Solved: Re: Static NAT on 8.4 question

Colin Higgins · ‎10-24-2013

I am running a ASA5545X pair with 8.4 IOS.

I want to make a rule that performs a NAT exemption for one host to any destination (this is because there is another upstream firewall that connects to the Internet, and I want the host to access it with its actualy address).

Would I use an obj-any for this as a destination?

If someone could give me a configuration example, it would be great.

andduart · ‎10-24-2013

Hi,

For further information:

Configuring Identity NAT

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647

View solution in original post

Jouni Forss · ‎10-24-2013

Hi,

Yes, that should be it especially since you seem to configure it for destination interface "outside" which most likely holds the default route on the ASA.

You can confirm the operation with "packet-tracer", for example

packet-tracer input inside tcp 192.168.108.4 12345 1.1.1.1 80

This should show you a NAT Phase (among many other) which keeps the source address unchanged.

Let us know if it worked for you. If not then we will have to look at the "packet-tracer" output closely and perhaps the configurations.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

View solution in original post

Jouni Forss · ‎10-24-2013

Hi,

I guess you could use Manual NAT to essentially configure Static Identity NAT for this single host

If the information was this

Source interface = LAN
Destination interface = WAN
Host IP = 10.10.10.10

Then the configuration could be

object network HOST

host 10.10.10.10

nat (LAN,WAN) 1 source static HOST HOST

Essentially what this would do is that when the host 10.10.10.10 connects to some destination host then as long as the ASAs routing table points towards WAN interface then this NAT configuration should be applied and let the packet preserve the original source address.

Its a different thing if you want to actually force all traffic from this single host (without NAT) towards any destination address through some interface that does NOT hold the default route.

Hope this helps

- Jouni

andduart · ‎10-24-2013

Hi,

For further information:

Configuring Identity NAT

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1108647

Colin Higgins · ‎10-24-2013

So I don't really need a destination field in this case? So if the internal (actual) address of the host is

192.168.108.4

I would do

object network TEST-HOST

host 192.168.108.4

nat (inside,outside) 1 source static TEST-HOST TEST-HOST

yes?

Jouni Forss · ‎10-24-2013

Hi,

Yes, that should be it especially since you seem to configure it for destination interface "outside" which most likely holds the default route on the ASA.

You can confirm the operation with "packet-tracer", for example

packet-tracer input inside tcp 192.168.108.4 12345 1.1.1.1 80

This should show you a NAT Phase (among many other) which keeps the source address unchanged.

Let us know if it worked for you. If not then we will have to look at the "packet-tracer" output closely and perhaps the configurations.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Colin Higgins · ‎10-24-2013

yep, that worked

thanks