Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8013
Views
0
Helpful
3
Replies

ASA 8.4 - NAT of One Subnet to Another

KatoNakatomi
Level 1
Level 1

‎02-20-2013 12:50 PM - edited ‎03-11-2019 06:03 PM

Looking for a solution to a NAT issue I have with NAT'ing one subnet to another on a 1-2-1.

eg

     static (inside,outside) 1.1.1.0 2.2.2.0 netmask 255.255.255.0

This would translate the internal 2.2.2.x IP address to 1.1.1.x IP address on the "outside". Is this still possible in 8.4 or above?

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎02-20-2013 12:55 PM

Hi,

Are you configuring this network to network NAT only for some VPN? In other words, should it only do this NAT if the destination of the connection is a certain network?

If you simply want to NAT a network to another network I imagine the configuration format would be the following

object network LAN-LOCAL

subnet 2.2.2.0 255.255.255.0

object network LAN-MAPPED

subnet 1.1.1.0 255.255.255.0

nat (inside,outside) source static LAN-LOCAL LAN-MAPPED

If this NAT should only happen with certain destination network the configuration would contain the following additional parameters

object network DESTINATION

subnet 10.10.10.0 255.255.255.0

NAT command would be

nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static DESTINATION DESTINATION

Naturally if you have more DESTINATION networks you would use "object-group" to configure the multiple networks instead of a "object network" that can only contain a single subnet, range or host address

Hope this helps

- Jouni

0 Helpful

KatoNakatomi
Level 1
Level 1
In response to Jouni Forss

‎02-20-2013 01:30 PM

Hi Jouni,

I have tried the above with no success, taking it further adding

     nat (inside,outside) source static LAN-LOCAL LAN-MAPPED destination static LAN-LOCAL LAN-MAPPED

If I do a "show xlate" it would indicate that it should work

         NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24

               flags sT idle 0:02:34 timeout 0:00:00

          NAT from outside:1.1.1.0/24 to inside:2.2.2.0/24

              flags sT idle 0:02:34 timeout 0:00:00

However a capture on the outside shows that the 2.2.2.x source remains untranslated.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to KatoNakatomi

‎02-20-2013 01:38 PM

Hi,

You should not use the "destination static LAN-LOCAL LAN-MAPPED" if your purpose is to always do the network to network NAT between the interfaces "inside" and "outside"

Heres the configuration from my own ASA

object network LAN-LOCAL

subnet 10.0.1.0 255.255.255.0

object network LAN-MAPPED

subnet 1.1.1.0 255.255.255.0

nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED

Then to test its operation with "packet-tracer"  (Only copy/paste the NAT phase)

ASA(config)# packet-tracer input LAN tcp 10.0.1.100 1234 1.2.3.4 80

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static LAN-LOCAL LAN-MAPPED

Additional Information:

Static translate 10.0.1.100/1234 to 1.1.1.100/1234

As you can see its working as expected

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card