Cisco Support Community
Static and dynamic NAT together

Hello, let me ask you if this is possible.

I have the following right now :

nat (dmz,ext) source static obj-192.168.15.87 obj-172.31.22.55 destination static obj-172.20.22.0

...so network 172.20.22.0/24 can connect to 192.168.15.87 through NAT address 172.31.22.55.

Now I would need a second NAT, which would be a dynamic NAT, so that 172.20.22.0/24 would be dynamically PATed to IP 192.168.15.66 outbound from the dmz interface. It means that server 192.168.15.87 will see connections not from the real network 172.20.22.0/24 but from 192.168.15.66/32. Is that possible, or does it create problems having a static and a dynamic NAT on the same firewall? I cannot test it, unfortunately.

 

Thank you

1 ACCEPTED SOLUTION

Hi,

I always like to look at the current NAT configuration before adding anything new. In your case I guess you would need to configure the "nat" command a bit differently if you wanted to combine both the Dynamic PAT and the Static NAT into the same command.

Something like this:

nat (ext,dmz) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

The above configuration should match connections coming from behind the "ext" interface, from source network 172.20.22.0/24, towards the NAT IP address 172.31.22.55 going to the "dmz", after which the destination IP address 172.31.22.55 would be UN-NATed to 192.168.15.87 and the source IP address 172.20.22.x would be PATed to 192.168.15.66.

I did a brief test on my home ASA with the following configuration:

object network obj-172.20.22.0
 subnet 172.20.22.0 255.255.255.0
object network obj-192.168.15.66
 host 192.168.15.66
object network obj-192.168.15.87
 host 192.168.15.87
object network obj-172.31.22.55
 host 172.31.22.55

nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

The "packet-tracer" test seems to match this configuration and does the translations. Here are the NAT phases from the output.

The command used was:

packet-tracer input WAN tcp 172.20.22.100 12345 172.31.22.55 80

In my configuration "WAN" corresponds to "ext" and "LAN" corresponds to "dmz".

UN-NAT of the destination IP:

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
NAT divert to egress interface LAN
Untranslate 172.31.22.55/80 to 192.168.15.87/80

NAT of the source IP address:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87
Additional Information:
Dynamic translate 172.20.22.100/12345 to 192.168.15.66/12345

Hope this helps :)

- Jouni
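To make the two packet-tracer phases above concrete, here is an added Python model of that single twice-NAT rule. It is example code written for this thread, not ASA code and not part of any post; it reproduces the UN-NAT of the destination and the dynamic PAT of the source for the packet-tracer input used above, then goes beyond the trace to show two things the thread does not: the reply packet being translated back through the xlate entry the forward packet created, and a second client that collides on source port 12345 and so gets a different mapped port. The port behaviour (try to keep the original port, otherwise fall back to a fixed 1024-65535 pool), the TCP-only handling, the single-rule lookup and the absence of xlate timeouts are simplifying assumptions of this model, not a statement of how the ASA allocates PAT ports.

```python
"""Model of the twice-NAT rule from this thread:

    nat (WAN,LAN) source dynamic obj-172.20.22.0 obj-192.168.15.66 destination static obj-172.31.22.55 obj-192.168.15.87

Added example, not ASA code. Assumptions: one rule, TCP only, port preservation first
then a fixed fallback pool, no xlate timeouts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import chain


@dataclass(frozen=True)
class Packet:
    ifc: str        # interface the packet is seen on (ingress for input, egress for output)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class TwiceNatRule:
    real_ifc: str    # first interface in "nat (real,mapped)": where the real source lives
    mapped_ifc: str  # second interface: where the PAT address and the real server live
    src_real: str    # real source network            (obj-172.20.22.0)
    src_mapped: str  # PAT address sources hide behind (obj-192.168.15.66)
    dst_mapped: str  # destination the client targets  (obj-172.31.22.55)
    dst_real: str    # real server after UN-NAT        (obj-192.168.15.87)

    def matches(self, pkt: Packet) -> bool:
        # All three conditions must hold; anything else falls through to other rules.
        return (pkt.ifc == self.real_ifc
                and ip_address(pkt.src_ip) in ip_network(self.src_real)
                and pkt.dst_ip == self.dst_mapped)


# Assumption: fallback range used when the original source port is already taken.
PAT_POOL = range(1024, 65536)


class NatEngine:
    def __init__(self, rule: TwiceNatRule):
        self.rule = rule
        # xlate table: (mapped src ip, mapped src port) -> (real src ip, real src port)
        self.xlates: dict[tuple[str, int], tuple[str, int]] = {}

    def _allocate_port(self, real_ip: str, real_port: int) -> int:
        mapped = self.rule.src_mapped
        # Reuse the existing xlate for this real source, if there is one.
        for (_, m_port), real in self.xlates.items():
            if real == (real_ip, real_port):
                return m_port
        # Try to preserve the original port, otherwise take the first free pool port.
        for port in chain((real_port,), PAT_POOL):
            if (mapped, port) not in self.xlates:
                self.xlates[(mapped, port)] = (real_ip, real_port)
                return port
        raise RuntimeError("PAT port pool exhausted")

    def forward(self, pkt: Packet):
        """Client -> server direction. Returns (translated packet, phase lines) or None."""
        r = self.rule
        if not r.matches(pkt):
            return None
        # packet-tracer "UN-NAT" phase: mapped destination -> real server, egress mapped_ifc
        phases = [f"UN-NAT static: Untranslate {pkt.dst_ip}/{pkt.dst_port} "
                  f"to {r.dst_real}/{pkt.dst_port}"]
        m_port = self._allocate_port(pkt.src_ip, pkt.src_port)
        # packet-tracer "NAT" phase: real source -> PAT address
        phases.append(f"NAT dynamic: Dynamic translate {pkt.src_ip}/{pkt.src_port} "
                      f"to {r.src_mapped}/{m_port}")
        return Packet(r.mapped_ifc, r.src_mapped, m_port, r.dst_real, pkt.dst_port), phases

    def reverse(self, pkt: Packet):
        """Server -> client direction via the xlate table; unsolicited traffic gets None."""
        r = self.rule
        if pkt.ifc != r.mapped_ifc or pkt.src_ip != r.dst_real:
            return None
        real = self.xlates.get((pkt.dst_ip, pkt.dst_port))
        if real is None:
            return None
        real_ip, real_port = real
        return Packet(r.real_ifc, r.dst_mapped, pkt.src_port, real_ip, real_port)


RULE = TwiceNatRule("WAN", "LAN", "172.20.22.0/24", "192.168.15.66",
                    "172.31.22.55", "192.168.15.87")


def demo():
    eng = NatEngine(RULE)
    # The exact packet-tracer input from the thread.
    fwd, phases = eng.forward(Packet("WAN", "172.20.22.100", 12345, "172.31.22.55", 80))
    # Reply from the real server, addressed to the PAT address and port.
    back = eng.reverse(Packet("LAN", "192.168.15.87", 80, "192.168.15.66", 12345))
    # Second client using the same source port: it cannot keep 12345 on the PAT address.
    fwd2, _ = eng.forward(Packet("WAN", "172.20.22.101", 12345, "172.31.22.55", 80))
    # Same client to a different destination: this rule does not apply at all.
    miss = eng.forward(Packet("WAN", "172.20.22.100", 12345, "172.31.22.60", 80))
    return fwd, phases, back, fwd2, miss


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `miss` case is the practical point: because the destination half of the rule is static and specific to 172.31.22.55, the PAT to 192.168.15.66 only happens for traffic aimed at that mapped address, so other flows from 172.20.22.0/24 still have to be covered by whatever other NAT rules exist, and rule order still matters on the real box.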

 

2 REPLIES

It seems to be working in a test environment!
