19.0/24 --- ( ROUTER1 ) --- 192.168.16.0/24 --- ( FW ) --- 192.168.20.0/24 --- ( ROUTER2 ) --- 192.168.21.0/24
The users on 192.168.19.0/24 need to access servers on 192.168.21.0/24; the only network 192.168.21.0/24 knows of is 192.168.20.0/24. So therefore all connections must come from the FW interface (192.168.20.1). Here we can use dynamic NAT for the 192.168.16.0/24 network. But the problem is that 192.168.19.0/24 doesn't know of 192.168.20.0/24 and 192.168.21.0/24. So we must do a static NAT on the 192.168.16.0/24 network, e.g. 192.168.16.100 static mapped to 192.168.21.100. So what I'm asking is whether this is possible: first do static NAT and then do a dynamic NAT afterwards to accomplish this. PS: I cannot NAT on Router1 and Router2.
06-18-2009 12:56 PM
Vidar
static (outside,inside) 192.168.16.100 192.168.21.100
will allow the clients on 192.168.19.0/24 to connect to 192.168.16.100 which will then be translated to 192.168.21.100. Obviously 192.168.16.100 cannot be assigned to any device on the 192.168.16.0/24 network.
The PAT you know how to do :-)
Jon
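The two translations discussed in this thread, written out together as an added example (not part of any poster's reply). It assumes the pre-8.3 ASA NAT syntax used in the reply above and the interface names `inside` and `outside` from that command; the next-hop placeholders and the test host 192.168.19.10 are constructed for illustration.

```text
! Destination translation (from the reply above): clients connect to
! 192.168.16.100 on the inside, the ASA forwards to the real server
! 192.168.21.100 on the outside. The ASA answers ARP for 192.168.16.100
! on the inside segment, so no real host may use that address.
static (outside,inside) 192.168.16.100 192.168.21.100 netmask 255.255.255.255

! Source translation: hide the 192.168.19.0/24 clients behind the
! outside interface address (192.168.20.1) using dynamic PAT.
nat (inside) 1 192.168.19.0 255.255.255.0
global (outside) 1 interface

! Routing on the ASA for the two networks behind the routers.
! <ROUTER1_IP> and <ROUTER2_IP> are placeholders; the thread does not
! give the routers' addresses.
route inside 192.168.19.0 255.255.255.0 <ROUTER1_IP>
route outside 192.168.21.0 255.255.255.0 <ROUTER2_IP>

! Verification: trace a constructed client flow and inspect the
! resulting translations. The trace should show the destination
! un-translated to 192.168.21.100 and the source PATed to 192.168.20.1.
packet-tracer input inside tcp 192.168.19.10 1025 192.168.16.100 80
show xlate
show conn
```

Only the addresses that have a static entry are reachable from 192.168.19.0/24, so each server that is published this way is an explicit decision rather than a side effect of routing.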