Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
278
Views
0
Helpful
1
Replies

Cisco ASA 9.4 NAT Help - Source NAT

telmember
Level 1
Level 1

‎03-16-2018 07:10 PM - edited ‎02-21-2020 07:31 AM

Hello Everyone:

 

I would like to kow if need ACL for this source nat to work? I am coming over L2L VPN (EXTERNAL) and want to source nat to interface on the INTERNAL. I get a warning but it accepts it.

 

Is this source nat correct? how would I add the ACL? 

 

Requirement:

Source:10.180.0.16

Destination: 10.42.220.209

Source NAT: 20.42.228.28

Destination NAT: None

 

 

Current IP Addresses:
Interface Name IP address Subnet mask Method 
GigabitEthernet0/0 EXTERNAL 109.228.23.178 255.255.255.240 CONFIG
GigabitEthernet0/1 GYN 20.55.208.1 255.255.255.0 CONFIG
GigabitEthernet0/2 INTERNAL 20.42.228.28 255.255.255.252 CONFIG
GigabitEthernet0/3 My_Corp 20.42.228.33 255.255.255.224 CONFIG
Management0/0 management 172.115.20.27 255.255.255.0 CONFIG


------------------------------------------------------------------------------------------------


route 0.0.0.0 via 109.228.23.278 VIA EXTERNAL
route 10.42.220.0 via 10.42.1.1 VIA INTERNAL

Object-group network FROM_EXTERNAL
10.180.0.0/16

Object-group network Test_Mgmt
10.42.220.209
10.42.220.210


nat (EXTERNAL,INTERNAL) source static FROM_EXTERNAL interface destination static Test_Mgmt Test_Mgmt

Policy???
access-list EXTERNAL-IN extended permit tcp object-group FROM_EXTERNAL object-group Test_Mgmt object-group eq 22

 

 

 

 

 

Labels:
0 Helpful
1 Reply 1

erwindebrouwer
Level 1
Level 1

‎03-17-2018 08:34 AM

Hi Telmember,

 

The reason you received a warning would probably be because you have built a static NAT rule (Twice-NAT is this case) for source 10.180.0.0/16 to translate to a single IP address (20.42.228.28) which is configured at the interface INTERNAL. I think the warning would be about traffic initiated from a host at INTERNAL sending to 20.42.228.28, to which IP at EXTERNAL is the ASA firewall supposed to forward the traffic?

 

Your setup could work though as sessions are always initiated from EXTERNAL, agreed. It depends on the goals you would like to reach with this setup... Could you describe further about the warning message you recieved? To validate the theory above.

 

Now, to answer your question about the ACL. The place to apply that would be at the interface level using the access-group command. But be careful, the ACL you wrote in your message would ONLY allow SSH traffic to INTERNAL.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card