Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

how to nat source IP inbound on asa5510 outside interface

Hi

I have a query which is frankly stumping me at the moment.

A customer has a couple of web servers on their internal network. They need to provide access from external hosts to these servers on port 443. They have an ASA5510 which has static NAT to translate the inbound destination IP from an external address to the real internal address of the servers.  This all works fine as proved with 'capture'. I can see inbound packets being translated and squirted out the inside interface to the servers, via an internal L3 switch.

However, the ASA is NOT the default gateway of the internal L3 switch, so responses from the servers hit their default gw (the L3 switch) which for obvious reasons doesn't have a seperate route for every single internet host, so the L3 switch forwards the response to it's default gw which is a different firewall (not the ASA the request came in on).

So the problem is the client never sees the response from the server.

Without changing the default gw of the L3 switch, I believe the only way around this problem is to get the ASA to translate the inbound SOURCE IP address as well as the destination, so that the L3 switch can forward the responses from the server back to the ASA correctly.

However I'm unsure on how this should be configured.

Thanks in advance for any suggestions!

Everyone's tags (3)
3 REPLIES
Cisco Employee

Re: how to nat source IP inbound on asa5510 outside interface

Your idea is a good idea. You can use policy static or policy nat.

static (outside,inside) inside_address access-list change-source-ip

access-list change-source-ip permit ip host source_ip_internet host webserver_ip_public

nat (outside) access-list change-source-ip outside ---> you need the keyword outside

global (inside) interface

-KS

New Member

Re: how to nat source IP inbound on asa5510 outside interface

Thanks!!! This policy nat helped me resolve an SSL vpn client issue.

Cisco Employee

Re: how to nat source IP inbound on asa5510 outside interface

Hello,

Most optimum would be to use the correct defualt gateway, but if that is not possible, you can use policy NAT like below :


If a host (160.1.1.1) on outside world would like to access a website (192.168.1.1) on inside using a public IP (160.1.1.2)

access-list policy extended permit tcp host 160.1.1.1 192.168.1.1
Static (inside,outside) 160.1.1.2 access-list policy

nat (outside) access-list policy outside

global (inside) interface

Reason you need to use outside keyword, is that you are trying to use NAT for a lower security interface.

HTH

Vijaya

3155
Views
5
Helpful
3
Replies
CreatePlease login to create content