How to NAT source IP inbound on ASA5510 outside interface

a.middlehurst
Level 1

Hi

I have a query which is frankly stumping me at the moment.

A customer has a couple of web servers on their internal network. They need to provide access from external hosts to these servers on port 443. They have an ASA5510 which has static NAT to translate the inbound destination IP from an external address to the real internal address of the servers.  This all works fine as proved with 'capture'. I can see inbound packets being translated and squirted out the inside interface to the servers, via an internal L3 switch.

However, the ASA is NOT the default gateway of the internal L3 switch, so responses from the servers hit their default gw (the L3 switch) which for obvious reasons doesn't have a separate route for every single internet host, so the L3 switch forwards the response to its default gw which is a different firewall (not the ASA the request came in on).

So the problem is the client never sees the response from the server.

Without changing the default gw of the L3 switch, I believe the only way around this problem is to get the ASA to translate the inbound SOURCE IP address as well as the destination, so that the L3 switch can forward the responses from the server back to the ASA correctly.

However I'm unsure on how this should be configured.

Thanks in advance for any suggestions!

3 Replies

Kureli Sankar
Cisco Employee

Your idea is a good idea. You can use policy static or policy nat.

static (outside,inside) inside_address access-list change-source-ip

access-list change-source-ip permit ip host source_ip_internet host webserver_ip_public

nat (outside) access-list change-source-ip outside      <--- you need the keyword outside

global (inside) interface

-KS

Thanks!!! This policy nat helped me resolve an SSL vpn client issue.

vilaxmi
Cisco Employee

Hello,

The optimal solution would be to use the correct default gateway, but if that is not possible, you can use policy NAT like below:


If a host (160.1.1.1) on the outside world would like to access a website (192.168.1.1) on the inside using a public IP (160.1.1.2):

access-list policy extended permit tcp host 160.1.1.1 host 192.168.1.1
static (inside,outside) 160.1.1.2 access-list policy

nat (outside) access-list policy outside

global (inside) interface

The reason you need to use the outside keyword is that you are trying to use NAT for a lower-security interface.

HTH

Vijaya
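The following is an added model of the return-path problem from the question and of the fix both replies describe (translating the inbound source to the ASA's inside interface with `global (inside) interface`); it is not code from the thread or from Cisco. The client, public server and real server addresses are the ones vilaxmi used; the ASA inside-interface address (192.168.1.254) and the other firewall's address (192.168.1.253) are assumptions made for the model. It applies the ASA's inbound translations to a constructed packet and then runs the server's reply through the L3 switch's routing table to show which next hop the reply takes with and without the outside policy NAT.

```python
"""Model of the asymmetric return path described in the thread and of the fix.

Constructed example, not code from the thread or from Cisco. Addresses marked
'assumed' are invented for this model.
"""
import ipaddress
from dataclasses import dataclass, replace

INTERNET_CLIENT = "160.1.1.1"   # outside host (from vilaxmi's reply)
PUBLIC_SERVER = "160.1.1.2"     # static NAT address on the ASA (from vilaxmi's reply)
REAL_SERVER = "192.168.1.1"     # real web server (from vilaxmi's reply)
ASA_INSIDE = "192.168.1.254"    # assumed ASA inside-interface address
OTHER_FW = "192.168.1.253"      # assumed default gateway of the L3 switch

# Routing table of the internal L3 switch: its connected LAN plus a default
# route pointing at the *other* firewall, exactly as the question describes.
# A gateway of None means the prefix is directly connected.
L3_SWITCH_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), OTHER_FW),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def longest_prefix_match(routes, dst):
    """Return the next hop for dst: the gateway of the most specific matching
    route, or dst itself when that route is directly connected."""
    best = None
    for network, gateway in routes:
        if ipaddress.ip_address(dst) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def asa_inbound_translate(pkt, policy_nat_source):
    """Apply the ASA's inbound translations to an outside->inside packet.

    The static (inside,outside) entry always rewrites the destination
    (public -> real). When the outside policy NAT from the replies is in place
    ('global (inside) interface'), the source is additionally rewritten to the
    ASA's inside-interface address.
    """
    if pkt.dst != PUBLIC_SERVER:
        raise ValueError("no static translation for this destination")
    pkt = replace(pkt, dst=REAL_SERVER)
    if policy_nat_source and pkt.src == INTERNET_CLIENT:
        pkt = replace(pkt, src=ASA_INSIDE)
    return pkt


def reply_next_hop(policy_nat_source):
    """Where the L3 switch forwards the server's reply to the client's request."""
    inbound = asa_inbound_translate(Packet(INTERNET_CLIENT, PUBLIC_SERVER),
                                    policy_nat_source)
    # The server answers whatever source address it saw in the request.
    reply = Packet(src=inbound.dst, dst=inbound.src)
    return longest_prefix_match(L3_SWITCH_ROUTES, reply.dst)


def reply_returns_via_asa(policy_nat_source):
    """True when the reply lands on the ASA that owns the connection."""
    return reply_next_hop(policy_nat_source) == ASA_INSIDE


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"source policy NAT {'on ' if enabled else 'off'}: "
              f"reply next hop = {reply_next_hop(enabled)}, "
              f"returns via ASA = {reply_returns_via_asa(enabled)}")
```

Without the source translation the reply is addressed to 160.1.1.1, matches only the default route and is handed to the other firewall, which has no state for the connection; with it, the reply is addressed to the ASA's own inside interface, is directly connected from the switch's point of view, and the ASA can untranslate it. The trade-off to keep in mind is that the web servers then log every external client as the ASA's inside address, so client IPs for those connections are only recoverable from the ASA's own connection or syslog records.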
