431 Views, 0 Helpful, 6 Replies

help with NAT config on 8.4 ASA

mjsully
Level 1


Can anyone tell me if it's possible and, if so, how to configure the following NAT, where the same source goes to 2 different destinations but we need them to use the same NAT address? This is on the 8.4 version of ASA code. Assume the src is off an interface with a security level of 0, called "DC", and the destination is off an interface "DMZ" with a security level of 100. Thanks


src- 192.168.100.100
dst- 172.16.1.100
service- TCP 80 & 443
NAT src to - 10.200.2.5

src- 192.168.100.100
dst- 172.16.1.120
service- TCP 80
NAT src to - 10.200.2.5

6 Replies

Walter Astori
Level 1

Can you try with this configuration:

! Real and mapped source addresses
object network PAT-SOURCE
 host 192.168.100.100
object network PAT-SOURCE-MAPPED
 host 10.200.2.5
! The two DMZ destinations (used as identity objects below, i.e. not translated)
object network PAT-DESTINATION-1
 host 172.16.1.100
object network PAT-DESTINATION-2
 host 172.16.1.120
! Destination ports the translation is limited to
object service SERVICE-1
 service tcp destination eq 80
object service SERVICE-2
 service tcp destination eq 443
! One twice NAT rule per destination/port pair: 172.16.1.100 on 80 and 443, 172.16.1.120 on 80 only
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-1 SERVICE-1
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-2 SERVICE-2
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service SERVICE-1 SERVICE-1


Thanks, I can give that a try. My only question is regarding this part of your config:

nat (DMZ,DC)

Why is the destination interface (DMZ) listed first in the syntax, as I thought with the new NAT it goes (src, dst)?

DC is security-level 0 and DMZ is security-level 100, and the flow of the traffic is from DC to DMZ.

Well, to answer this question, static NAT is bidirectional. So, even though you are configuring it from DMZ to DC, it will still NAT from DC to DMZ.

--

Please remember to select a correct answer and rate helpful posts


So, based on that, would I also get the same desired result if I swapped the order and used (DC, DMZ)?

Theoretically, yes. But it is not a common practice or best practice to do that. Since static NAT is bidirectional (unless configured otherwise), NATing traffic from a higher security level to a lower security level has been the commonly approved way to do it.

--

Please remember to select a correct answer and rate helpful posts
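As an added example (not the configuration of any poster in this thread), here is the same requirement written with the real interface of the source listed first, which is the documented twice NAT order of nat (real_ifc,mapped_ifc), followed by the packet-tracer checks a practitioner would run to confirm which rule each flow hits before relying on it. Object names are assumptions of this example.

```text
! Added example, not from the thread above. Object names are assumptions.
! Same requirement as the original post: 192.168.100.100 on DC must appear as
! 10.200.2.5 towards 172.16.1.100 (tcp/80, tcp/443) and 172.16.1.120 (tcp/80).
object network WEB-CLIENT
 host 192.168.100.100
object network WEB-CLIENT-NAT
 host 10.200.2.5
object network DMZ-WEB-1
 host 172.16.1.100
object network DMZ-WEB-2
 host 172.16.1.120
object service TCP-80
 service tcp destination eq 80
object service TCP-443
 service tcp destination eq 443
!
! nat (real_ifc,mapped_ifc): the real source lives on DC, the mapped address is
! seen on DMZ. Destination and service are given as identity pairs (same object
! twice), so only the source is rewritten, and only for these three flows.
nat (DC,DMZ) source static WEB-CLIENT WEB-CLIENT-NAT destination static DMZ-WEB-1 DMZ-WEB-1 service TCP-80 TCP-80
nat (DC,DMZ) source static WEB-CLIENT WEB-CLIENT-NAT destination static DMZ-WEB-1 DMZ-WEB-1 service TCP-443 TCP-443
nat (DC,DMZ) source static WEB-CLIENT WEB-CLIENT-NAT destination static DMZ-WEB-2 DMZ-WEB-2 service TCP-80 TCP-80
!
! Verification. packet-tracer pushes a synthetic packet through the ASA and its
! NAT phase names the matching rule and the resulting translation; each of the
! three wanted flows should show 192.168.100.100 translated to 10.200.2.5.
packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.100 80
packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.100 443
packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.120 80
! A flow outside the three pairs must not match these rules. Note that on
! 8.3+ NAT never filters: whether this untranslated flow passes is decided
! by the access-list on DC, which is written with real addresses.
packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.120 443
! Per-rule hit counters, and the live translations once real traffic flows.
show nat detail
show xlate
```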
