ASA 8.4 - NAT of One Subnet to Another

Unanswered Question
Feb 20th, 2013

Looking for a solution to a NAT issue I have with NAT'ing one subnet to another on a 1-2-1.

eg

     static (inside,outside) 1.1.1.0 2.2.2.0 netmask 255.255.255.0

This would translate the internal 2.2.2.x IP address to 1.1.1.x IP address on the "outside". Is this still possible in 8.4 or above?

Jouni Forss Wed, 02/20/2013 - 12:55

Hi,

Are you configuring this network to network NAT only for some VPN? In other words, should it only do this NAT if the destination of the connection is a certain network?

If you simply want to NAT a network to another network I imagine the configuration format would be the following:

     object network LAN-LOCAL
      subnet 2.2.2.0 255.255.255.0
     object network LAN-MAPPED
      subnet 1.1.1.0 255.255.255.0
     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED

If this NAT should only happen with a certain destination network, the configuration would contain the following additional parameters:

     object network DESTINATION
      subnet 10.10.10.0 255.255.255.0

The NAT command would be:

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static DESTINATION DESTINATION

Naturally, if you have more DESTINATION networks you would use an "object-group" to configure the multiple networks instead of an "object network", which can only contain a single subnet, range or host address.

Hope this helps

- Jouni

alex ah-moye Wed, 02/20/2013 - 13:30

Hi Jouni,

I have tried the above with no success; taking it further, adding:

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static LAN-LOCAL LAN-MAPPED

If I do a "show xlate" it would indicate that it should work:

     NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
         flags sT idle 0:02:34 timeout 0:00:00
     NAT from outside:1.1.1.0/24 to inside:2.2.2.0/24
         flags sT idle 0:02:34 timeout 0:00:00

However a capture on the outside shows that the 2.2.2.x source remains untranslated.

Jouni Forss Wed, 02/20/2013 - 13:38

Hi,

You should not use the "destination static LAN-LOCAL LAN-MAPPED" if your purpose is to always do the network to network NAT between the interfaces "inside" and "outside".

Here's the configuration from my own ASA:

     object network LAN-LOCAL
      subnet 10.0.1.0 255.255.255.0
     object network LAN-MAPPED
      subnet 1.1.1.0 255.255.255.0
     nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED

Then to test its operation with "packet-tracer" (only copying/pasting the NAT phase here):

     ASA(config)# packet-tracer input LAN tcp 10.0.1.100 1234 1.2.3.4 80

     Phase: 3
     Type: NAT
     Subtype:
     Result: ALLOW
     Config:
     nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED
     Additional Information:
     Static translate 10.0.1.100/1234 to 1.1.1.100/1234

As you can see, it's working as expected.

- Jouni
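As an added illustration of the two answers above (this is example code written for this page, not anything from the thread or from Cisco), the following Python model shows what a one-to-one network-to-network static NAT does to each host address (host bits kept, network bits swapped, as in the packet-tracer line "10.0.1.100 ... to 1.1.1.100"), how the optional "destination static DESTINATION DESTINATION" condition restricts when the rule fires, and the check a capture on the outside interface should pass once translation works. The model assumes both subnets have the same prefix length; the sample addresses are the ones used in the thread.

```python
import ipaddress

def static_translate(local_net, mapped_net, host):
    """Map one host of local_net to the same host position in mapped_net.

    Models one-to-one network-to-network static NAT: only the network
    bits change and the host bits are preserved, which is why packet-tracer
    reports 10.0.1.100 -> 1.1.1.100. Assumption of this model: both subnets
    have the same prefix length. A host outside local_net is returned
    unchanged (no rule matched, so it leaves untranslated).
    """
    local = ipaddress.ip_network(local_net)
    mapped = ipaddress.ip_network(mapped_net)
    if local.prefixlen != mapped.prefixlen:
        raise ValueError("this model only handles equal-size subnets")
    addr = ipaddress.ip_address(host)
    if addr not in local:
        return addr
    offset = int(addr) - int(local.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)

def apply_rule(rule, src, dst):
    """Apply one NAT rule to a packet and return the source it leaves with.

    rule = (local_net, mapped_net, destination_net_or_None). The third item
    models the 'destination static DESTINATION DESTINATION' condition from
    the first answer: real and mapped destination are the same object, so
    the rule simply applies only when dst falls inside that network.
    """
    local_net, mapped_net, dest_net = rule
    if dest_net is not None:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(dest_net):
            return ipaddress.ip_address(src)
    return static_translate(local_net, mapped_net, src)

def outside_capture_ok(rule, captured_src):
    """The check alex did with a capture on the outside interface: after a
    successful translation the source belongs to the mapped subnet, not to
    the local one. True when the capture shows a translated source."""
    local_net, mapped_net, _ = rule
    addr = ipaddress.ip_address(captured_src)
    return (addr in ipaddress.ip_network(mapped_net)
            and addr not in ipaddress.ip_network(local_net))

if __name__ == "__main__":
    # Constructed sample flows using the addresses from the thread.
    unconditional = ("10.0.1.0/24", "1.1.1.0/24", None)
    conditional = ("2.2.2.0/24", "1.1.1.0/24", "10.10.10.0/24")
    print(apply_rule(unconditional, "10.0.1.100", "1.2.3.4"))  # 1.1.1.100
    print(apply_rule(conditional, "2.2.2.7", "10.10.10.1"))    # 1.1.1.7
    print(apply_rule(conditional, "2.2.2.7", "8.8.8.8"))       # 2.2.2.7 (untranslated)
```

With a destination condition in the rule, a flow to any other destination matches no rule and leaves with its original source, which is exactly what an outside capture would then show.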

Posted February 20, 2013 at 12:50 PM
Tags: nat, asa, 8.4