TWO Way NAT in Cisco ASA

mathew-varghese
Level 1

Hi,

Is it possible to do two-way (I mean both source and destination) NAT in a Cisco ASA firewall?

Regards

Mathew

8 Replies

Yes, you can perform both source and destination NAT on ASA.

Check out this sample configuration on the "alternative solution: destination NAT" section:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope that helps.

Thanks Halijenn for your response.

I don't see both source and destination NAT in the example which you sent. My requirement is very simple...

I have a source network (say x.x.x.x/y) which is accessing y.y.y.y/x (real IP) beyond the ASA firewall. My requirement is that both the source and the destination should not see each other's real addresses.

When the source packet (x.x.x.x/y) reaches the ASA firewall it should be dynamically NATed or PATed to, say, a.a.a.a/b, and at the same time y.y.y.y/x should be statically NATed to, say, c.c.c.c/d in the ASA firewall itself.

Can you please advise whether this is possible in ASA, and if so, please send me a link explaining a similar example?

Thanks for all your support.

Regards

Mathew

OK, here is an example:

Inside interface of ASA - 10.1.1.1 (security level 100)

Outside interface of ASA - 200.1.1.1

Host on the inside with ip address of 10.1.1.8 needs to be PATed to the ASA outside ip address.

Inside host is trying to reach destination of 100.1.1.1 (real), but you would like to NAT this destination to say 10.1.1.20

Here is the configuration:

nat (inside) 5 10.1.1.8 255.255.255.255
global (outside) 5 interface
static (outside,inside) 10.1.1.20 100.1.1.1 netmask 255.255.255.255

When the inside host tries to access the outside host 100.1.1.1, it should access it via its NATed IP of 10.1.1.20.

Hope that helps.
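The nat/global/static lines above are pre-8.3 syntax. As an added example that is not part of the original thread or its authors' configurations, here is the same scenario in the object NAT syntax of ASA 8.3 and later; the object names INSIDE-HOST and OUTSIDE-SERVER and the packet-tracer port numbers are assumed, the addresses are the ones from the post.

```cisco
! Added example (not from the thread): ASA 8.3+ equivalent of the
! nat/global/static configuration above. Object names are assumed.
!
! Inside host 10.1.1.8 is PATed to the outside interface address.
object network INSIDE-HOST
 host 10.1.1.8
 nat (inside,outside) dynamic interface
!
! Outside server 100.1.1.1 (real) is seen by inside hosts as 10.1.1.20 (mapped).
! Object NAT takes (real_ifc,mapped_ifc), so the real side is outside and
! the mapped address lives on inside.
object network OUTSIDE-SERVER
 host 100.1.1.1
 nat (outside,inside) static 10.1.1.20
!
! Verify: the trace should first UN-NAT the destination 10.1.1.20 to
! 100.1.1.1 and then translate the source 10.1.1.8 to the outside
! interface address (ports assumed).
packet-tracer input inside tcp 10.1.1.8 1025 10.1.1.20 80
```

Two checks worth doing after applying this: the mapped address 10.1.1.20 sits inside the inside subnet, so the ASA must answer ARP for it (static object NAT proxy-ARPs on the mapped interface by default; do not add the no-proxy-arp keyword here), and on 8.3+ any access-list applied to the inside interface is matched against the real destination (100.1.1.1), not the mapped 10.1.1.20.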

Thanks a ton for your quick response.

In my case the scenario is just the opposite of this. There are a few users sitting outside my firewall who need to access a server on the inside interface.

When a user tries to access the server's NAT IP, it should get statically translated to the server's real IP, and at the same time the source IP of the packet should get dynamically NATed to the interface IP.

Could you please advise on the possibilities for this, along with the configuration?

Regards
Mathew

Sure, in that case, you should have the following configuration:

Assuming, the server is 10.1.1.8 --> statically NATed to 200.1.1.8

Outside hosts (100.1.1.1, 150.1.1.1, 170.1.1.1) need to be PATed to the inside interface IP address.

Configuration:

static (inside,outside) 200.1.1.8 10.1.1.8 netmask 255.255.255.255
access-list outside-pat permit ip host 100.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 150.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 170.1.1.1 host 200.1.1.8
nat (outside) 5 access-list outside-pat outside
global (inside) 5 interface

OR, if you would like all hosts on the outside to be PATed to the inside, you can just have the following access-list:

access-list outside-pat permit ip any host  200.1.1.8

Hope that helps.
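The static/access-list/nat/global lines above are pre-8.3 syntax as well. As an added example that is not part of the original thread, here is the same inbound scenario on ASA 8.3 and later, where the destination un-NAT and the source PAT are expressed in a single twice (manual) NAT rule; the object names, the access-list name OUTSIDE-IN and the service port 443 are assumptions, the addresses are the ones from the post.

```cisco
! Added example (not from the thread): ASA 8.3+ equivalent of the
! configuration above. Object names, ACL name and port are assumed.
!
! The server keeps its ordinary static translation for everything else
! (its own outbound connections and outside hosts not listed below).
object network SERVER-REAL
 host 10.1.1.8
 nat (inside,outside) static 200.1.1.8
!
object network SERVER-MAPPED
 host 200.1.1.8
!
object-group network OUTSIDE-USERS
 network-object host 100.1.1.1
 network-object host 150.1.1.1
 network-object host 170.1.1.1
!
! Twice NAT (section 1, evaluated before object NAT): for these users going
! to 200.1.1.8, un-NAT the destination to 10.1.1.8 and PAT the source to the
! inside interface address. Operand order matters: source is "real mapped",
! destination is "mapped real".
nat (outside,inside) source dynamic OUTSIDE-USERS interface destination static SERVER-MAPPED SERVER-REAL
!
! On 8.3+ the interface ACL matches the REAL (untranslated) destination.
access-list OUTSIDE-IN extended permit tcp object-group OUTSIDE-USERS object SERVER-REAL eq 443
access-group OUTSIDE-IN in interface outside
!
! Verify: the trace should show UN-NAT of 200.1.1.8 to 10.1.1.8 first, then
! a dynamic translation of 100.1.1.1 to the inside interface address.
packet-tracer input outside tcp 100.1.1.1 1025 200.1.1.8 443
```

To PAT every outside host rather than only the three listed, replace OUTSIDE-USERS in the nat line with any (source dynamic any interface). Note the trade-off the original poster is asking for: the server will log every one of these connections as coming from the inside interface address, so the ASA's connection build/teardown syslogs become the only place where the real outside source can be correlated with a server-side event.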

Hi All,

Just one question,

Which is checked first, destination or source NAT, when both apply to a packet?

Regards

A.N

Hello Ank,

The destination of the traffic goes first.

Here is the lab I just made to explain it.

ciscoasa(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                4.4.4.4         255.255.255.0   manual
GigabitEthernet1         inside                 192.168.12.1    255.255.255.0   manual

ciscoasa(config)# sh run object network
object network Local
 subnet 192.168.12.0 255.255.255.0
object network Remote_real
 subnet 192.168.13.0 255.255.255.0
object network Remote_Fake
 subnet 192.168.14.0 255.255.255.0
object network Fake_lan
 subnet 10.10.10.0 255.255.255.0

ciscoasa(config)# show run nat
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real

Here is the result of the test (inside-to-outside flow):

packet-tracer input inside tcp 192.168.12.2 1025 192.168.14.10 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.14.10/80 to 192.168.13.10/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.12.2/1025 to 10.10.10.2/1025

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So we can see the translation happens first for the destination of the traffic.

Now traffic from the external LAN to the inside fake LAN:

packet-tracer input outside tcp 192.168.13.20 1025 10.10.10.2 80

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.2/80 to 192.168.12.2/80

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.13.20/1025 to 192.168.14.20/1025

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So, as you can see, again the destination of the traffic gets un-translated first.

Hope this helps

Julio

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC