08-15-2007 11:27 AM - edited 03-11-2019 03:58 AM
Hi everyone. I have an ASA with three interfaces. I have a NAT and Global statement that translates all my traffic destined for a server on the DMZ interface so that it appears as if it is coming from 10.0.0.10. I have another group of users who need to go to the same server on the DMZ, but their source address needs to be 10.0.0.11. I was trying not to modify my NAT global statement and use a static translation. Is there a way to do this? This is the ASA config:
global (dmz) 5 10.0.0.10
nat (inside) 5 0.0.0.0 0.0.0.0
08-15-2007 11:42 AM
Hi
If you know the IP addresses of the users you can use policy NAT, e.g. let's say the users are all on the 192.168.5.0 network
access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"
nat (inside) 6 access-list natusers
global (dmz) 6 10.0.0.11
HTH
Jon
08-15-2007 11:46 AM
Jon, thanks for a fast response. My fear was that the ASA will scream at me that the scope is overlapping with 0.0.0.0 0.0.0.0. I will try your suggestion right now.
08-15-2007 11:56 AM
Hi
No, it should be fine. I forgot to mention that you can use a static statement with policy NAT as well, it's just I don't normally do it this way, e.g.
access-list natusers permit ip 192.168.5.0 255.255.255.0 host "dmz host"
static (inside,dmz) 10.0.0.11 access-list natusers
HTH
Jon
08-15-2007 12:02 PM
Looks like the commands went in fine. It will take me a little bit of time to test the actual connectivity, but I think that will work. Jon, thanks a bunch.
P.S.: I did the dynamic nat.
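The existing rule and the policy NAT rule from this thread side by side, with commands to confirm which mapped address each source gets. This is an added example, not part of the original posts. It assumes the pre-8.3 ASA NAT syntax used in the thread, the 192.168.5.0/24 example network from the reply, and constructed placeholder addresses (10.0.0.50 for the DMZ server, 192.168.5.20 and 192.168.9.20 as test hosts); packet-tracer needs 7.2 or later.

```cisco
! Existing rule: every inside source is translated to 10.0.0.10 toward the dmz
nat (inside) 5 0.0.0.0 0.0.0.0
global (dmz) 5 10.0.0.10
!
! Policy NAT: only 192.168.5.0/24 going to the DMZ server matches
! (10.0.0.50 is a constructed placeholder for "dmz host")
access-list natusers permit ip 192.168.5.0 255.255.255.0 host 10.0.0.50
nat (inside) 6 access-list natusers
global (dmz) 6 10.0.0.11
!
! Policy NAT is evaluated before regular dynamic NAT, so the 0.0.0.0 rule
! only handles traffic the ACL does not match. That is why the two rules
! do not conflict even though their source ranges overlap.
!
! Translations built before the change keep the old mapping until they
! time out; clear xlate removes them (and drops connections using them).
!
! Verification: a host inside the ACL should be translated to 10.0.0.11,
! a host outside it to 10.0.0.10 (test addresses are constructed)
packet-tracer input inside tcp 192.168.5.20 1025 10.0.0.50 80
packet-tracer input inside tcp 192.168.9.20 1025 10.0.0.50 80
show xlate global 10.0.0.11
```

Because the ACL names the DMZ server as destination, 192.168.5.0/24 users reaching any other DMZ address still fall through to the 10.0.0.10 rule.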