8.4 SNAT from Outside

Aug 14th, 2012

Hi


Could anyone tell me why this statement does not work? (No real IPs used.) DMZ interface is 10.0.0.1/24.


nat (outside,dmz) source dynamic any interface destination static OBJECT-01 OBJECT-01
!
object network OBJECT-01
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns


Also tested:

nat (outside,dmz) source dynamic any interface destination static OBJECT-01-out OBJECT-01-in
!
object network OBJECT-01-out
 host 1.1.1.1
!
object network OBJECT-01
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns



It works fine as follows:


nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in
!
object network OBJECT-01-out
 host 10.0.0.254
!
object network OBJECT-01-out
 host 1.1.1.1
!
object network OBJECT-01
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns



Thank you

Julio Carvajal Sat, 08/18/2012 - 23:41

Hello,


1- Can you share the PAT-DMZ host?

2- Why are you performing 2 different NATs for the same purpose? I mean, you are already letting the ASA know that if any outside users on the outside contact this ASA for the IP address of Object-01 (1.1.1.1), the destination should be untranslated to 10.0.0.2 and the source should be translated to the PAT-DMZ IP.

So from my point of view you only need this:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in


With that line you are translating both the source and destination on one single line.


Let me know if I understood the question properly.


Regards,


Julio
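
A toy model of the single twice-NAT line discussed in the reply above, added here as an example (it is not code from the thread or from Cisco). It shows the destination being untranslated and the source being hidden behind one PAT address, plus the xlate lookup that return traffic depends on. The PAT-DMZ address 10.0.0.254, the client addresses and the sequential port allocation are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the thread gives 1.1.1.1 and 10.0.0.2; the PAT-DMZ
# address is never shown, so 10.0.0.254 here is an assumption.
MAPPED_DST = ipaddress.ip_address("1.1.1.1")    # OBJECT-01-out
REAL_DST = ipaddress.ip_address("10.0.0.2")     # OBJECT-01-in
PAT_SRC = ipaddress.ip_address("10.0.0.254")    # PAT-DMZ (assumed)

@dataclass
class TwiceNat:
    """Toy model of: nat (outside,dmz) source dynamic any PAT-DMZ
    destination static OBJECT-01-out OBJECT-01-in"""
    next_port: int = 1024                       # simplified port allocator
    xlate: dict = field(default_factory=dict)   # PAT port -> (client ip, port)

    def outside_to_dmz(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst != MAPPED_DST:
            return None                          # rule does not match
        # Reuse the existing PAT port for a flow already in the table.
        for port, client in self.xlate.items():
            if client == (src, sport):
                break
        else:
            port = self.next_port
            self.next_port += 1
            self.xlate[port] = (src, sport)
        # Destination is untranslated, source is hidden behind PAT_SRC.
        return (PAT_SRC, port, REAL_DST, dport)

    def dmz_to_outside(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        client = self.xlate.get(dport)
        if src != REAL_DST or dst != PAT_SRC or client is None:
            return None                          # no xlate entry: no reverse path
        # Reverse both halves: the server appears as 1.1.1.1 to the client.
        return (MAPPED_DST, sport, client[0], client[1])

def demo():
    fw = TwiceNat()
    a = fw.outside_to_dmz("198.51.100.7", 40000, "1.1.1.1", 443)
    b = fw.outside_to_dmz("203.0.113.9", 40000, "1.1.1.1", 443)
    reply = fw.dmz_to_outside("10.0.0.2", 443, "10.0.0.254", b[1])
    return a, b, reply

if __name__ == "__main__":
    for row in demo():
        print(tuple(str(x) for x in row))
```

In this model the DMZ server sees every outside client as the PAT address, so attributing a request to its original source requires the firewall's translation records in addition to the server's own logs.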
