8.4 SNAT from Outside

Unanswered Question
Aug 14th, 2012

Hi

Could anyone tell me why this statement does not work? (No real IPs used.) DMZ interface is 10.0.0.1/24.

nat (outside,dmz) source dynamic any  interface destination static OBJECT-01 OBJECT-01

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

Also tested:

nat (outside,dmz) source dynamic any  interface destination static OBJECT-01-out OBJECT-01-in

!

object network OBJECT-01-out

host 1.1.1.1

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

It works fine as follows:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in

!

object network OBJECT-01-out

host 10.0.0.254

!

object network OBJECT-01-out

host 1.1.1.1

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

Thank you

Julio Carvaja Sat, 08/18/2012 - 23:41

Hello,

1- Can you share the PAT-DMZ host?

2- Why are you performing 2 different NATs for the same purpose? I mean, you are already letting the ASA know that if any outside users on the outside contact this ASA for the IP address of Object-01 (1.1.1.1), the destination should be untranslated to 10.0.0.2 and the source should be translated to the PAT-DMZ IP.

So from my point of view you only need this:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in

With that line you are translating both the source and destination on one single line.

Let me know if I understood the question properly.

Regards,

Julio
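
Added example (not part of the original posts): the single twice-NAT line from the reply together with the objects it references, followed by ASA commands that check the resulting translation. The PAT-DMZ and OBJECT-01-in host values are assumptions taken from the addresses in the question, and 198.51.100.10 is a constructed outside client.

```cisco
! Objects referenced by the twice-NAT rule (values assumed from the question)
object network PAT-DMZ
 host 10.0.0.254
object network OBJECT-01-out
 host 1.1.1.1
object network OBJECT-01-in
 host 10.0.0.2
!
! One rule: source any -> PAT-DMZ, destination 1.1.1.1 -> 10.0.0.2
nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in
!
! Simulate an inbound connection and see which NAT rule it matches
packet-tracer input outside tcp 198.51.100.10 40000 1.1.1.1 80 detailed
!
! Confirm rule order and hit counters, then inspect live translations
show nat detail
show xlate
```

With the source translated this way, the DMZ server sees and logs the PAT-DMZ address rather than the real client address, so client attribution has to come from the ASA's own connection logs.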

Posted August 14, 2012 at 1:46 AM