07-16-2013 11:55 PM - edited 03-11-2019 07:13 PM
Hi guys,
I'm trying to configure NAT on an ASA in the following way:
IN 192.168.1.1:443 <- 172.16.1.1:443 OUT - static PAT
IN 192.168.1.13:25 <- 172.16.1.1:25 OUT - static PAT
IN 192.168.1.1, 1.13 -> 172.16.1.1 OUT
IN 192.168.1.0/24 -> 172.16.1.2 OUT - dynamic PAT
how can I map only the 192.168.1.1 and 1.13 to the external ip 172.16.1.1 when they send traffic out?
everything else should go out with 172.16.1.2.
Thanks.
07-17-2013 12:08 AM
Hi,
If I understood you correctly you want to do the following
I think the following should accomplish this
STATIC PAT

object network STATIC-PAT-HTTPS
 host 192.168.1.1
 nat (inside,outside) static 172.16.1.1 service tcp https https

object network STATIC-PAT-SMTP
 host 192.168.1.13
 nat (inside,outside) static 172.16.1.1 service tcp smtp smtp

SERVER DYNAMIC PAT

object-group network SERVERS-PAT-SOURCE
 network-object host 192.168.1.1
 network-object host 192.168.1.13

object network SERVER-PAT
 host 172.16.1.1

nat (inside,outside) after-auto 1 source dynamic SERVERS-PAT-SOURCE SERVER-PAT

DEFAULT DYNAMIC PAT

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0

object network DEFAULT-PAT
 host 172.16.1.2

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE DEFAULT-PAT
Naturally the above presumes you have no other conflicting NAT configurations that might interfere with the operation of these configurations.
Notice that the Dynamic PAT configuration for the 2 server IP addresses has an added order/line number "1". This makes sure that the rule is hit first in Section 3 of the NAT rules. Naturally there is still a possibility that the NAT could be overridden depending on your existing configurations.
Notice also that we don't add any such order/line number in the other Dynamic PAT configuration that is meant for all the other outbound traffic. This means that the NAT rule is added at the bottom of the existing NAT rules in Section 3.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
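To see why the line number on the after-auto rule matters, here is an added Python model of the first-match walk the ASA does over Sections 1, 2 and 3 with the rules from this thread. It is example code, not anything from the thread or from Cisco; the VPN pool 10.10.10.0/24 and the outside host 203.0.113.10 are assumed, and Section 2 is simplified to the two static PAT entries matching only on their service port.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    section: int        # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    real_src: str       # real source network(s) matched, space separated CIDRs
    mapped_src: str     # translated source; equal to real_src means identity (NAT exempt)
    real_dst: str = "0.0.0.0/0"   # real destination match, used by the VPN exemption
    port: int = 0                 # static PAT: only flows from this source port match (0 = any)

def install(table, rule, line=None):
    """Append a rule to its section, or insert it at position `line` within that section."""
    section_rules = [i for i, r in enumerate(table) if r.section == rule.section]
    if line is not None and line <= len(section_rules):
        table.insert(section_rules[line - 1], rule)
    else:
        table.append(rule)   # no line number: lands at the bottom of its section

def matches(rule, src, dst, sport):
    ip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(ip in ipaddress.ip_network(n) for n in rule.real_src.split())
            and dip in ipaddress.ip_network(rule.real_dst)
            and (rule.port == 0 or rule.port == sport))

def translate(table, src, dst, sport):
    """Walk Sections 1, 2, 3 in order (stable sort keeps config order); first match wins."""
    for rule in sorted(table, key=lambda r: r.section):
        if matches(rule, src, dst, sport):
            mapped = src if rule.mapped_src == rule.real_src else rule.mapped_src.split("/")[0]
            return rule.name, mapped
    return "no-nat", src

def build_table(server_rule_line=1):
    """Rebuild the thread's NAT config; server_rule_line=None drops the "1" from the server rule."""
    t = []
    # Section 1: VPN NAT exemption (assumed VPN pool 10.10.10.0/24, not given in the thread)
    install(t, NatRule("NAT-EXEMPT-VPN", 1, "192.168.1.0/24", "192.168.1.0/24", "10.10.10.0/24"))
    # Section 2: object NAT static PAT entries, matching only the published service port
    install(t, NatRule("STATIC-PAT-HTTPS", 2, "192.168.1.1/32", "172.16.1.1/32", port=443))
    install(t, NatRule("STATIC-PAT-SMTP", 2, "192.168.1.13/32", "172.16.1.1/32", port=25))
    # Section 3: default PAT assumed to exist already, then the server PAT rule is added
    install(t, NatRule("DEFAULT-PAT", 3, "192.168.1.0/24", "172.16.1.2/32"))
    install(t, NatRule("SERVER-PAT", 3, "192.168.1.1/32 192.168.1.13/32", "172.16.1.1/32"),
            line=server_rule_line)
    return t

if __name__ == "__main__":
    print(translate(build_table(), "192.168.1.1", "203.0.113.10", 51000))      # SERVER-PAT, 172.16.1.1
    print(translate(build_table(None), "192.168.1.1", "203.0.113.10", 51000))  # DEFAULT-PAT, 172.16.1.2
```

Running it with and without the line number shows the server host being translated to 172.16.1.1 in the first case and swallowed by the default PAT to 172.16.1.2 in the second, which is exactly the overlap the "1" avoids.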
07-17-2013 12:32 AM
Hi Jouni,
Thanks for the reply.
It works great.
Thanks.
07-17-2013 01:30 AM
Hi Jouni,
Short question.
How can I integrate the NAT exemption rules for VPN traffic?
If I run a packet tracer, with the regular NAT exemption and the Section 3 rules, the packet will be dropped.
E.g.: nat (inside,outside) source static LAN LAN destination static VPN VPN -> this will end up in Section 1/Manual NAT and will not be matched.
LAN: 192.168.1.0
Thanks.
07-17-2013 01:33 AM
Hi,
I am not quite sure I follow you.
Are you saying that you have some NAT Exempt rule for VPN traffic and it's not getting matched at all?
Could you share the "packet-tracer" command you used and the NAT Exempt configuration with the object configurations included.
- Jouni
07-17-2013 01:45 AM
My bad.
Previously I modified the object to another range.
It works as expected.
Thanks again.