10-24-2013 12:58 PM - edited 03-11-2019 07:56 PM
I am running an ASA5545X pair with 8.4 IOS.
I want to make a rule that performs a NAT exemption for one host to any destination (this is because there is another upstream firewall that connects to the Internet, and I want the host to access it with its actual address).
Would I use an obj-any for this as a destination?
If someone could give me a configuration example, it would be great.
10-24-2013 01:05 PM
Hi,
I guess you could use Manual NAT to essentially configure Static Identity NAT for this single host
If the information was this
Then the configuration could be
object network HOST
host 10.10.10.10
nat (LAN,WAN) 1 source static HOST HOST
Essentially what this would do is that when the host 10.10.10.10 connects to some destination host, then as long as the ASA's routing table points towards the WAN interface, this NAT configuration should be applied and let the packet preserve the original source address.
It's a different thing if you want to actually force all traffic from this single host (without NAT) towards any destination address through some interface that does NOT hold the default route.
Hope this helps
- Jouni
10-24-2013 01:12 PM
Hi,
For further information:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647
10-24-2013 01:17 PM
So I don't really need a destination field in this case? So if the internal (actual) address of the host is
192.168.108.4
I would do
object network TEST-HOST
host 192.168.108.4
nat (inside,outside) 1 source static TEST-HOST TEST-HOST
yes?
10-24-2013 01:20 PM
Hi,
Yes, that should be it, especially since you seem to configure it for destination interface "outside", which most likely holds the default route on the ASA.
You can confirm the operation with "packet-tracer", for example
packet-tracer input inside tcp 192.168.108.4 12345 1.1.1.1 80
This should show you a NAT Phase (among many others) which keeps the source address unchanged.
Let us know if it worked for you. If not then we will have to look at the "packet-tracer" output closely and perhaps the configurations.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
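As an added audit helper (not from the thread and not Cisco's own tooling), the script below parses a constructed running-config excerpt and reports whether a host has an any-destination identity NAT, like TEST-HOST above, towards a given egress interface; a rule that carries a "destination static" clause is deliberately not counted, because it only exempts traffic to that one destination. Object and interface names in the sample are assumptions.

```python
import re

# Constructed sample running-config excerpt (not from the thread's ASA).
# Contains: the identity NAT for the host, an ordinary dynamic PAT rule,
# and a destination-scoped identity NAT towards an assumed "dmz" interface.
SAMPLE_CONFIG = """
object network TEST-HOST
 host 192.168.108.4
object network INSIDE-NET
 subnet 192.168.108.0 255.255.255.0
object network DMZ-NET
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) 1 source static TEST-HOST TEST-HOST
nat (inside,outside) 2 source dynamic INSIDE-NET interface
nat (inside,dmz) source static TEST-HOST TEST-HOST destination static DMZ-NET DMZ-NET
"""

# Manual (twice) NAT line; the sequence number is optional because
# "show running-config nat" prints the lines without it.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)\s+(?:(?P<seq>\d+)\s+)?"
    r"source (?P<mode>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)

def parse_host_objects(config):
    """Map 'object network NAME' -> IP for single-host objects only."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects

def identity_nat_rules(config):
    """Manual NAT rules whose real and mapped source objects are the same."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m["mode"] == "static" and m["real"] == m["mapped"]:
            rules.append(m.groupdict())
    return rules

def host_is_exempt(config, host_ip, egress_if):
    """True if host_ip has an identity NAT to ANY destination via egress_if."""
    hosts = parse_host_objects(config)
    return any(hosts.get(r["real"]) == host_ip and r["dst_if"] == egress_if
               and r["dst_real"] is None  # no destination clause => any destination
               for r in identity_nat_rules(config))
```

Run it against the output of "show running-config" pasted into SAMPLE_CONFIG; packet-tracer remains the authoritative check on the box itself.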
10-24-2013 01:35 PM
yep, that worked
thanks