Cisco Support Community


ASA 8.3 Policy NAT

Scenario Detail:

Outside interface IP ASA: 1.1.1.1

Inside Interface IP ASA:  2.2.2.1

Public IP Address for NAT: 1.1.1.10

Server1 IP Address: 10.10.10.10:25

Server2 IP Address: 11.11.11.10:443

1) Server1 has a default route to ASA: No issues.

2) Server2 does not have a default route to ASA.

Initially, destination Public IP 1.1.1.10:443 is statically NATed to Server2 11.11.11.10:443.

Server2 does not have a default route to ASA; in that case ASA can route to Server2, but Server2 cannot route back to ASA for Internet addresses.

To overcome this situation, I think I should translate Internet (any) addresses (source addresses) to the ASA inside interface IP address.

So the Server2 sees this connection coming from ASA inside address.

- Two NATs are required:

1) Static 11.11.11.10:443 > 1.1.1.10:443

2)

   a. Any > 1.1.1.10:443

   First translation through Static NAT:

   b. Any > 11.11.11.10:443

   Second translation of source address (Internet address):

   c. 2.2.2.1 > 11.11.11.10:443

Is it doable? If yes, what would be the syntax for ASA 8.3?

Please do let me know if I missed something...

Your help will be highly appreciated.

Mudasir

1 REPLY
Cisco Employee

ASA 8.3 Policy NAT

Hi Mudasir,

Actually, we can take advantage of the NAT simplification of 8.3.

This is how your config would look:

object network obj-1.1.1.10
  host 1.1.1.10

object network obj-11.11.11.10
  host 11.11.11.10

object service test-443
  service tcp destination eq 443

nat (outside,inside) source dynamic any interface destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443

I know it looks a little bit complicated, but you get used to it.

Luis Silva

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us" http://www.cisco.com/web/partners/tools/pdihd.html
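To make the twice-NAT statement in the reply concrete, here is an added example (not from the thread and not Cisco code) that models in Python what that one rule does to a single connection: an Internet client reaches 1.1.1.10:443, Server2 sees the flow arriving from the ASA inside interface IP 2.2.2.1, and the reply is untranslated from the xlate entry, which is why Server2 needs no default route. The client address and the PAT port range are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

# Values from the thread: inside interface 2.2.2.1, mapped public address
# 1.1.1.10:443, real server 11.11.11.10:443.
INSIDE_IFC_IP = "2.2.2.1"
RULE = {"mapped_dst": ("1.1.1.10", 443), "real_dst": ("11.11.11.10", 443)}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNat:
    """Model of: nat (outside,inside) source dynamic any interface
    destination static obj-1.1.1.10 obj-11.11.11.10 service test-443 test-443
    """

    def __init__(self):
        # (mapped src ip, PAT port) -> (original client ip, client port)
        self.xlate = {}
        self.ports = count(1024)  # constructed PAT port pool

    def outside_to_inside(self, p: Pkt):
        # The rule matches only the service object's destination port (443),
        # so e.g. 1.1.1.10:25 for Server1 would need its own NAT statement.
        if (p.dst, p.dport) != RULE["mapped_dst"]:
            return None
        pat_port = next(self.ports)
        self.xlate[(INSIDE_IFC_IP, pat_port)] = (p.src, p.sport)
        real_ip, real_port = RULE["real_dst"]
        # Source is PATed to the inside interface IP; destination is the real server.
        return Pkt(INSIDE_IFC_IP, pat_port, real_ip, real_port)

    def inside_to_outside(self, reply: Pkt):
        # Server2 answers 2.2.2.1 (its directly connected gateway); the xlate
        # entry restores the real client and the public address/port.
        orig = self.xlate.get((reply.dst, reply.dport))
        if orig is None:
            return None
        pub_ip, pub_port = RULE["mapped_dst"]
        return Pkt(pub_ip, pub_port, orig[0], orig[1])
```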