ASA 8.4 - NAT of One Subnet to Another

Feb 20th, 2013

Looking for a solution to a NAT issue I have with NAT'ing one subnet to another on a one-to-one basis.

e.g.

     static (inside,outside) 1.1.1.0 2.2.2.0 netmask 255.255.255.0

This would translate the internal 2.2.2.x IP address to a 1.1.1.x IP address on the "outside". Is this still possible in 8.4 or above?

Jouni Forss Wed, 02/20/2013 - 12:55

Hi,

Are you configuring this network-to-network NAT only for some VPN? In other words, should it only do this NAT if the destination of the connection is a certain network?

If you simply want to NAT a network to another network, I imagine the configuration format would be the following:

     object network LAN-LOCAL
      subnet 2.2.2.0 255.255.255.0

     object network LAN-MAPPED
      subnet 1.1.1.0 255.255.255.0

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED

If this NAT should only happen with a certain destination network, the configuration would contain the following additional parameters:

     object network DESTINATION
      subnet 10.10.10.0 255.255.255.0

The NAT command would be:

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static DESTINATION DESTINATION

Naturally, if you have more DESTINATION networks, you would use an "object-group" to configure the multiple networks instead of an "object network", which can only contain a single subnet, range or host address.

Hope this helps.

- Jouni

Alex Ah-Moye Wed, 02/20/2013 - 13:30

Hi Jouni,

I have tried the above with no success; taking it further, I added:

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static LAN-LOCAL LAN-MAPPED

If I do a "show xlate", it would indicate that it should work:

     NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
         flags sT idle 0:02:34 timeout 0:00:00
     NAT from outside:1.1.1.0/24 to inside:2.2.2.0/24
         flags sT idle 0:02:34 timeout 0:00:00

However, a capture on the outside shows that the 2.2.2.x source remains untranslated.

Jouni Forss Wed, 02/20/2013 - 13:38

Hi,

You should not use "destination static LAN-LOCAL LAN-MAPPED" if your purpose is to always do the network-to-network NAT between the interfaces "inside" and "outside".

Here's the configuration from my own ASA:

     object network LAN-LOCAL
      subnet 10.0.1.0 255.255.255.0

     object network LAN-MAPPED
      subnet 1.1.1.0 255.255.255.0

     nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED

Then, to test its operation with "packet-tracer" (only copying/pasting the NAT phase):

     ASA(config)# packet-tracer input LAN tcp 10.0.1.100 1234 1.2.3.4 80

     Phase: 3
     Type: NAT
     Subtype:
     Result: ALLOW
     Config:
     nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED
     Additional Information:
     Static translate 10.0.1.100/1234 to 1.1.1.100/1234

As you can see, it's working as expected.

- Jouni
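To make the difference between Jouni's two rule forms and Alex's non-working one concrete, here is an added Python model (not from the thread or from Cisco) of how a static network-to-network manual NAT rule is matched and applied. It assumes a simplified matching model: the first object after "destination static" is treated as the destination the packet must match, and only equal-size subnets are handled; the 1.2.3.4 and 10.10.10.x test addresses are constructed from the values posted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    """Simplified model of an ASA 8.4 manual (twice) NAT rule:
    nat (inside,outside) source static REAL MAPPED [destination static MDST RDST]
    Only the static network-to-network case is modelled (constructed, not ASA code)."""
    real_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Network
    mapped_dst: Optional[ipaddress.IPv4Network] = None  # first object after 'destination static'

    def __post_init__(self):
        # A static net-to-net translation keeps the host bits, so the masks must be equal.
        if self.real_src.prefixlen != self.mapped_src.prefixlen:
            raise ValueError("real and mapped subnets must have the same netmask")


def translate_source(rule: StaticNat, src: str, dst: str) -> str:
    """Return the source address as it would appear on the outside interface.

    The rule matches only if the source lies in real_src and, when a destination
    clause is present, the destination lies in mapped_dst. A packet that matches
    no rule leaves untranslated, which is what the outside capture in the thread showed."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s not in rule.real_src:
        return src
    if rule.mapped_dst is not None and d not in rule.mapped_dst:
        return src
    # Swap the network bits, keep the host bits: 2.2.2.100 -> 1.1.1.100
    host_bits = int(s) - int(rule.real_src.network_address)
    return str(rule.mapped_src.network_address + host_bits)


# Objects as posted in the thread (10.10.10.0/24 is Jouni's DESTINATION object)
LAN_LOCAL = ipaddress.ip_network("2.2.2.0/24")
LAN_MAPPED = ipaddress.ip_network("1.1.1.0/24")
DESTINATION = ipaddress.ip_network("10.10.10.0/24")
RULE_PLAIN = StaticNat(LAN_LOCAL, LAN_MAPPED)                # source static LAN-LOCAL LAN-MAPPED
RULE_DEST = StaticNat(LAN_LOCAL, LAN_MAPPED, DESTINATION)    # ... destination static DESTINATION DESTINATION
RULE_BROKEN = StaticNat(LAN_LOCAL, LAN_MAPPED, LAN_LOCAL)    # ... destination static LAN-LOCAL LAN-MAPPED

if __name__ == "__main__":
    for name, rule in (("plain", RULE_PLAIN), ("dest", RULE_DEST), ("broken", RULE_BROKEN)):
        print(name, translate_source(rule, "2.2.2.100", "1.2.3.4"),
              translate_source(rule, "2.2.2.100", "10.10.10.5"))
```

The "broken" rule only ever matches traffic from 2.2.2.0/24 destined to 2.2.2.0/24, so any real Internet-bound packet misses it and its 2.2.2.x source is left unchanged, matching the capture in the thread.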
