Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

NAT 8.0

Friends,

I have a strange question here please bare  with me if it is funny but it is woking live with thirdparty firewall  which is going to be replaced by the ASA.

Third party firewall is working with below policy and i want to do it in ASA 8.0:

i  have a server in my internal network 192.168.1.1 which accepts only  specific IP's as a source addresses (192.168.10.1 to 192.168.10.100) on a  port 2445 . The connection is initiating from extranet with source ip  address  172.16.10.0/24 to destination virtual IP 192.168.100.1 on a  port 2445 which is then directing traffic to inside server 192.168.1.1  with a source ip address from the pool mentioned above.

This  means the thirdy party firewall is doing  the destination NAT and the  source NAT which are both merged togther to one flow to achieve the  customer requirement,

Can anybody write for me the configs pls.i hope it is a concept of twice nat but how to achieve this in 8.0

2 REPLIES
Super Bronze

NAT 8.0

Hi,

It seems to me that you would need 8.3 software at minimum to achieve that with a single NAT configuration.

I mean when the change of ASA software went from 8.2 -> 8.3 you were now able to NAT both the source and destination IP/network

Heres an example configuration

object network REAL-SOURCE

subnet 172.16.10.0 255.255.255.0

object network MAPPED-SOURCE

subnet 192.168.10.0 255.255.255.0

object network REAL-DESTINATION

host 192.168.1.1

object network MAPPED-DESTINATION

host 192.168.100.1

nat (USERS,SERVER) source static REAL-SOURCE MAPPED-SOURCE destination static MAPPED-DESTINATION REAL-DESTINATION

To my understanding that would mean that while connecting from interface USERS (172.16.10.0/24) to the MAPPED-DESTINATION host on interface SERVER (192.168.100.1) the ASA firewall would NAT your traffic from network 172.16.10.0/24 to network 192.168.10.0/24 while connecting to the actual REAL-DESTINATION address (192.168.1.1)

I'm not sure if theres any way to do it in older software.

Gotta get my morning coffee and think about it after that My head doesnt always work in the morning

Hope this helps

- Jouni

New Member

NAT 8.0

Well, you can do this in 8.0, give this a try

These access list define what to NAT

access-list outnat extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0

access-list innat extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.100.1 eq telnet

Here is your pool of addresses and NAT statement for it

global (inside) 1 192.168.10.1-192.168.10.100

nat (extranet) 1 access-list innat outside

Here is the Static NAT statement to map 192.168.1.1 to 192.168.100.1

static (inside,extranet) 192.168.100.1  access-list outnat

214
Views
0
Helpful
2
Replies
CreatePlease to create content