Cisco Support Community
New Member

Firewall Destination Nat

Hi Guys,

I have a scenario, explained below.

I am at Site A. From Site A I want to reach 10.10.10.1/24 with the ISP-given NATed IP range 172.16.10.0/24.
How should my NAT statements, access lists and routes be on both firewalls?

SITE A
----------

I create an ACL with source 192.168.11.0/24, destn 10.10.10.1/24 / 172.16.10.0/24?
A route for 10.10.10.1/24 / 172.16.10.0/24?
And how should the NAT statement be?

I am also confused about the ASA order of operation.

First it looks for the ACL? Source 192.168.11.0/24, destn 10.10.10.1/24,
then it looks for NAT, gets NATed to 172.16.10.0/24,
then it looks for a route to reach 172.16.10.0/24?

Please let me know how to go about the configuration.

I hope I am doing a destination NAT here; otherwise please suggest how to set up this configuration.

Thanks in advance. Diagram attached.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Firewall Destination Nat

Thanks, that's a lot clearer now

Site A:

access-list nat-siteA permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0

static (inside,outside) 192.168.11.0 access-list nat-siteA

Site B:

access-list nat-siteB permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0

static (inside,outside) 172.16.0.0 access-list nat-siteB

So I assume that the real subnet at site A is 192.168.10.0/24, and the real subnet at site B is 10.10.10.0/24.
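
Added example, not part of the original reply and not Cisco code: a simplified Python model of the two policy static NAT rules above, tracing a request from Site A and the reply from Site B. The host addresses (.5, .7) and all class and function names are constructed for illustration; the model covers address rewriting only, not interface ACLs or routing. It also shows that a destination outside the ACL range, such as an address in 172.16.10.0/24 from the original question, is left untranslated.

```python
# Added illustration: policy static NAT modelled as a one-to-one network mapping.
from ipaddress import ip_address, ip_network

class PolicyStatic:
    """Models: static (inside,outside) <mapped> access-list <acl>
    where the ACL is 'permit ip <real> <peer>'. Host bits are preserved."""
    def __init__(self, real, mapped, peer):
        self.real, self.mapped, self.peer = map(ip_network, (real, mapped, peer))

    @staticmethod
    def _remap(addr, from_net, to_net):
        offset = int(addr) - int(from_net.network_address)
        return ip_address(int(to_net.network_address) + offset)

    def outbound(self, src, dst):
        """inside -> outside: rewrite the source only if the ACL matches."""
        src, dst = ip_address(src), ip_address(dst)
        if src in self.real and dst in self.peer:
            src = self._remap(src, self.real, self.mapped)
        return str(src), str(dst)

    def inbound(self, src, dst):
        """outside -> inside: un-translate the destination to the real host."""
        src, dst = ip_address(src), ip_address(dst)
        if dst in self.mapped and src in self.peer:
            dst = self._remap(dst, self.mapped, self.real)
        return str(src), str(dst)

# Networks taken from the two rules in the reply above.
SITE_A = PolicyStatic("192.168.10.0/24", "192.168.11.0/24", "172.16.0.0/24")
SITE_B = PolicyStatic("10.10.10.0/24", "172.16.0.0/24", "192.168.11.0/24")

def trace(src, dst):
    """Return (request hops, reply hops) as lists of (src, dst) tuples."""
    out = [(src, dst)]
    out.append(SITE_A.outbound(*out[-1]))   # as seen on the ISP network
    out.append(SITE_B.inbound(*out[-1]))    # as delivered inside Site B
    back = [(out[-1][1], out[-1][0])]       # server replies to what it saw
    back.append(SITE_B.outbound(*back[-1]))
    back.append(SITE_A.inbound(*back[-1]))
    return out, back

if __name__ == "__main__":
    for leg in trace("192.168.10.5", "172.16.0.7"):  # constructed hosts
        print("  ->  ".join(f"{s} > {d}" for s, d in leg))
```

On the firewalls themselves, the same flow can be checked with `packet-tracer` and `show xlate`.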

7 REPLIES
Cisco Employee

Firewall Destination Nat

What is your ASA version? There is different syntax for version 8.2 and below versus version 8.3 and above.

New Member

Firewall Destination Nat

Thanks Jennifer. The ASA version is 8.2(1), so it's not the latest one.

Cisco Employee

Firewall Destination Nat

Here you go:

access-list nat-siteA-siteB permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0

static (inside,outside) 172.16.10.0 access-list nat-siteA-siteB

BTW, what you are trying to achieve is called source NAT (policy source NAT to be exact).

New Member

Re: Firewall Destination Nat

Thanks. I am not sure if I put across the question in the correct way.

The ISP said I will be accessing the 10.10.10.0/24 network from Site A by using the 172 network (as we have multiple subnets in Site B, the ISP allocates each subnet from their end, which is routed in their network).

The source is getting NATed to another subnet, say 192.168.11.x, which is routed in the ISP.

so from site A

TRAFFIC FLOW

-------------------------

From Site A, the source is 192.168.10.x; when it goes out from Site A the source gets NATed to 192.168.11.x.

From Site A the destination is 172.16.x.x.

When the packet reaches the Site B firewall, the source is 192.168.11.x and the destination is 172.16.x.x, and the Site B firewall NATs 172.16.x.x to 10.10.10.0/24.

So this is my requirement.

Both firewalls have inside and outside interfaces.

Thanks

New Member

Re: Firewall Destination Nat

I have updated my question above

New Member

Re: Firewall Destination Nat

Thanks a lot, Jennifer. I will get this configured. Appreciate your help.
