07-01-2010 12:12 PM - edited 03-11-2019 11:06 AM
Hi, I'm trying to convert a policy NAT entry from 8.0.x to 8.3 and am hoping someone can check my config.
My old config:
access-list PNAT-A10 remark any Internet hosts to DMZ A10 hosted servers
access-list PNAT-A10 extended permit ip any host 23.23.25.25 (Public IP)
nat (outside) 2 access-list PNAT-A10 outside
global (CustDMZ_1) 2 10.21.5.5 netmask 255.255.255.255
New config:
object network AXA-Citrix-A10_10.21.5.13
 host 10.21.5.13
 nat (CustDMZ_1,outside) static 23.23.25.25
object network obj-10.21.5.5
 host 10.21.5.5
nat (CustDMZ_1,outside) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13
Is this right? I want to make Internet clients appear as 10.21.5.5 when they hit the public address 23.23.25.25.
Thank you,
Bill
07-01-2010 04:35 PM
You are almost right: the interfaces on the NAT statement are the other way round, and the destination should be the public IP address instead of the real IP address. It should be as follows:
object network AXA-Citrix-A10_23.23.25.25
 host 23.23.25.25
nat (outside,CustDMZ_1) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_23.23.25.25 AXA-Citrix-A10_23.23.25.25
Hope that helps.
07-02-2010 06:55 AM
How does the ASA know how to NAT the public IP to the real address, 10.21.5.13, of the AXA-Citrix-A10 host? Wouldn't I have to create the object and add the real IP somewhere?
07-02-2010 04:08 PM
Yes, you already have the configuration to statically translate the server to a public IP address.
Here is the config:
object network AXA-Citrix-A10_10.21.5.13
 host 10.21.5.13
 nat (CustDMZ_1,outside) static 23.23.25.25
07-02-2010 08:26 AM
Could I also ask how disabled split tunneling traffic is now handled so VPN users use the Corporate Internet link?
Old config:
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
New config:
object network RAVPN_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
Thanks again.
07-02-2010 04:09 PM
Yes, the following config posted is correct:
object network RAVPN_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
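The nat/global to object NAT mapping confirmed above, as an added Python example that is not part of the original thread or Cisco's migration tooling. The function name and the `obj-<address>-<interface>` object names are hypothetical; it converts only plain dynamic PAT pairs and lists policy NAT lines and anything else it does not handle for manual conversion.

```python
import ipaddress
import re

# Pre-8.3 forms handled: "nat (if) id net mask" paired by id with "global (if) id target".
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def convert_dynamic_pat(old_config):
    """Return (new_lines, skipped) for the nat/global pairs in old_config."""
    nats, pools, skipped = [], {}, []
    for line in (raw.strip() for raw in old_config.splitlines()):
        if m := NAT_RE.match(line):
            nats.append((line, *m.groups()))
        elif line.startswith("nat "):
            # Policy NAT (access-list) or extra options: convert by hand.
            skipped.append(line)
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    new_lines = []
    for line, real_if, nat_id, net, mask in nats:
        if nat_id not in pools:
            skipped.append(line)  # no matching global (for example nat 0)
        for mapped_if, target in pools.get(nat_id, []):
            try:
                network = ipaddress.ip_network(f"{net}/{mask}")
                if target != "interface":
                    ipaddress.ip_address(target)  # a range raises ValueError
            except ValueError:
                skipped.append(line)
                continue
            addr = network.network_address
            body = f"host {addr}" if network.prefixlen == 32 else f"subnet {addr} {mask}"
            new_lines += [
                f"object network obj-{addr}-{mapped_if}",  # constructed name
                f" {body}",
                f" nat ({real_if},{mapped_if}) dynamic {target}",
            ]
    return new_lines, skipped

# Old commands quoted in this thread.
OLD = """\
nat (outside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (outside) 2 access-list PNAT-A10 outside
global (CustDMZ_1) 2 10.21.5.5 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(*convert_dynamic_pat(OLD), sep="\n")
```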
07-02-2010 06:39 PM
Thank you for your help.
07-02-2010 09:23 PM
Also you can check this document as a reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html