04-21-2010 02:23 AM - edited 03-11-2019 10:35 AM
Hi,
Is it possible to do two-way (I mean both source and destination) NAT in a Cisco ASA firewall?
Regards
Mathew
04-21-2010 02:53 AM
Yes, you can perform both source and destination NAT on ASA.
Check out this sample configuration on the "alternative solution: destination NAT" section:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Hope that helps.
04-21-2010 04:14 AM
Thanks Halijenn for your response.
I don't see both source and destination NAT in the example which you sent. My requirement is very simple...
I have a source network (say x.x.x.x/y) which is accessing y.y.y.y/x (real IP) beyond the ASA firewall. My requirement is that the source and destination should not see each other's real addresses.
When the source packet (x.x.x.x/y) reaches the ASA firewall it should be dynamically NATed or PATed to, say, a.a.a.a/b, and at the same time y.y.y.y/x should be statically NATed to, say, c.c.c.c/d in the ASA firewall itself.
Can you please advise whether this is possible in ASA and, if so, send me a link explaining a similar example?
Thanks for all your support.
Regards
Mathew
04-21-2010 04:20 AM
OK, here is an example:
Inside interface of ASA - 10.1.1.1 (security level 100)
Outside interface of ASA - 200.1.1.1
Host on the inside with ip address of 10.1.1.8 needs to be PATed to the ASA outside ip address.
Inside host is trying to reach destination of 100.1.1.1 (real), but you would like to NAT this destination to say 10.1.1.20
Here is the configuration:
nat (inside) 5 10.1.1.8 255.255.255.255
global (outside) 5 interface
static (outside,inside) 10.1.1.20 100.1.1.1 netmask 255.255.255.255
When the inside host tries to access the outside host 100.1.1.1, it should access it via its NATed IP of 10.1.1.20.
Hope that helps.
04-21-2010 04:57 AM
Sure, in that case, you should have the following configuration:
Assuming, the server is 10.1.1.8 --> statically NATed to 200.1.1.8
Outside hosts (100.1.1.1, 150.1.1.1, 170.1.1.1) need to be PATed to the inside interface IP address.
Configuration:
static (inside,outside) 200.1.1.8 10.1.1.8 netmask 255.255.255.255
access-list outside-pat permit ip host 100.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 150.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 170.1.1.1 host 200.1.1.8
nat (outside) 5 access-list outside-pat outside
global (inside) 5 interface
OR, if you would like all hosts on the outside to be PATed to the inside, you can just have the following access-list:
access-list outside-pat permit ip any host 200.1.1.8
Hope that helps.
08-28-2012 06:16 AM
Hi All,
Just one question,
What will be checked first, destination or source NAT? At which point will both be applied to the packet?
Regards
A.N
08-28-2012 11:53 AM
Hello Ank,
the destination of the traffic goes first
Here is the lab I just made to explain it.
ciscoasa(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0 outside 4.4.4.4 255.255.255.0 manual
GigabitEthernet1 inside 192.168.12.1 255.255.255.0 manual
ciscoasa(config)# sh run object network
object network Local
subnet 192.168.12.0 255.255.255.0
object network Remote_real
subnet 192.168.13.0 255.255.255.0
object network Remote_Fake
subnet 192.168.14.0 255.255.255.0
object network Fake_lan
subnet 10.10.10.0 255.255.255.0
show run nat
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Here is the result of the test ( Inside- to outside flow)
packet-tracer input inside tcp 192.168.12.2 1025 192.168.14.10 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.14.10/80 to 192.168.13.10/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.12.2/1025 to 10.10.10.2/1025
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
So we can see the translation happens first for the destination of the traffic.
Now traffic from the external LAN to the inside fake lan :
packet-tracer input outside tcp 192.168.13.20 1025 10.10.10.2 80
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.2/80 to 192.168.12.2/80
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.13.20/1025 to 192.168.14.20/1025
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
So as you can see, again the destination of the traffic gets un-translated first.
Hope this helps
Julio
Remember to rate all the helpful posts
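As an added illustration (not part of Julio's post or any Cisco code), a small Python model of the twice-NAT rule in the lab above: it reuses the lab's object networks, applies them in the order packet-tracer shows (destination un-translated first, then source translated), handles the reverse outside-to-inside flow with the same rule, and returns the packet unchanged when either half of the rule does not match. The class and function names are my own.

```python
import ipaddress

# Constructed copies of the lab's object networks (same names and subnets as above).
OBJECTS = {
    "Local": ipaddress.ip_network("192.168.12.0/24"),
    "Remote_real": ipaddress.ip_network("192.168.13.0/24"),
    "Remote_Fake": ipaddress.ip_network("192.168.14.0/24"),
    "Fake_lan": ipaddress.ip_network("10.10.10.0/24"),
}


def remap(addr, real, mapped):
    """Static net-to-net translation: keep the host bits, swap the prefix.
    Returns None when addr is not inside 'real' (this half of the rule does not match)."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return None
    offset = int(ip) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


class TwiceNat:
    """Models: nat (inside,outside) source static SRC_REAL SRC_MAPPED
    destination static DST_MAPPED DST_REAL  (hypothetical helper, not ASA code)."""

    def __init__(self, src_real, src_mapped, dst_mapped, dst_real):
        self.src_real, self.src_mapped = OBJECTS[src_real], OBJECTS[src_mapped]
        self.dst_mapped, self.dst_real = OBJECTS[dst_mapped], OBJECTS[dst_real]

    def translate(self, ingress, src, dst):
        """Return (phases, new_src, new_dst) in the order packet-tracer shows:
        UN-NAT of the destination first, then NAT of the source."""
        if ingress == "inside":      # inside -> outside, as the rule is written
            dst_pair = (self.dst_mapped, self.dst_real)
            src_pair = (self.src_real, self.src_mapped)
        elif ingress == "outside":   # the same rule applied in reverse
            dst_pair = (self.src_mapped, self.src_real)
            src_pair = (self.dst_real, self.dst_mapped)
        else:
            raise ValueError("ingress must be 'inside' or 'outside'")
        new_dst = remap(dst, *dst_pair)
        new_src = remap(src, *src_pair)
        if new_dst is None or new_src is None:
            return [], src, dst       # twice NAT fires only when both halves match
        phases = [f"UN-NAT: Untranslate {dst} to {new_dst}",
                  f"NAT: Static translate {src} to {new_src}"]
        return phases, new_src, new_dst


RULE = TwiceNat("Local", "Fake_lan", "Remote_Fake", "Remote_real")

if __name__ == "__main__":
    for step in RULE.translate("inside", "192.168.12.2", "192.168.14.10")[0]:
        print(step)
```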