Single host with static NAT inbound, dynamic NAT outbound
I need to find out how to configure an ASA 5520 to accommodate an outbound xlate using the normal global pool, if it has an outside to inside static xlate defined. The outside to inside static translate uses a phantom global address and the inside host's physical address to accommodate inbound traffic from a remote L2L VPN connection. This works fine. My problem is that when the host attempts sending internet bound traffic that is not traversing the VPN, it is using the static NAT. As the traffic egresses to the internet, the newly translated source address is the phantom (10.x.x.x) address.
I am trying to determine how to force internet bound traffic from this host to use the normal NAT/Global configuration that is in place listed here:
Re: Single host with static NAT inbound, dynamic NAT outbound
Thanks for your response.
I don't necessarily need to use a dynamic xlate outbound so much as just come up with something that will allow the internal server to be able to access the internet.
The basic requirement of the vendor VPN connection is that they need to route traffic to us over the ipsec tunnel using a specific 10.x.x.x address whose subnet does not exist on the firewall. I am just statically translating this 10.x.x.x address to the correct inside address, which works fine for the vendor to access our internal server. The problem is that when the internal server sends outbound traffic to the internet instead of the vendor VPN tunnel, the source IP is translated to the non-routable 10.x.x.x address.
I looked at policy static nat, using an ACL to determine vendor vs. internet traffic, but there are two issues that I am unsure of. 1. Will these NATs allow outside to inside traffic based on the ACL applied to the interface, and 2. Since no "deny" statements are allowed in the ACL, I am doing two ACLs, one with a /32 match on the vendor VPN traffic and another ACL with a match on 0.0.0.0/0, hoping the vendor will take the more specific ACL match. I am putting the policy static nat commands in this order.
I have a time scheduled next week to try this config and see if it works.
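The following is an added configuration example, not part of the thread and not the poster's actual config. All addresses are constructed placeholders: 192.168.1.10 stands for the internal server, 10.1.1.10 for the phantom address the vendor routes to, 172.16.50.0/24 for the vendor network behind the L2L tunnel, and 192.168.1.0/24 for the inside subnet that uses the normal NAT/global pair. On pre-8.3 ASA code, NAT is evaluated in the order NAT exemption, static (policy static before regular static), policy dynamic, regular dynamic, so a policy static whose ACL matches only the vendor traffic leaves internet-bound traffic to fall through to `nat`/`global` on its own; a second policy static with a 0.0.0.0/0 ACL is not needed. The 8.3+ form is shown below it for comparison.

```cisco
! Constructed addresses (placeholders, not from the post):
!   192.168.1.10    real address of the internal server
!   10.1.1.10       phantom address the vendor routes to over the L2L tunnel
!   172.16.50.0/24  vendor network on the far side of the tunnel
!   192.168.1.0/24  inside subnet using the ordinary dynamic NAT/global pair

! ---------- ASA 8.2 and earlier: policy static NAT ----------
! Only traffic between the server and the vendor network matches this ACL.
! The ACL is written from the inside (real) perspective; the ASA reverses it
! for the vendor's inbound connections to 10.1.1.10.
access-list VENDOR_NAT extended permit ip host 192.168.1.10 172.16.50.0 255.255.255.0

! Policy static: 10.1.1.10 <-> 192.168.1.10 applies only when the ACL matches.
! Static xlates are bidirectional, so vendor-initiated traffic still reaches
! the server; it remains subject to the outside interface ACL (or
! sysopt connection permit-vpn), exactly as before.
static (inside,outside) 10.1.1.10 access-list VENDOR_NAT

! Anything from the server that does not match VENDOR_NAT (i.e. internet-bound
! traffic) is not touched by the static and falls through to this pair.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! ---------- ASA 8.3 and later: manual (twice) NAT + object NAT ----------
object network INT_SRV
 host 192.168.1.10
object network INT_SRV_PHANTOM
 host 10.1.1.10
object network VENDOR_NET
 subnet 172.16.50.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0

! Section 1 (manual NAT) is evaluated first and only matches server <-> vendor.
nat (inside,outside) source static INT_SRV INT_SRV_PHANTOM destination static VENDOR_NET VENDOR_NET

! Section 2 (object NAT) handles the server's internet-bound traffic.
object network INSIDE_NET
 nat (inside,outside) dynamic interface
```

After applying either form, `show xlate` should show the server's vendor-bound flows translated to the phantom address and its internet-bound flows translated to the outside interface address; if the wrong xlate persists, clear the stale entry with `clear xlate` for that host before retesting.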