
Translating PAT From Public IP to Inside Address

Is it possible with the Cisco ASA to translate an outside address to an internal address during PAT? What I want to do is dynamic outside address translation after the PAT. So if a user on the outside connects to us through a PAT rule, his outside address is translated to an inside address.


Re: Translating PAT From Public IP to Inside Address

Hello,

So 192.168.12.0/24 inside ---- ASA ---- outside 2.2.2.0/24

You want an outside user who comes into your network to get PATed to 192.168.12.x, right?

If that is what you are looking for, yes that is possible on the ASA!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Translating PAT From Public IP to Inside Address

Yes, exactly. I have some PAT commands configured. How do I go about doing that?

static (inside,outside) tcp VIP 3078 172.16.1.68 ssh netmask 255.255.255.255

static (inside,outside) tcp VIP 7500 172.16.1.4 1433 netmask 255.255.255.255

I want the public IP address to get translated to 172.16.1.x when a user establishes a connection to VIP on either port.

Translating PAT From Public IP to Inside Address

Hello Tshi,

You will need:

access-list test permit tcp outside_user_ip host VIP eq 7500

access-list test permit tcp outside_user_ip host VIP eq 3078

nat (outside) 10 access-list test outside

global (inside) 10 172.16.1.x

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Translating PAT From Public IP to Inside Address

Julio,

Thanks indeed. I will try this shortly. Does it matter if I already have an access-list applied to the outside interface? Or can I just use it with nat 10?

access-list FROM_INTERNET extended permit tcp any host VIP eq 3078

access-list FROM_INTERNET extended permit tcp any host VIP eq 7500

access-group FROM_INTERNET in interface outside

Translating PAT From Public IP to Inside Address

Hello Tshi,

The new ACL that I provided you is not applied to the outside interface, so do not worry about that.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Translating PAT From Public IP to Inside Address

Julio,

Thanks indeed...this was extremely helpful.
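
The pieces discussed in this thread, consolidated into one pre-8.3 ASA configuration with verification commands. This is an added example, not part of any post above. The addresses are constructed: 203.0.113.10 stands in for VIP, 198.51.100.25 for outside_user_ip, and 172.16.1.200 for the 172.16.1.x PAT address.

```cisco
! Added example in the pre-8.3 NAT syntax used in this thread.
! Constructed sample addresses:
!   203.0.113.10   = VIP
!   198.51.100.25  = outside_user_ip
!   172.16.1.200   = the 172.16.1.x address outside sources are PATed to

! Existing inbound static PAT (from the thread, VIP replaced by the sample address)
static (inside,outside) tcp 203.0.113.10 3078 172.16.1.68 ssh netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 7500 172.16.1.4 1433 netmask 255.255.255.255

! Existing interface ACL: this is what permits traffic in from the Internet
access-list FROM_INTERNET extended permit tcp any host 203.0.113.10 eq 3078
access-list FROM_INTERNET extended permit tcp any host 203.0.113.10 eq 7500
access-group FROM_INTERNET in interface outside

! Policy NAT ACL: only selects which flows get their source translated.
! It is referenced by "nat", not by "access-group", so it opens nothing by itself.
access-list test extended permit tcp host 198.51.100.25 host 203.0.113.10 eq 3078
access-list test extended permit tcp host 198.51.100.25 host 203.0.113.10 eq 7500

! Outside dynamic PAT: matching outside sources appear on the inside as 172.16.1.200
nat (outside) 10 access-list test outside
global (inside) 10 172.16.1.200

! Verification (run from privileged EXEC, not configuration mode)
! Translation table: look for the outside source mapped to 172.16.1.200
show xlate
! Active connections through the firewall
show conn
! Hit counters on the policy NAT ACL
show access-list test
! Simulate an inbound packet and list the NAT and ACL phases it passes through
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 7500 detailed
```

With the source translated, the SSH and SQL servers behind the ASA log 172.16.1.200 rather than the client's public address, so attributing a session to an outside host depends on the ASA's own connection and translation logs.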
