03-16-2010 12:09 AM - edited 03-04-2019 07:49 AM
Hi,
I have an internal network 192.168.1.x. I have an ASA having the public IP range 50.50.50.0/24.
My requirement is, whenever internal host 192.168.1.1 wants to talk to external server network 200.200.200.0/24, the source address should be translated to 50.50.50.1.
I have done two things and it is working fine as per my requirement.
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 200.200.200.0 255.255.255.0
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-B
Now I have three questions:
1. Will this NAT be two-sided? I mean, if the 200.200.200.0/24 subnet wants to reach 50.50.50.1, then what happens? Will any source or destination address translation occur in this case?
2. If traffic is coming from the outside 200.200.200.0 network, will the internal switch send the traffic to the ASA, or to the destination IP as 200.200.200.0?
3. Does this policy only work if traffic is initiated from the inside network?
03-16-2010 12:38 AM
Hi,
1. Will this NAT be two-sided? I mean, if the 200.200.200.0/24 subnet wants to reach 50.50.50.1, then what happens? Will any source or destination address translation occur in this case?
NAT will work on both sides. If the traffic is coming from your inside interface 192.168.x.x, then based on your NAT it will be converted into that specific public IP address, and vice versa.
2. If traffic is coming from the outside 200.200.200.0 network, will the internal switch send the traffic to the ASA, or to the destination IP as 200.200.200.0?
That depends upon your routing. You have to configure a default route towards the internet, so that internet traffic will reach the firewall and then the traffic will move towards the internet.
3. Does this policy only work if traffic is initiated from the inside network?
No. Since you have applied this ACL to NAT, it will work on both sides. If you had applied this ACL on the inside interface, then it would work only on inside.
Regards
Karuppu
03-16-2010 01:01 AM
Thanks man. As you said, it will work on both sides. But the ACL is planned from 192.168.1.1 to 200.200.200.0/24.
How will the ACL match if traffic is coming from outside to inside? This is the only reason I am confused. Please help.
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 200.200.200.0 255.255.255.0
ASA(config)# static (inside,outside) 50.50.50.1 access-list POLICYNAT-B
03-16-2010 01:16 AM
Hi,
For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.
For more information, have a look at the URL below:
http://cisco.biz/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079137
Regards
Karuppu
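To make the two-directional matching concrete, here is an added Python model of how the thread's ACL is read in each direction. It is not ASA code and not from this thread; the addresses are the ones from the question, the matching rules are a simplified model of the behaviour quoted above, and the `translate` function name is mine.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's policy static NAT entry:
#   access-list POLICYNAT-B permit ip host 192.168.1.1 200.200.200.0 255.255.255.0
#   static (inside,outside) 50.50.50.1 access-list POLICYNAT-B
# Simplified model of ASA behaviour for illustration, not ASA code.
POLICY = {
    "real": ip_address("192.168.1.1"),          # ACL source ("host" = real address)
    "remote": ip_network("200.200.200.0/24"),   # ACL destination (remote hosts)
    "mapped": ip_address("50.50.50.1"),         # static mapped (public) address
}


def translate(src, dst, direction, policy=POLICY):
    """Return (new_src, new_dst, matched) for one packet.

    direction is "outbound" (inside -> outside) or "inbound" (outside -> inside).
    Outbound: the ACL is read as real source + remote destination; on a match
    the source is rewritten to the mapped address.
    Inbound: the same ACL is read in reverse: the remote host must be an ACL
    destination and the packet must be addressed to the mapped address; on a
    match the destination is rewritten back to the real address.
    Packets that do not match are returned untouched (matched=False), so a
    remote host outside the ACL cannot reach 192.168.1.1 through this entry.
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "outbound":
        if src == policy["real"] and dst in policy["remote"]:
            return str(policy["mapped"]), str(dst), True
    elif direction == "inbound":
        if src in policy["remote"] and dst == policy["mapped"]:
            return str(src), str(policy["real"]), True
    else:
        raise ValueError("direction must be 'outbound' or 'inbound'")
    return str(src), str(dst), False   # no translation applied


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    for pkt in [("192.168.1.1", "200.200.200.5", "outbound"),
                ("200.200.200.5", "50.50.50.1", "inbound"),
                ("198.51.100.9", "50.50.50.1", "inbound"),
                ("192.168.1.1", "203.0.113.7", "outbound")]:
        print(pkt, "->", translate(*pkt))
```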
03-16-2010 02:28 AM
You mean, if traffic is initiated from the remote network to the internal client network, NAT will automatically use the reverse ACL?
03-16-2010 02:29 AM
Yes..
03-16-2010 02:33 AM
Thanks man for your fast response. You are a real champ.
03-16-2010 02:36 AM
Thanks a lot for your comments, Rupesh.
If you find the post helpful, just give a rating to it. This will be helpful to others while they are going through this post.
Regards
Karuppu