I have configured static NAT to allow outside connections in to the private server. The private server is a Linux host with a default gateway pointing to another device in the LAN on IP address 192.168.1.1.
So as to not add static routes on the Linux host pointing towards the ASA for each destination the Private server will be replying to, I am looking to change the Remote server's IP address using NAT during the initial connection.
This would mean the packet has the following details before NAT:
Source IP: 126.96.36.199 Destination IP: 188.8.131.52
After NAT, the packets should have the following details:
It should be possible. At the moment I am wondering what your ASA software level is though? This is a little simpler to handle in the new ASA software versions (8.3 and above) and the older ones (8.2 and below)
In the new software you would use the following configurations. In your case though I would probably use some free IP address from the subnet 192.168.1.0/24 for this NAT rather than the ASA interface.
This "nat" configuration would do translation to both the source and destination IP address. Looking at the above NAT configuration we would see that traffic coming from DESTINATION-REAL towards SOURCE-MAPPED would have the effect that the SOURCE-MAPPED would get untranslated to SOURCE-REAL and DESTINATION-REAL would get translated to DESTINATION-MAPPED.
Naturally, me using the terms SOURCE and DESTINATION in the "nat" configurations might create some confusion depending on which "direction" you are actually looking at the situation from. You should naturally use different "object" names to make the configuration easier to read for you. That is if you are using the new software?
I know we're talking about 8.3 here; however, would this solution not require every possible destination to be added to the DESTINATION-REAL object? This wouldn't be a problem for us as we only have a small amount of possible DESTINATION-REALs (remote servers only accessible over site-to-site VPN).
I understand the best solution would be to simply change the default gateway on the internal server, just curious if this would be possible in an 8.2 environment without any changes to hosts.
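The bidirectional translation described in the reply, and the rule matching that the follow-up question asks about, as a small Python model. This is an added example, not configuration or code from the thread; the `TwiceNat` class and every address except the 192.168.1.0/24 subnet and its 192.168.1.1 gateway are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)

@dataclass(frozen=True)
class TwiceNat:
    """One static twice-NAT rule using the object names from the thread."""
    source_real: str         # private server as addressed on the LAN
    source_mapped: str       # address outside peers connect to
    destination_real: str    # remote server's real address
    destination_mapped: str  # how the remote server appears on the LAN

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """DESTINATION-REAL -> SOURCE-MAPPED, as seen arriving from outside."""
        src, dst = pkt
        # Both halves must match, otherwise this rule does not apply at all.
        if src != self.destination_real or dst != self.source_mapped:
            return None
        # Source is translated, destination is untranslated.
        return (self.destination_mapped, self.source_real)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the private server; the same rule applied in reverse."""
        src, dst = pkt
        if src != self.source_real or dst != self.destination_mapped:
            return None
        return (self.source_mapped, self.destination_real)

def reply_stays_on_link(rule: TwiceNat, lan: str = "192.168.1.0/24") -> bool:
    """True when the server sees the peer as a LAN address, so its reply is
    delivered on-link instead of being sent to the 192.168.1.1 gateway."""
    return ip_address(rule.destination_mapped) in ip_network(lan)

# Constructed sample values (documentation ranges for the outside addresses).
RULE = TwiceNat(
    source_real="192.168.1.10",
    source_mapped="203.0.113.10",
    destination_real="198.51.100.20",
    destination_mapped="192.168.1.250",  # a free address in the LAN subnet
)

if __name__ == "__main__":
    print("inbound :", RULE.inbound(("198.51.100.20", "203.0.113.10")))
    print("reply   :", RULE.outbound(("192.168.1.10", "192.168.1.250")))
    # A peer that is not covered by DESTINATION-REAL does not match the rule.
    print("no match:", RULE.inbound(("198.51.100.99", "203.0.113.10")))
    print("on-link :", reply_stays_on_link(RULE))
```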