TWO Way NAT in Cisco ASA

Unanswered Question
Apr 21st, 2010

mathew-varghese Wed, 04/21/2010 - 02:26

Hi,

Is it possible to do two-way (I mean both source and destination) NAT in a Cisco ASA firewall?

Regards

Mathew

mathew-varghese Wed, 04/21/2010 - 04:14

Thanks Halijenn for your response.

I don't see both source and destination NAT in the example that you sent. My requirement is very simple...

I have a source network (say x.x.x.x/y) which is accessing y.y.y.y/x (real IP) beyond the ASA firewall. My requirement is that both the source and destination addresses should not see each other's real addresses.

When the source packet (x.x.x.x/y) reaches the ASA firewall it should be dynamically NATed or PATed to, say, a.a.a.a/b, and at the same time y.y.y.y/x should be statically NATed to, say, c.c.c.c/d in the ASA firewall itself.

Can you please advise whether this is possible in ASA and, if so, send me a link explaining a similar example?

Thanks for all your support.

Regards

Mathew

Jennifer Halim Wed, 04/21/2010 - 04:20

OK, here is an example:

Inside interface of ASA - 10.1.1.1 (security level 100)

Outside interface of ASA - 200.1.1.1

Host on the inside with IP address 10.1.1.8 needs to be PATed to the ASA outside IP address.

The inside host is trying to reach a destination of 100.1.1.1 (real), but you would like to NAT this destination to, say, 10.1.1.20.

Here is the configuration:

nat (inside) 5 10.1.1.8 255.255.255.255
global (outside) 5 interface
static (outside,inside) 10.1.1.20 100.1.1.1 netmask 255.255.255.255

When the inside host tries to access the outside host 100.1.1.1, it should access it via its NATed IP of 10.1.1.20.

Hope that helps.

mathew-varghese Wed, 04/21/2010 - 04:33
Thanks a ton for your quick response.

In my case the scenario is just the opposite of this. There are a few users sitting on the outside of my firewall who need to access a server on the inside interface.

When a user tries to access the server's NAT IP, it should get statically translated to the server's real IP, and at the same time the source IP of the packet should get dynamically NATed to the interface IP.

Could you please advise on the possibilities for this, along with the configuration?

Regards
Mathew

Jennifer Halim Wed, 04/21/2010 - 04:57

Sure, in that case you should have the following configuration:

Assuming the server is 10.1.1.8, statically NATed to 200.1.1.8.

Outside hosts (100.1.1.1, 150.1.1.1, 170.1.1.1) need to be PATed to the inside interface IP address.

Configuration:

static (inside,outside) 200.1.1.8 10.1.1.8 netmask 255.255.255.255
access-list outside-pat permit ip host 100.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 150.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 170.1.1.1 host 200.1.1.8
nat (outside) 5 access-list outside-pat outside
global (inside) 5 interface

Or, if you would like all hosts on the outside to be PATed to the inside, you can just have the following access-list:

access-list outside-pat permit ip any host 200.1.1.8

Hope that helps.

ank.narang Tue, 08/28/2012 - 06:16

Hi All,

Just one question,

What is checked first, destination or source NAT, when both apply to a packet?

Regards

A.N

Julio Carvajal Tue, 08/28/2012 - 11:53

Hello Ank,

The destination of the traffic goes first.

Here is the lab I just made to explain it.

ciscoasa(config)# sh ip

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                4.4.4.4         255.255.255.0   manual
GigabitEthernet1         inside                 192.168.12.1    255.255.255.0   manual

ciscoasa(config)# sh run object network

object network Local
 subnet 192.168.12.0 255.255.255.0
object network Remote_real
 subnet 192.168.13.0 255.255.255.0
object network Remote_Fake
 subnet 192.168.14.0 255.255.255.0
object network Fake_lan
 subnet 10.10.10.0 255.255.255.0

show run nat

nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real

Here is the result of the test (inside-to-outside flow):

packet-tracer input inside tcp 192.168.12.2 1025 192.168.14.10 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.14.10/80 to 192.168.13.10/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.12.2/1025 to 10.10.10.2/1025

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So we can see the translation happens first on the destination of the traffic.

Now traffic from the external LAN to the inside fake LAN:

packet-tracer input outside tcp 192.168.13.20 1025 10.10.10.2 80

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.2/80 to 192.168.12.2/80

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.13.20/1025 to 192.168.14.20/1025

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So, as you can see, again the destination of the traffic gets un-translated first.

Hope this helps

Julio

Remember to rate all the helpful posts
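The order of operations Julio's packet-tracer output shows (destination un-translated first, then the source translated, then the rpf-check) and Jennifer's outside-to-inside two-way case, modelled in Python as an added example that is not from this thread or from Cisco. It parses 8.3+ twice-NAT config text and walks one initiating packet through the same three phases. Julio's lab is copied from his post; everything else is an assumption made for the example: the 8.3+ rewrite of Jennifer's pre-8.3 answer (the object names Server_real/Server_mapped and the `nat (outside,inside) source dynamic any interface destination static ...` line), the 10.1.1.1/200.1.1.1 interface addresses for that lab, the toy PAT port allocator, and the class and function names. The rpf-check here only verifies that no other rule claims the reply path; the real ASA check is more involved.

```python
"""Constructed model of ASA 8.3+ twice NAT (manual NAT) order of operations; not ASA code.
Parses `object network` blocks and `nat (real,mapped) source ... destination static ...` lines,
then walks one initiating packet through the phases packet-tracer prints: UN-NAT of the
destination (which also picks the egress interface), NAT of the source, then an rpf-check."""
import ipaddress
import re

# Julio's lab from the post above, fed in as config text.
JULIO_LAB = """
object network Local
 subnet 192.168.12.0 255.255.255.0
object network Remote_real
 subnet 192.168.13.0 255.255.255.0
object network Remote_Fake
 subnet 192.168.14.0 255.255.255.0
object network Fake_lan
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
"""
# Assumed 8.3+ rewrite of Jennifer's second (pre-8.3) answer, not from the page: outside users
# are PATed to the inside interface address while the server's mapped address is untranslated.
JENNIFER_LAB_83 = """
object network Server_real
 host 10.1.1.8
object network Server_mapped
 host 200.1.1.8
nat (outside,inside) source dynamic any interface destination static Server_mapped Server_real
"""

def parse_config(text):
    """Return the twice-NAT rules; object names resolve to ip_network values."""
    objects, rules, current = {"any": ipaddress.ip_network("0.0.0.0/0")}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"host (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif m := re.match(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                           r" destination static (\S+) (\S+)$", line):
            r_if, m_if, mode, s_real, s_map, d_map, d_real = m.groups()
            # source objects are written REAL then MAPPED; destination objects MAPPED then REAL
            rules.append(dict(real_if=r_if, mapped_if=m_if, mode=mode, src_real=objects[s_real],
                              src_mapped=None if s_map == "interface" else objects[s_map],
                              dst_mapped=objects[d_map], dst_real=objects[d_real]))
    return rules

def remap(ip, from_net, to_net):
    """Static one-to-one translation: keep the host offset, swap the network part."""
    return ipaddress.ip_address(int(to_net.network_address) + int(ip) - int(from_net.network_address))

def flipped(rule):
    """A static rule is bidirectional: the same rule as seen from its mapped interface."""
    if rule["mode"] != "static" or rule["src_mapped"] is None:
        return None  # dynamic PAT can only be initiated from the real side
    return dict(real_if=rule["mapped_if"], mapped_if=rule["real_if"], mode="static",
                src_real=rule["dst_real"], src_mapped=rule["dst_mapped"],
                dst_mapped=rule["src_mapped"], dst_real=rule["src_real"])

class Asa:
    def __init__(self, interfaces, config):
        self.ifaces = {name: ipaddress.ip_address(ip) for name, ip in interfaces.items()}
        self.rules = parse_config(config)
        self.next_pat_port = 1024  # toy port allocator for `source dynamic ... interface`

    def views(self):  # rules in configured order, each static rule followed by its reverse view
        for rule in self.rules:
            yield rule
            if (back := flipped(rule)) is not None:
                yield back

    def trace(self, ingress, src, sport, dst, dport):
        """Packet-tracer style walk of an initiating packet; None if no rule matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.views():
            if r["real_if"] != ingress or src not in r["src_real"] or dst not in r["dst_mapped"]:
                continue
            # Phase UN-NAT: the destination is untranslated first and chooses the egress interface
            real_dst = remap(dst, r["dst_mapped"], r["dst_real"])
            phases = [f"UN-NAT: divert to egress {r['mapped_if']}; "
                      f"untranslate {dst}/{dport} to {real_dst}/{dport}"]
            # Phase NAT: only now is the source translated
            if r["mode"] == "static":
                new_src, new_sport, kind = remap(src, r["src_real"], r["src_mapped"]), sport, "Static"
            else:  # PAT to the egress interface address
                new_src, new_sport, kind = self.ifaces[r["mapped_if"]], self.next_pat_port, "Dynamic"
                self.next_pat_port += 1
            phases.append(f"NAT: {kind} translate {src}/{sport} to {new_src}/{new_sport}")
            # Phase rpf-check: the reply (real_dst -> new_src on the egress interface) must be
            # claimed by this same rule (a dynamic flow's reply rides its xlate, so no rule at
            # all is fine); an earlier rule grabbing it is asymmetric NAT and a DROP
            claimant = next((v for v in self.views() if v["real_if"] == r["mapped_if"]
                             and real_dst in v["src_real"] and new_src in v["dst_mapped"]), None)
            phases.append(f"rpf-check: {'ALLOW' if claimant == flipped(r) else 'DROP'}")
            return dict(egress=r["mapped_if"], src=(str(new_src), new_sport),
                        dst=(str(real_dst), dport), phases=phases)
        return None
```

Build `Asa({"outside": "4.4.4.4", "inside": "192.168.12.1"}, JULIO_LAB)` and call `trace("inside", "192.168.12.2", 1025, "192.168.14.10", 80)`: the returned `phases` list reproduces Julio's three phases in order (untranslate 192.168.14.10 to 192.168.13.10, then translate 192.168.12.2 to 10.10.10.2, then the rpf-check), and the outside-initiated trace reproduces his second run. With `JENNIFER_LAB_83` the same call shape shows the server's mapped address untranslated before the outside user is PATed to the inside interface, and a packet initiated from the server side finds no rule, because a dynamic rule is one-way. Putting an outside-to-inside rule for the same addresses ahead of Julio's rule makes that rule claim the reply path and the model reports `rpf-check: DROP`, which is the asymmetric-NAT mistake packet-tracer flags in that phase.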
