ASA 8.3 Policy NAT

Mudasir Abbas · ‎07-11-2012

Scenario Detail:

Outside interface IP ASA: 1.1.1.1

Inside Interface IP ASA: 2.2.2.1

Public IP Address for NAT: 1.1.1.10

Server1 IP Address: 10.10.10.10: 25

Server2 IP Address: 11.11.11.10: 443

1)

Server1 has a default route to ASA: No issues.

2)

Server2 does not have a default route ASA

Initially distend for Public IP 1.1.1.10:443 is statically NATed to server2 11.11.11.10:443.

Server2 does not have a default route to ASA, in that case ASA can route to Server2 but Server2 can not route back to ASA for Internet Addresses.

To overcome this situation, I think, I should translate internet (any) addresses (Sources Addresses) to ASA indside interface IP Address.

So the Server2 sees this connection coming from ASA inside address.

-Two NATs are required

1)

Static 11.11.11.10:443 > 1.1.1.10:443

2)

a. Any > 1.1.1.10:443

First Translation through Static NAT:

b. Any > 11.11.11.10:443

Second Translation of Source Address (internet Address):

c. 2.2.2.1 > 11.11.11.10:443

Is it Doable? if Yes, What would be the syntex for ASA 8.3?

Please do let me know I missed something...

Your help will be highly appecited.

Mudasir

Luis Silva Benavides · ‎07-13-2012

Hi Mudasir,

Actually we can take advantaje of the NAT simplification of 8.3

This is how your config would look like

object network obj-1.1.1.10

host 1.1.1.10

object network obj-11.11.11.10

host 11.11.11.10

object service test-443

service tcp destination eq 443

nat (outside,inside) source dynamic any interface destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443

I know it looks like a little bit complicated but you get use to it

Luis Silva