Cisco Support Community
New Member

cisco ASA: special double nat ?

Could the ASA do this NAT?

src: 192.168.1.1 des: 1.1.1.1 -> src: 2.2.2.2 des 3.3.3.3

I assume that 192.168.1.1 is a host in the internal network and it has public internet access IP 1.1.1.1.

The ASA has outside IP 1.1.1.1 and inside IP 192.168.1.254 (default gateway of 192.168.1.1).

Description: If 192.168.1.1 connects to 2.2.2.2, after it hits the firewall it comes out with source 1.1.1.1 and destination 3.3.3.3.

thanks

ngo duyen

  • Firewalling
8 REPLIES

cisco ASA: special double nat ?

Hi,

Yes, you can do it.

It is SNAT (source NAT) and DNAT (destination NAT).

Two static NAT statements, one for each NAT:

static (inside,outside) 1.1.1.1 192.168.1.1

static (outside,inside) 2.2.2.2 3.3.3.3

Regards

Dan

New Member

cisco ASA: special double nat ?

In ASA 8.3, could we do this NAT to resolve the problem?

nat (inside,outside) source static 192.168.1.1 2.2.2.2 destination static 1.1.1.1 3.3.3.3 ?

thanks

cisco ASA: special double nat ?

It's the same idea. You have to create 2 static NATs:

object network inside-host
  host 192.168.1.1
  nat (inside,outside) static 1.1.1.1

object network outside-host
  host 3.3.3.3
  nat (outside,inside) static 2.2.2.2

The main idea is that

     - the inside-host will be translated on the outside zone

     - the outside-host will be translated on the inside zone

Having static translations will give you the possibility to have bidirectional traffic.

Regards

Dan

New Member

cisco ASA: special double nat ?

Thanks Dan, please check my first post again (I have updated it).

Will your command work like this: a packet from 192.168.1.1 to 2.2.2.2, so (src, dst): (192.168.1.1,2.2.2.2),

when it gets out of the outside interface of the ASA it becomes (1.1.1.1,3.3.3.3)?

cisco ASA: special double nat ?

object network inside-host
  host 192.168.1.1
  nat (inside,outside) static 1.1.1.1

object network outside-host
  host 3.3.3.3
  nat (outside,inside) static 2.2.2.2

This will make:

src 192.168.1.1  ===> inside FW outside ===>  src 1.1.1.1
dst 2.2.2.2                                   dst 3.3.3.3

So to answer your question: yes.

Regards

Dan
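Added example, not part of the thread and not ASA code: a small Python model of the two static translations in the post above, checking the packet rewrite in both directions. The Packet and StaticNat types and the function names are assumptions made for illustration; the addresses and interface names are the ones used in the posts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class StaticNat:           # hypothetical model of one static rule
    real_ifc: str          # interface where the real address lives
    mapped_ifc: str        # interface where the mapped address is seen
    real: str
    mapped: str

RULES = [
    StaticNat("inside", "outside", "192.168.1.1", "1.1.1.1"),  # inside-host
    StaticNat("outside", "inside", "3.3.3.3", "2.2.2.2"),      # outside-host
]

def translate(pkt, ingress, egress, rules=RULES):
    """Return the packet as it leaves `egress` after entering on `ingress`."""
    src, dst = pkt.src, pkt.dst
    for r in rules:
        # Source is a real address behind the ingress interface: map it.
        if (r.real_ifc, r.mapped_ifc) == (ingress, egress) and pkt.src == r.real:
            src = r.mapped
        # Destination is a mapped address presented on the ingress
        # interface: un-translate it to the real address behind egress.
        if (r.real_ifc, r.mapped_ifc) == (egress, ingress) and pkt.dst == r.mapped:
            dst = r.real
    return Packet(src, dst)

def round_trip(pkt, ingress, egress, rules=RULES):
    """Translate a packet, then translate the reply that comes back."""
    out = translate(pkt, ingress, egress, rules)
    reply = translate(Packet(out.dst, out.src), egress, ingress, rules)
    return out, reply

if __name__ == "__main__":
    # Inside host opens a connection to 2.2.2.2.
    print(round_trip(Packet("192.168.1.1", "2.2.2.2"), "inside", "outside"))
    # Static entries match in both directions, so a packet that 3.3.3.3
    # sends to 1.1.1.1 is translated as well.
    print(translate(Packet("3.3.3.3", "1.1.1.1"), "outside", "inside"))
```

Because both entries are static, the same rewrite applies to a connection initiated from the outside interface, so the interface access rules decide which of those connections are allowed.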

New Member

cisco ASA: special double nat ?

I usually use SNAT; DNAT confuses me.

Could a Cisco router do the same function?

ip nat inside source static tcp 192.168.1.1  1.1.1.1

ip nat outside static tcp 2.2.2.2 3.3.3.3

cisco ASA: special double nat ?

Hello,

Yes. A router can do the same thing. As an example:

src: 192.168.1.1 des: 1.1.1.1 -> src: 2.2.2.2 des 3.3.3.3

ip access-list extended test1
 permit ip host 192.168.1.1 host 1.1.1.1

ip access-list extended test2
 permit ip host 1.1.1.1 host 2.2.2.2

ip nat inside source list test1 2.2.2.2

ip nat outside source list test2 3.3.3.3

Regards,

Do rate all the helpful posts

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

cisco ASA: special double nat ?

Hi Julio,

As far as I know, when you use inside NAT with a source list, the packet must be initiated on the inside only in order to be NATed. So in order to have bidirectional traffic you also have to use static statements.

Regards

Dan
