Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA NAT Problem

Hi all,

In my scenario I have a remote server communicating with a private local server open to the world via static NAT.

Remote server: 1.1.1.1
ASA Outside: 2.2.2.2
ASA Inside: 192.168.1.254
Private Server: 192.168.1.100

I have configured static NAT to allow outside connections in to the private server. The private server is a linux host with a default gateway pointing to another device in the LAN on IP address 192.168.1.1.

So as to not add static routes on the linux host pointing towards the ASA for each destination the Private server will be replying to, I am looking to change the Remote servers IP address using NAT during the initial connection.

This would mean the packet has the following details before NAT:

Source IP: 1.1.1.1
Destination IP: 2.2.2.2

After NAT, the packets should have the following details:

Source IP: 192.168.1.254
Destination IP: 192.168.1.100

Rather than:

Source IP: 1.1.1.1
Destination IP: 192.168.1.100

Is this solution possbile on a Cisco ASA?

Many thanks.

Everyone's tags (1)
2 REPLIES
Super Bronze

Hi, It should be possible. At

Hi,

 

It should be possible. At the moment I am wondering what your ASA software level is though? This is a little simpler to handle in the new ASA softwares (8.3 and above) and the older ones (8.2 and below)

 

In the new software you would use the following configurations. In your case though I would probably use some free IP address from the subnet 192.168.1.0/24 for this NAT rather than the ASA interface.

 

object network SOURCE-REAL
 host 192.168.1.100

 

object network SOURCE-MAPPED
 host 2.2.2.2

 

object network DESTINATION-REAL
 host 1.1.1.1

 

object network DESTINATION-MAPPED
 host 192.168.1.253

 

nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static DESTINATION-MAPPED DESTINATION-REAL

 

This "nat" configuration would do translation to both the source and destination IP address. Looking at the above NAT configuration we would see that traffic coming from DESTINATION-REAL towards SOURCE-MAPPED would have the effect that the SOURCE-MAPPED would get untranslated to SOURCE-REAL and DESTINATION-REAL would get translated to DESTINATION-MAPPED.

 

Naturally me using the terms SOURCE and DESTINATION in the "nat" configurations might create some confusion depending from which "direction" you are actually looking the situation from. You should naturally use different "object" names to make the configuration easier to read for you. That is if you are using the new software?

 

Hope this helps :)

 

- Jouni

New Member

Hi Jouni,Thanks for that.We

Hi Jouni,

Thanks for that.

We are currently using ASA 8.2.

I know we're talking about 8.3 here; however would this solution not require every possible destination to be added to the DESTINATION-REAL object? This wouldn't be a problem for us as we only have a small amount of possible DESTINATION-REALs (remote servers only accessible over site-to-site VPN).

I understand the best solution would be to simply change the default gateway on the internal server, just curious if this would be possible in an 8.2 environment without any changes to hosts.

62
Views
0
Helpful
2
Replies
CreatePlease to create content