New Member

Static NAT on 8.4 question

I am running an ASA5545X pair with 8.4 IOS.

I want to make a rule that performs a NAT exemption for one host to any destination (this is because there is another upstream firewall that connects to the Internet, and I want the host to access it with its actual address).

Would I use an obj-any for this as a destination?

If someone could give me a configuration example, it would be great.

5 REPLIES
Super Bronze

Re: Static NAT on 8.4 question

Hi,

I guess you could use Manual NAT to essentially configure Static Identity NAT for this single host.

If the information was this

  • Source interface = LAN
  • Destination interface = WAN
  • Host IP = 10.10.10.10

Then the configuration could be

object network HOST
 host 10.10.10.10
nat (LAN,WAN) 1 source static HOST HOST

Essentially what this would do is that when the host 10.10.10.10 connects to some destination host, then as long as the ASA's routing table points towards the WAN interface, this NAT configuration should be applied and let the packet preserve the original source address.

It's a different thing if you want to actually force all traffic from this single host (without NAT) towards any destination address through some interface that does NOT hold the default route.

Hope this helps

- Jouni

New Member

Static NAT on 8.4 question

So I don't really need a destination field in this case? So if the internal (actual) address of the host is

192.168.108.4

I would do

object network TEST-HOST
 host 192.168.108.4
nat (inside,outside) 1 source static TEST-HOST TEST-HOST

yes?

Super Bronze

Static NAT on 8.4 question

Hi,

Yes, that should be it especially since you seem to configure it for destination interface "outside" which most likely holds the default route on the ASA.

You can confirm the operation with "packet-tracer", for example

packet-tracer input inside tcp 192.168.108.4 12345 1.1.1.1 80

This should show you a NAT Phase (among many others) which keeps the source address unchanged.

Let us know if it worked for you. If not then we will have to look at the "packet-tracer" output closely and perhaps the configurations.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
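
One way to automate the packet-tracer check described in the reply above, as an added example that is not part of the original thread: it parses saved packet-tracer text and reports whether the NAT phase left the source address unchanged. The sample output is constructed in the general layout of ASA packet-tracer output (exact fields can differ between releases), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on ASA packet-tracer output; not captured from a device.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static TEST-HOST TEST-HOST
Additional Information:
Static translate 192.168.108.4/12345 to 192.168.108.4/12345
"""

PHASE_SPLIT = re.compile(r"^Phase: \d+[ \t]*$", re.MULTILINE)
NAT_TYPE = re.compile(r"^Type: NAT[ \t]*$", re.MULTILINE)
TRANSLATE = re.compile(r"translate (\S+?)/(\d+) to (\S+?)/(\d+)")
CONFIG = re.compile(r"^Config:[ \t]*\n(nat .*)$", re.MULTILINE)

def nat_translations(output):
    """Return (real_ip, mapped_ip, config_line) for each NAT phase reporting a translation."""
    found = []
    for block in PHASE_SPLIT.split(output)[1:]:
        m = TRANSLATE.search(block)
        if not NAT_TYPE.search(block) or not m:
            continue  # not a NAT phase, or no translation line in it
        cfg = CONFIG.search(block)
        found.append((m.group(1), m.group(3), cfg.group(1).strip() if cfg else ""))
    return found

def source_preserved(output, host):
    """True only if a NAT phase matched `host` and every such phase mapped it to itself."""
    hits = [t for t in nat_translations(output) if t[0] == host]
    return bool(hits) and all(real == mapped for real, mapped, _ in hits)

if __name__ == "__main__":
    for real, mapped, cfg in nat_translations(SAMPLE_OUTPUT):
        print(f"{real} -> {mapped}  via: {cfg}")
    print("source preserved:", source_preserved(SAMPLE_OUTPUT, "192.168.108.4"))
```

A result of False means either that a different NAT rule matched first and rewrote the source, or that no NAT phase matched the host at all; in both cases the rule order in the NAT table is the next thing to inspect.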

New Member

Static NAT on 8.4 question

yep, that worked

thanks
