Community Member

double nat on ASA

Hello Gurus,

I have a problem with NAT. I need to do a static NAT first and then afterwards do a dynamic PAT. Is this possible on ASA?

On my inside network I have IP 192.168.16.0/24; there are users behind this network (192.168.19.0/24) who only know about 192.168.16.0/24. And I have a DMZ which users on 192.168.19.0/24 should reach. I can do this with a static mapping on the FW. But the problem is that all IPs that access the DMZ must present themselves as the IP on the FW interface. So is this possible?

First static NAT, then dynamic NAT?

Please help

3 REPLIES
Hall of Fame Super Blue

Re: double nat on ASA

It's not clear what you are trying to do. Could you give a clear example based on source IP address, destination IP address and what you want to NAT?

Jon

Community Member

Re: double nat on ASA

192.168.19.0/24 --- ( ROUTER1 ) --- 192.168.16.0/24 --- ( FW ) --- 192.168.20.0/24 --- ( ROUTER2 ) --- 192.168.21.0/24

The users on 192.168.19.0/24 need to access servers on 192.168.21.0/24; the only network 192.168.21.0/24 knows of is 192.168.20.0/24. So therefore all connections must come from the FW interface (192.168.20.1). Here we can use dynamic NAT for the 192.168.16.0/24 network. But the problem is that 192.168.19.0/24 doesn't know of 192.168.20.0/24 and 192.168.21.0/24. So we must do a static NAT on the 192.168.16.0/24 network, e.g. 192.168.16.100 statically mapped to 192.168.21.100. So what I'm asking is: is this possible, first do a static NAT and then do a dynamic NAT after, to accomplish this? PS: I cannot NAT on Router1 and Router2.

Hall of Fame Super Blue

Re: double nat on ASA

Vidar

static (outside,inside) 192.168.16.100 192.168.21.100

will allow the clients on 192.168.19.0/24 to connect to 192.168.16.100 which will then be translated to 192.168.21.100. Obviously 192.168.16.100 cannot be assigned to any device on the 192.168.16.0/24 network.

The PAT you know how to do :-)

Jon
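The static from the reply above combined with the interface PAT the question asks for, as an added example that is not part of the original thread. It assumes pre-8.3 ASA NAT syntax (the syntax the reply uses), the interface names inside and outside taken from that static command, and an arbitrarily chosen NAT ID of 1; the next-hop address is a placeholder.

```cisco
! Added example (assumptions: pre-8.3 syntax, nameif "inside" = 192.168.16.0/24 side,
! nameif "outside" = 192.168.20.0/24 side with interface IP 192.168.20.1).

! Destination translation: clients connect to 192.168.16.100 on the inside,
! the ASA rewrites the destination to the real server 192.168.21.100.
! 192.168.16.100 must not be assigned to any host on 192.168.16.0/24.
static (outside,inside) 192.168.16.100 192.168.21.100 netmask 255.255.255.255

! Source translation: the same connections leave the outside interface
! PATed to the interface address, so 192.168.21.0/24 only sees 192.168.20.1.
! NAT ID 1 is arbitrary; it only has to match between nat and global.
nat (inside) 1 192.168.19.0 255.255.255.0
global (outside) 1 interface

! The ASA needs routes to both remote networks (next hops are placeholders):
! route inside  192.168.19.0 255.255.255.0 <ROUTER1-IP>
! route outside 192.168.21.0 255.255.255.0 <ROUTER2-IP>
```

After a test connection from 192.168.19.0/24, `show xlate` should list both the static entry for 192.168.21.100 and a PAT entry mapping the client to 192.168.20.1.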
