
Source & Destination NAT

paultribe
Level 1

Can anyone point to a Cisco document that clearly describes source and destination NAT, the differences between them, why you would use source over destination & vice versa and any configuration examples on an ASA?

Thanks

Paul

1 Reply

Jon Marshall
Hall of Fame

Paul

Source and destination NAT are relative to the interfaces on the ASA firewall. A couple of examples might help -

you have a server on your LAN with a private address of 192.168.10.1 and you want to "present" it to the outside as 177.10.10.1

1) static (inside,outside) 177.10.10.1 192.168.10.1 netmask 255.255.255.255

a) traffic going from the server on the inside to the outside -

   the src IP is changed from 192.168.10.1 to 195.166.10.1

   the destination IP is left as is.

b) traffic returning to the server from the outside

   the src IP is left as is

   the destination IP is changed from 177.10.10.1 to 192.168.10.1

You want to allow internal devices to access the 195.166.10.1 server on the internet. But you don't want to advertise 177.10.10.1 into your network. Instead you want to use 10.5.1.10 as the destination address -

2) static (outside,inside) 10.5.1.10 195.166.10.1 netmask 255.255.255.255

a) traffic going from your internal clients with a destination IP of 10.5.1.10

   the src IP is left alone

   the destination IP is changed from 10.5.1.10 to 195.166.10.1

b) traffic returning to your client from the outside server 195.166.10.1

   the src IP is changed from 195.166.10.1 to 10.5.1.10

   the destination IP is unchanged

Hope this has helped rather than add to the confusion

Jon
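
A small model of the two `static` commands in the reply above, added here as an illustration; it is not part of the original thread and not Cisco code. It reads each command as `static (real_ifc,mapped_ifc) mapped_ip real_ip`, assumes the egress interface is already known, and ignores ACLs and rule ordering; `Packet`, `StaticRule`, `parse_static`, `packet`, `remap` and `translate` are hypothetical names, and 192.168.10.50 is a constructed client address.

```python
import re
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Packet:
    in_ifc: str    # interface the packet arrives on
    out_ifc: str   # egress interface (assumed already chosen by routing)
    src: IPv4Address
    dst: IPv4Address

@dataclass(frozen=True)
class StaticRule:
    real_ifc: str
    mapped_ifc: str
    mapped: IPv4Network
    real: IPv4Network

STATIC_RE = re.compile(r"static \(([\w-]+),([\w-]+)\) (\S+) (\S+) netmask (\S+)$")

def parse_static(line):
    """Parse 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask'."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static NAT command: {line!r}")
    real_ifc, mapped_ifc, mapped, real, mask = m.groups()
    return StaticRule(real_ifc, mapped_ifc,
                      IPv4Network(f"{mapped}/{mask}"), IPv4Network(f"{real}/{mask}"))

def packet(in_ifc, out_ifc, src, dst):
    return Packet(in_ifc, out_ifc, IPv4Address(src), IPv4Address(dst))

def remap(addr, frm, to):
    # Keep the host offset so a rule covering a whole subnet maps 1:1.
    return IPv4Address(int(to.network_address) + int(addr) - int(frm.network_address))

def translate(rule, pkt):
    path = (pkt.in_ifc, pkt.out_ifc)
    if path == (rule.real_ifc, rule.mapped_ifc) and pkt.src in rule.real:
        return replace(pkt, src=remap(pkt.src, rule.real, rule.mapped))  # source rewritten
    if path == (rule.mapped_ifc, rule.real_ifc) and pkt.dst in rule.mapped:
        return replace(pkt, dst=remap(pkt.dst, rule.mapped, rule.real))  # destination rewritten
    return pkt  # rule does not apply to this packet

if __name__ == "__main__":
    r2 = parse_static("static (outside,inside) 10.5.1.10 195.166.10.1 netmask 255.255.255.255")
    for p in (packet("inside", "outside", "192.168.10.50", "10.5.1.10"),   # constructed client
              packet("outside", "inside", "195.166.10.1", "192.168.10.50")):
        t = translate(r2, p)
        print(f"{p.src} -> {p.dst}  becomes  {t.src} -> {t.dst}")
```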
