help with NAT config on 8.4 ASA

Sep 16th, 2014

Can anyone tell me if it's possible, and if so, how to configure the following NAT, where the same source goes to 2 different destinations but we need them to use the same NAT address? This is on the 8.4 version of ASA code. Assume the src is off an interface with a security level of 0, called "DC", and the destination is off an interface "DMZ" with a security level of 100. Thanks


src- 192.168.100.100
dst- 172.16.1.100
service- TCP 80 & 443
NAT src to - 10.200.2.5

src- 192.168.100.100
dst- 172.16.1.120
service- TCP 80
NAT src to - 10.200.2.5

Walter Astori Tue, 09/16/2014 - 06:33

Can you try this configuration:

! Real and mapped source, plus the two (untranslated) destinations
object network PAT-SOURCE
 host 192.168.100.100
object network PAT-SOURCE-MAPPED
 host 10.200.2.5
object network PAT-DESTINATION-1
 host 172.16.1.100
object network PAT-DESTINATION-2
 host 172.16.1.120
! Service objects scope each rule to one destination port
object service SERVICE-1
 service tcp destination eq 80
object service SERVICE-2
 service tcp destination eq 443
! Twice NAT: source is translated to 10.200.2.5, destination and service are identity (real = mapped)
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-1 SERVICE-1
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-2 SERVICE-2
! 172.16.1.120 is TCP 80 only in the question, so this rule uses SERVICE-1
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service SERVICE-1 SERVICE-1

mjsully Tue, 09/16/2014 - 06:42

Thanks, I can give that a try. My only question is regarding this part of your config:

nat (DMZ,DC)

Why is the destination interface (DMZ) listed first in the syntax? I thought with the new NAT it goes (src, dst).

Walter Astori Tue, 09/16/2014 - 06:45

DC is security-level 0, DMZ is security-level 100, and the flow of the traffic is from DC to DMZ.

Marius Gunnerud Tue, 09/16/2014 - 10:35
Well, to answer this question, static NAT is bidirectional. So, even though you are configuring it from DMZ to DC, it will still NAT from DC to DMZ.

--

Please remember to select a correct answer and rate helpful posts

mjsully Tue, 09/16/2014 - 10:45

So based on that, would I also get the same desired result if I swapped the order and used (DC, DMZ)?

Marius Gunnerud Tue, 09/16/2014 - 11:41
Theoretically, yes. But it is not a common practice or best practice to do that. Since static NAT is bidirectional (unless configured otherwise), NATing traffic from a higher security level to a lower security level has been the commonly approved way to do it.

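For reference, here is the (DC,DMZ) variant that mjsully asked about, written out in full as an added example (it is not from any of the posters). The 8.4 twice-NAT syntax is nat (real_ifc,mapped_ifc) source static real mapped destination static mapped real service real mapped, so with 192.168.100.100 living on DC and the 172.16.1.x hosts on DMZ, DC is the real interface and DMZ the mapped one. The network object names are the ones used earlier in the thread; the service object names, the ACL name DC_IN, and the choice to put the ACL on DC are assumptions made for this example.

```cisco
! Added example, not from the original posts. Real host on DC, mapped address seen from DMZ.
object network PAT-SOURCE
 host 192.168.100.100
object network PAT-SOURCE-MAPPED
 host 10.200.2.5
object network PAT-DESTINATION-1
 host 172.16.1.100
object network PAT-DESTINATION-2
 host 172.16.1.120
! Service object names are an assumption; each scopes one rule to one destination port
object service HTTP
 service tcp destination eq 80
object service HTTPS
 service tcp destination eq 443
!
! Twice NAT with the real interface first: (real_ifc,mapped_ifc)
! Source: 192.168.100.100 on DC appears as 10.200.2.5 on DMZ (same mapped host in all three rules)
! Destination and service are identity (real = mapped); they only decide which rule matches
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service HTTP HTTP
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service HTTPS HTTPS
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service HTTP HTTP
!
! DC is security-level 0 and DMZ is 100, so traffic from DC needs an explicit permit on DC.
! From 8.3 onward ACLs match real (untranslated) addresses, so the real source is used here.
! ACL name DC_IN is an assumption.
access-list DC_IN extended permit tcp host 192.168.100.100 host 172.16.1.100 eq 80
access-list DC_IN extended permit tcp host 192.168.100.100 host 172.16.1.100 eq 443
access-list DC_IN extended permit tcp host 192.168.100.100 host 172.16.1.120 eq 80
access-group DC_IN in interface DC
```

To check the result without generating real traffic, run packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.120 80 (the source port is arbitrary) and confirm the NAT phase shows the source rewritten to 10.200.2.5 and the ACL phase permits the flow; show nat detail shows which of the three rules is being hit, and show xlate shows the active translation once a session exists. Two practical caveats: 10.200.2.5 has to be reachable from the DMZ hosts, either because it is in the DMZ interface's subnet (the ASA will answer ARP for it there) or because the DMZ side routes it to the ASA; and these static rules are bidirectional by default, so if DMZ hosts should not be able to open connections to 10.200.2.5, append the unidirectional keyword to each nat statement.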