New Member

8.2 NAT to one IP?

I probably have done this before, but can't remember how. On 8.4 code, if I want to NAT a server to be seen by only one external IP by a certain IP, but dynamic to all else, easy to do.

10.10.0.4 > 10.100.100.3, translated to outside 192.168.100.4.

10.10.0.4 > 0.0.0.0, translated dynamic outside interface

I don't remember how I was able to do this on 8.2 code.

Accepted Solutions
Super Bronze

Re: 8.2 NAT to one IP?

Hi,

I guess you would be talking about Static Policy NAT? I imagine your aim is to translate the host 10.10.0.4 to IP address 192.168.100.4 when the host 10.10.0.4 is connecting to host 10.100.100.3 and all other traffic should match the default Dynamic PAT configuration?

If the above mentioned situation applies then the configuration would be this

access-list STATIC-POLICY-NAT remark Static Policy NAT 10.10.0.4 -> 10.100.100.3

access-list STATIC-POLICY-NAT permit ip host 10.10.0.4 host 10.100.100.3

static (inside,outside) 192.168.100.4 access-list STATIC-POLICY-NAT

The "access-list" defines when the translation should be performed and the "static" command applies that "access-list" in an actual translation configuration.

Only thing to consider with this type of configuration and the software levels 8.2 (and lower) is the fact that IF you had a Static NAT for this internal host towards the same external interface then you would have to insert the above configuration and then remove the Static NAT and enter the Static NAT again. The reason is that Static NAT and Static Policy NAT are treated equally by the ASA. The order of the commands therefore decides which "static" configuration is applied. The earlier change is meant to change the order in the CLI configuration.

Though in your case you said there is only Dynamic PAT/NAT so it should not be a problem. Thought I'd still mention it just in case.

With regards to the actual configuration above you can naturally switch the ACL name and use the "remark" line or not

Hope this helps

- Jouni
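
The re-ordering step described in the answer above, written out with a verification pass, as an added example that is not part of the original post. The pre-existing Static NAT line (mapped address 192.168.100.10), the test ports and the test destination 198.51.100.10 are constructed for illustration; the other addresses are the ones from the thread.

```cisco
! Constructed starting point: a regular Static NAT already exists for the host
!   static (inside,outside) 192.168.100.10 10.10.0.4 netmask 255.255.255.255

! 1. Add the Static Policy NAT from the answer. It lands AFTER the existing
!    static in the running configuration, so the regular static still wins.
access-list STATIC-POLICY-NAT permit ip host 10.10.0.4 host 10.100.100.3
static (inside,outside) 192.168.100.4 access-list STATIC-POLICY-NAT

! 2. Remove and re-enter the regular Static NAT so it moves below the
!    policy entry. Statics are matched in configuration order on 8.2.
no static (inside,outside) 192.168.100.10 10.10.0.4 netmask 255.255.255.255
static (inside,outside) 192.168.100.10 10.10.0.4 netmask 255.255.255.255

! 3. Confirm the order: the access-list based static must be listed first.
show running-config static

! 4. Drop translations built under the old order for this host.
clear xlate local 10.10.0.4

! 5. Trace both cases and read the NAT phase of each result.
!    Towards 10.100.100.3 the translated address should be 192.168.100.4.
packet-tracer input inside tcp 10.10.0.4 12345 10.100.100.3 80
!    Any other destination should fall through to the regular Static NAT
!    (or to Dynamic PAT when no regular static exists, as in the question).
packet-tracer input inside tcp 10.10.0.4 12345 198.51.100.10 80

! 6. After real traffic has passed, check which translations were built.
show xlate
```

Steps 1 and 2 are entered in global configuration mode; steps 3 to 6 run from privileged EXEC.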

New Member

Re: 8.2 NAT to one IP?

That looks familiar, I will give it a try, Thanks!

New Member

Re: 8.2 NAT to one IP?

That was exactly what I was looking for, worked as I had hoped it would. Thinking back, I had done this before, but for the opposite thing, to use the inside IP of the ASA in the rewrite so the internal server could respond to it and not its default.

Thanks, 5 Stars!

Super Bronze

8.2 NAT to one IP?

Hi,

Great to hear it's working

Thank you for marking the correct answer.

- Jouni
