09-16-2014 05:44 AM - edited 03-11-2019 09:45 PM
Can anyone tell me if it's possible, and if so, how to configure the following NAT, where the same source goes to two different destinations but we need them to use the same NAT address? This is on the 8.4 version of ASA code. Assume the src is off an interface with security level 0, called "DC", and the destination is off an interface "DMZ" with security level 100. Thanks
src- 192.168.100.100
dst- 172.16.1.100
service- TCP 80 & 443
NAT src to - 10.200.2.5
src- 192.168.100.100
dst- 172.16.1.120
service- TCP 80
NAT src to - 10.200.2.5
09-16-2014 06:33 AM
Can you try with this configuration:
object-network PAT-SOURCE
host 192.168.100.100
object-network PAT-SOURCE-MAPPED
host 10.200.2.5
object-network PAT-DESTINATION-1
host 172.16.1.100
object-network PAT-DESTINATION-2
host 172.16.1.120
object service SERVICE-1
service tcp destination eq 80
object service SERVICE-2
service tcp destination eq 443
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-1 SERVICE-1
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-2 SERVICE-2
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service SERVICE-1 SERVICE-1
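As an added check that is not part of the reply above, the ASA's own packet-tracer and show nat commands confirm which translation a given flow actually hits once the rules are applied. The interface names, hosts and ports are the ones from the question; the source port 12345 is an arbitrary constructed value.

```cisco
! Added verification commands, not from the original reply.
! Trace each flow in the direction the traffic really goes: host on DC to the DMZ web servers.
packet-tracer input DC tcp 192.168.100.100 12345 172.16.1.100 80 detailed
packet-tracer input DC tcp 192.168.100.100 12345 172.16.1.100 443 detailed
packet-tracer input DC tcp 192.168.100.100 12345 172.16.1.120 80 detailed
! This flow should NOT be translated by the rules above (443 to the second host was not requested).
packet-tracer input DC tcp 192.168.100.100 12345 172.16.1.120 443 detailed

! Each twice-NAT rule with its hit counter; a counter that never increments means the rule was not matched.
show nat detail
! Translations the ASA has built; 192.168.100.100 should appear as 10.200.2.5 only for the traced flows.
show xlate
```

In the trace output the NAT phase names the nat line that matched. In twice NAT the first interface in `nat (ifc1,ifc2)` is the one the source object is attached to, so if the DC-to-DMZ trace shows no NAT phase, or a different rule than expected, compare the reported rule against the object placement before relying on the bidirectional behaviour to cover the flow.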
09-16-2014 06:42 AM
Thanks, I can give that a try. My only question is regarding this part of your config:
nat (DMZ,DC)
Why is the destination interface (DMZ) listed first in the syntax? I thought with the new NAT it goes (src, dst).
09-16-2014 06:45 AM
DC is security-level 0 and DMZ is security-level 100, and the flow of the traffic is from DC to DMZ.
09-16-2014 10:35 AM
Well, to answer this question, static NAT is bidirectional. So, even though you are configuring it from DMZ to DC it will still NAT from DC to DMZ.
--
Please remember to select a correct answer and rate helpful posts
09-16-2014 10:45 AM
So based on that, would I also get the same desired result if I swapped the order and used (DC, DMZ)?
09-16-2014 11:41 AM
Theoretically, yes. But it is not a common practice or best practice to do that. Since static NAT is bidirectional (unless configured otherwise), NATing traffic from a higher security level to a lower security level has been the commonly approved way to do it.
--
Please remember to select a correct answer and rate helpful posts