Cisco Support Community
Community Member

help with NAT config on 8.4 ASA


Can anyone tell me if it's possible, and if so, how to configure the following NAT, where the same source goes to two different destinations but we need them to use the same NAT address? This is on the 8.4 version of ASA code. Assume the source is off an interface with a security level of 0, called "DC", and the destination is off an interface "DMZ" with a security level of 100. Thanks


src- 192.168.100.100
dst- 172.16.1.100
service- TCP 80 & 443
NAT src to - 10.200.2.5

src- 192.168.100.100
dst- 172.16.1.120
service- TCP 80
NAT src to - 10.200.2.5

6 REPLIES
Community Member

Can you try with this configuration:

object network PAT-SOURCE
 host 192.168.100.100
object network PAT-SOURCE-MAPPED
 host 10.200.2.5
object network PAT-DESTINATION-1
 host 172.16.1.100
object network PAT-DESTINATION-2
 host 172.16.1.120
object service SERVICE-1
 service tcp destination eq 80
object service SERVICE-2
 service tcp destination eq 443
! 192.168.100.100 -> 172.16.1.100 on TCP 80, source translated to 10.200.2.5
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-1 SERVICE-1
! 192.168.100.100 -> 172.16.1.100 on TCP 443, source translated to 10.200.2.5
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-2 SERVICE-2
! 192.168.100.100 -> 172.16.1.120 on TCP 80 only, so this rule uses SERVICE-1
nat (DMZ,DC) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service SERVICE-1 SERVICE-1


Community Member

Thanks, I can give that a try. My only question is regarding this part of your config:

nat (DMZ,DC)

Why is the destination interface (DMZ) listed first in the syntax? I thought with the new NAT it goes (src, dst).

Community Member

DC is security-level 0 and DMZ is security-level 100, and the flow of the traffic is from DC to DMZ.

Well, to answer this question, static NAT is bidirectional. So, even though you are configuring it from DMZ to DC, it will still NAT from DC to DMZ.

--

Please remember to select a correct answer and rate helpful posts
Community Member

So based on that, would I also get the same desired result if I swapped the order and used (DC, DMZ)?

Theoretically, yes. But it is not a common practice or best practice to do that. Since static NAT is bidirectional (unless configured otherwise), NATing traffic from a higher security level to a lower security level has been the commonly approved way to do it.

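As an added example (not posted by anyone in this thread), here are the same three twice-NAT rules written with the real interface first, the (DC,DMZ) form the follow-up question asks about, followed by the ASA commands used to confirm that each of the three requested flows hits the intended rule. The interface names DC and DMZ and all addresses come from the question; the source ports given to packet-tracer are arbitrary placeholders chosen for the example.

```cisco
! Real and mapped source, the two real destinations, and the two destination ports
object network PAT-SOURCE
 host 192.168.100.100
object network PAT-SOURCE-MAPPED
 host 10.200.2.5
object network PAT-DESTINATION-1
 host 172.16.1.100
object network PAT-DESTINATION-2
 host 172.16.1.120
object service SERVICE-1
 service tcp destination eq 80
object service SERVICE-2
 service tcp destination eq 443
!
! The real host 192.168.100.100 sits behind DC, so DC is the real interface and
! DMZ the mapped interface in nat (real_ifc,mapped_ifc)
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-1 SERVICE-1
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-2 PAT-DESTINATION-2 service SERVICE-1 SERVICE-1
nat (DC,DMZ) source static PAT-SOURCE PAT-SOURCE-MAPPED destination static PAT-DESTINATION-1 PAT-DESTINATION-1 service SERVICE-2 SERVICE-2
!
! Verification: list the rules with hit counts, then simulate each requested flow.
! In the packet-tracer output the NAT phase should show 192.168.100.100 becoming
! 10.200.2.5 for the first three flows. The source ports (40000-40003) are
! placeholders for the example.
show nat detail
packet-tracer input DC tcp 192.168.100.100 40000 172.16.1.100 80
packet-tracer input DC tcp 192.168.100.100 40001 172.16.1.100 443
packet-tracer input DC tcp 192.168.100.100 40002 172.16.1.120 80
! This flow matches none of the three rules (TCP 443 to the second host was not
! requested), so the source address must be left untranslated in the output
packet-tracer input DC tcp 192.168.100.100 40003 172.16.1.120 443
! Live connections and their translations
show xlate
```

Two points worth checking while verifying: because DC has security level 0 and DMZ 100, the DC-to-DMZ flows also need an access-list applied on DC that permits them, and on ASA 8.3 and later that access-list references the real (untranslated) address 192.168.100.100, not 10.200.2.5. And because static NAT is bidirectional, the same rules let the two DMZ hosts reach 10.200.2.5 on the listed ports and have it translated back to 192.168.100.100, so the access policy on DMZ should be reviewed with that reverse path in mind.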