NAT destination on an interface of a CISCO ASA 8.3

khayhuynh
Level 1

Hi all,

I have an ASA firewall, version 8.3.

This firewall is connected with 2 interfaces, one for the LAN (let's say that the IP address is 192.168.10.254), and one for the WAN (let's say 10.10.10.254).

Is it possible to configure that kind of NAT:

IP Source                                IP destination                               Port
192.168.10.0/24 (a host on the LAN)      -->  192.168.10.254 (LAN interface of the FW)   X

becomes:

IP Source                                IP destination                               Port
10.10.10.254 (WAN interface of the FW)   -->  15.10.10.254                               Y

(and the IP address 15.10.10.254 will be routed with a static route on the FW)

I wonder if this kind of NAT is supported on the CISCO ASA FW. I know that it's possible on Juniper FW but not the ASA ones...


Many thanks for your help,

Regards


6 Replies

Jennifer Halim
Cisco Employee

Sorry, I am a bit confused with the IP Source and IP Destination that you posted:

IP Source                                IP destination                               Port
192.168.10.0/24 (a host on the LAN)      -->  192.168.10.254 (LAN interface of the FW)   X

Do you mean to say the following:

IP Source                                IP destination      Port
192.168.10.0/24 (a host on the LAN)      -->  15.10.10.254   X

becomes:

IP Source                                IP destination      Port
10.10.10.254 (WAN interface of the FW)   -->  15.10.10.254   Y

If the above is correct, then do you mean to try:

- to NAT all IP address from 192.168.10.0/24 destined to 15.10.10.254 to 10.10.10.254?

OR

You actually want to NAT both source and destination as follows:

NAT: 192.168.10.0/24 destined to 15.10.10.254 to 10.10.10.254

and also,

NAT: 15.10.10.254 to 192.168.10.254?

Hello Jennifer,

It's actually the second case: I want to NAT both:

the destination address (before NAT, it's the IP address of the LAN interface of the FW, 192.168.10.254 / after NAT, it's the address 15.10.10.254)

the source address (before NAT, it's an IP on the LAN range / after NAT, it's the address of the WAN interface of the FW).

For the NAT of the source (the second one), I think it's possible, it's just a PAT.

But I'm not sure about the other one...

Regards,

OK, you can possibly configure the following:

object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0
object network obj-15.10.10.254
     host 15.10.10.254
object network obj-192.168.10.1
     host 192.168.10.1
! source: dynamic PAT of the LAN subnet to the outside interface address
! destination: in twice NAT the mapped (LAN-visible) object is listed first, the real address second
nat (inside,outside) source dynamic obj-192.168.10.0 interface destination static obj-192.168.10.1 obj-15.10.10.254

For the destination address of 15.10.10.254, you can't NAT it to the inside interface ip address, however, you can NAT it to a unique ip address within the 192.168.10.0/24 subnet.

Hope that makes sense.

It does make sense.

If I can't choose the interface as the NAT address, and I have to choose another one in the LAN range (in your example, 192.168.10.1), how are the flows being routed to the Firewall? With proxy ARP activated on the LAN interface, am I right?

Absolutely correct, proxy ARP needs to be enabled on the LAN interface:

no sysopt noproxyarp inside
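To make the accepted answer concrete, here is an added toy model of the rule it describes (illustration code written for this thread, not Cisco's or the ASA's code). It assumes the semantics stated in the reply: LAN hosts on 192.168.10.0/24 send to the LAN-range address 192.168.10.1, the ASA rewrites the source to its outside interface address 10.10.10.254 with a PAT port and the destination to the real address 15.10.10.254, keeps an xlate entry so the reply can be untranslated, and answers ARP for 192.168.10.1 on the inside interface only when proxy ARP is on. The rule as posted does not change the destination port, so the X/Y port change from the original question is not modelled; the protocol field and the PAT port allocation strategy are simplified assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP/UDP packet; protocol is omitted for brevity."""
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNat:
    """Toy model of one ASA manual (twice) NAT rule of the form
        nat (inside,outside) source dynamic <lan_net> interface
                             destination static <mapped_dst> <real_dst>
    i.e. dynamic source PAT to the outside interface plus a static
    destination translation, with the xlate table needed for replies."""

    def __init__(self, real_src_net, outside_if_ip, mapped_dst, real_dst, pat_port_start=1024):
        self.real_src_net = ipaddress.ip_network(real_src_net)
        self.outside_if_ip = outside_if_ip
        self.mapped_dst = mapped_dst  # address the LAN hosts actually send to
        self.real_dst = real_dst      # address the packet is rewritten to
        self.next_port = pat_port_start  # sequential PAT ports (assumption, for clarity)
        # (outside ip, PAT port) -> (real LAN source ip, real source port)
        self.xlate = {}

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in self.real_src_net
                and pkt.dst == self.mapped_dst)

    def translate(self, pkt):
        """inside -> outside: source becomes interface PAT, destination becomes real."""
        if not self.matches(pkt):
            return pkt  # rule not hit; other NAT rules or plain routing would apply
        pat_port = self.next_port
        self.next_port += 1
        self.xlate[(self.outside_if_ip, pat_port)] = (pkt.src, pkt.sport)
        return Packet(self.outside_if_ip, pat_port, self.real_dst, pkt.dport)

    def untranslate(self, reply):
        """outside -> inside: reverse the translation via the xlate entry.
        A packet with no matching entry is dropped (None), which is why
        unsolicited traffic to the PAT address never reaches the LAN."""
        key = (reply.dst, reply.dport)
        if reply.src != self.real_dst or key not in self.xlate:
            return None
        real_src, real_sport = self.xlate[key]
        return Packet(self.mapped_dst, reply.sport, real_src, real_sport)


def inside_if_answers_arp(rule, inside_if_ip, proxy_arp_enabled, target_ip):
    """Whether the inside interface replies to an ARP request for target_ip.
    Its own address is always answered; the mapped destination only when
    proxy ARP is enabled there ('no sysopt noproxyarp inside' in the thread)."""
    if target_ip == inside_if_ip:
        return True
    return proxy_arp_enabled and target_ip == rule.mapped_dst


def demo():
    """Run one LAN -> WAN flow and its reply through the rule (constructed values)."""
    rule = TwiceNat("192.168.10.0/24", "10.10.10.254", "192.168.10.1", "15.10.10.254")
    request = Packet("192.168.10.20", 40000, "192.168.10.1", 443)
    outbound = rule.translate(request)
    reply = Packet("15.10.10.254", 443, outbound.src, outbound.sport)
    inbound = rule.untranslate(reply)
    return outbound, inbound


if __name__ == "__main__":
    out, back = demo()
    print("LAN -> WAN after NAT :", out)
    print("WAN -> LAN after NAT :", back)
    rule = TwiceNat("192.168.10.0/24", "10.10.10.254", "192.168.10.1", "15.10.10.254")
    for enabled in (False, True):
        print("proxy ARP", "on " if enabled else "off",
              "-> inside answers ARP for 192.168.10.1:",
              inside_if_answers_arp(rule, "192.168.10.254", enabled, "192.168.10.1"))
```

The model makes the operational point of the thread visible: the LAN host talks to 192.168.10.1, so the ASA must own that address at layer 2 (proxy ARP), and the reverse translation only works for packets that match an existing xlate entry.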

Ok, many thanks for your help and quick answers!

Regards,
