Cisco Support Community
8.4 SNAT from Outside

Hi

Could anyone tell me why this statement does not work? (No real IPs are used.) The DMZ interface is 10.0.0.1/24.

nat (outside,dmz) source dynamic any interface destination static OBJECT-01 OBJECT-01
!
object network OBJECT-01
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns

Also tested:

nat (outside,dmz) source dynamic any interface destination static OBJECT-01-out OBJECT-01-in
!
object network OBJECT-01-out
 host 1.1.1.1
!
object network OBJECT-01-in
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns

It works fine as follows:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in
!
object network PAT-DMZ
 host 10.0.0.254
!
object network OBJECT-01-out
 host 1.1.1.1
!
object network OBJECT-01-in
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns

Thank you

1 REPLY


Hello,

1- Can you share the PAT-DMZ host?

2- Why are you performing two different NATs for the same purpose? I mean, you are already letting the ASA know that if any users on the outside contact this ASA for the IP address of Object-01 (1.1.1.1), the destination should be untranslated to 10.0.0.2 and the source should be translated to the PAT-DMZ IP.

So from my point of view you only need this:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in

With that line you are translating both the source and the destination in one single line.

Let me know if I understood the question properly.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
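The scenario both posts describe, assembled into one complete configuration as an added example (it is not configuration from the original poster, from the reply, or from Cisco): outside clients connect to the published address 1.1.1.1, the ASA untranslates it to the DMZ host 10.0.0.2 and at the same time PATs every outside source to 10.0.0.254, a spare address on the DMZ subnet, so the server only ever sees a DMZ-local source. The object names and addresses are the ones used in the thread; the interface names, the TCP port 443, the ACL name and the sample client address 203.0.113.5 are assumptions for the illustration. Note the argument order the first attempt in the question tripped over: in twice NAT the destination is written `destination static <mapped> <real>`, so a rule that lists the real address 10.0.0.2 in both positions never matches a packet arriving for 1.1.1.1, and the plain object NAT then handles that packet without any source PAT.

```text
! Objects: the real DMZ server (with its object NAT), its public address,
! and the DMZ-side PAT address. All values are those used in the thread.
object network OBJECT-01-in
 host 10.0.0.2
 nat (dmz,outside) static 1.1.1.1 dns
object network OBJECT-01-out
 host 1.1.1.1
object network PAT-DMZ
 host 10.0.0.254
!
! Twice NAT for outside-initiated traffic. Argument order matters:
!   source dynamic <real> <mapped>        -> any outside source becomes 10.0.0.254
!   destination static <mapped> <real>    -> 1.1.1.1 is untranslated to 10.0.0.2
nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in
!
! NAT permits nothing by itself. On 8.3+ the interface ACL references the
! REAL address, so the rule is written for 10.0.0.2, not for 1.1.1.1.
! (ACL name and port 443 are assumptions for this example.)
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification. Manual NAT (Section 1) is evaluated before object NAT
! (Section 2), so the twice NAT rule must be listed above the object NAT
! entry; the translate_hits / untranslate_hits counters show which rule fires.
show nat detail
!
! Simulate an outside client (203.0.113.5 is a constructed address) hitting
! the published IP. The NAT phases should show the destination untranslated
! to 10.0.0.2 and the source translated to 10.0.0.254, with result ALLOW.
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 443
```

Two operational caveats. Because the source is PATed, the DMZ server logs every outside client as 10.0.0.254, so per-client logging, rate limiting and blocking on the server stop working; keep the ASA's connection logs if client attribution matters. The `dns` keyword on the object NAT only rewrites A-record answers that traverse the ASA (so DMZ clients resolving the public name get 10.0.0.2 back); it does not affect the twice NAT rule.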