Cisco Support Community
New Member

Twice NAT due to asymmetric routing

I have a business requirement that has traffic for an application going through firewall A and web traffic through firewall B. Due to a specialized routing need for this application, if a user outside the network tries to access our public facing web servers we end up with the traffic entering firewall B and leaving firewall A, so asymmetric routing.

 

What I would like to do is bring in all traffic coming from 123.123.123.0/24 (outside) destined for 222.222.222.222 (NATed to 11.11.11.11 inside) and NAT those external addresses to 10.10.10.0/24.

 

I think that this is a twice NAT but haven't been able to follow the Cisco examples as they are taking an internal host and NATing it outbound; I'm looking to do the reverse.

3 REPLIES
Super Bronze


Hi,

 

You did not mention the software version of your ASA. Twice NAT is easier and more common on the 8.3+ software levels.

 

So if I understood correctly the internal server should be NATed to 222.222.222.222 from the real IP address 11.11.11.11 and the external source subnet 123.123.123.0/24 should be NATed to 10.10.10.0/24 when connecting to the mentioned NAT IP address of 222.222.222.222?

 

If so then the configuration in 8.3+ format could be

 

object network SERVER-REAL
 host 11.11.11.11
object network SERVER-MAPPED
 host 222.222.222.222
object network EXT-SUBNET-REAL
 subnet 123.123.123.0 255.255.255.0
object network EXT-SUBNET-MAPPED
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static SERVER-REAL SERVER-MAPPED destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL

 

Naturally the above "object" names are more meant to give you an idea of what purpose they hold. A better naming policy could surely be used. :)

 

The above NAT configuration would do a 1:1 Static NAT for the source addresses as the real and mapped subnet are of equal size. You could change this to Dynamic PAT if the actual situation holds different size subnets.

 

Hope this helps :)

 

- Jouni
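The following is an added example, not part of the original thread or Cisco's own tooling. It models what the twice NAT rule above does to a packet in each direction, using the objects and addresses from the answer: an inbound request from 123.123.123.x to 222.222.222.222 is rewritten on both ends, and the server's reply (to 10.10.10.x) is untranslated by the same rule. It also shows the point of the source NAT for the asymmetric routing problem in the question: the inside routing table is a constructed assumption in which 10.10.10.0/24 is routed back to firewall B while everything else goes to firewall A, so the reply returns through the firewall that holds the connection state. The 1:1 size check mirrors the remark that static NAT needs equal-sized real and mapped pools, with dynamic PAT as the alternative.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)

# Objects from the answer, seen from the inside interface of firewall B.
SERVER_REAL = ipaddress.ip_network("11.11.11.11/32")        # object SERVER-REAL
SERVER_MAPPED = ipaddress.ip_network("222.222.222.222/32")  # object SERVER-MAPPED
EXT_REAL = ipaddress.ip_network("123.123.123.0/24")         # object EXT-SUBNET-REAL
EXT_MAPPED = ipaddress.ip_network("10.10.10.0/24")          # object EXT-SUBNET-MAPPED

# Constructed inside routing table (assumption, not from the thread): the
# mapped client range is pointed at firewall B so replies leave the way the
# request came in; everything else follows the application's path via A.
INSIDE_ROUTES: Dict[str, str] = {
    "10.10.10.0/24": "firewall-B",
    "0.0.0.0/0": "firewall-A",
}


def nat_mode(real: str, mapped: str) -> str:
    """Static 1:1 NAT needs equal-sized real and mapped pools; otherwise the
    source side has to become dynamic PAT, as the answer notes."""
    r, m = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    return "static" if r.num_addresses == m.num_addresses else "dynamic-pat"


def _map_1to1(addr, real, mapped):
    """Static network NAT keeps the host offset: n-th real address -> n-th mapped."""
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def translate_inbound(pkt: Packet) -> Optional[Packet]:
    """outside -> inside: rewrite source and destination, None if rule does not match."""
    src, dst = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[1])
    if src not in EXT_REAL or dst not in SERVER_MAPPED:
        return None
    return (str(_map_1to1(src, EXT_REAL, EXT_MAPPED)),
            str(_map_1to1(dst, SERVER_MAPPED, SERVER_REAL)))


def untranslate_reply(pkt: Packet) -> Optional[Packet]:
    """inside -> outside reply: exact inverse of translate_inbound. Only the
    firewall that built the connection state (the one the request entered)
    can do this, which is why the reply must be routed back to it."""
    src, dst = ipaddress.ip_address(pkt[0]), ipaddress.ip_address(pkt[1])
    if src not in SERVER_REAL or dst not in EXT_MAPPED:
        return None
    return (str(_map_1to1(src, SERVER_REAL, SERVER_MAPPED)),
            str(_map_1to1(dst, EXT_MAPPED, EXT_REAL)))


def next_hop(dst: str, routes: Dict[str, str] = INSIDE_ROUTES) -> Optional[str]:
    """Longest-prefix match over the constructed inside routing table."""
    a = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(n) for n in routes if a in ipaddress.ip_network(n)]
    if not matches:
        return None
    return routes[str(max(matches, key=lambda n: n.prefixlen))]


def render_config(inside: str = "inside", outside: str = "outside") -> str:
    """The 8.3+ configuration from the answer, with interface names as parameters."""
    return "\n".join([
        "object network SERVER-REAL", f" host {SERVER_REAL.network_address}",
        "object network SERVER-MAPPED", f" host {SERVER_MAPPED.network_address}",
        "object network EXT-SUBNET-REAL", f" subnet {EXT_REAL.network_address} {EXT_REAL.netmask}",
        "object network EXT-SUBNET-MAPPED", f" subnet {EXT_MAPPED.network_address} {EXT_MAPPED.netmask}",
        f"nat ({inside},{outside}) source static SERVER-REAL SERVER-MAPPED "
        "destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL",
    ])


if __name__ == "__main__":
    print(render_config())
    request = ("123.123.123.45", "222.222.222.222")   # constructed sample packet
    inside_view = translate_inbound(request)
    print("inbound:", request, "->", inside_view)
    reply = (inside_view[1], inside_view[0])
    print("reply via", next_hop(reply[1]), ":", reply, "->", untranslate_reply(reply))
    print("without the source NAT the reply would leave via", next_hop(request[0]))
```

On the ASA itself the same two directions can be checked with `show nat` (hit counters on the rule) and `packet-tracer input outside tcp 123.123.123.45 12345 222.222.222.222 80`, which should show the NAT phase rewriting both addresses and the packet egressing on the inside interface; if the reply for 10.10.10.0/24 is not routed back to this firewall, the return packets never match the connection and are dropped by the other unit.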

New Member


We are currently running 8.4.2, this head cold is preventing me from remembering vital details today.

Super Bronze


Hi,

 

In that case your ASA should support the above configuration format.

 

Naturally I don't know what the interfaces are called on your ASA. Also I personally like to look at the big picture especially when doing any special NAT configurations. Just so that I don't mess anything up :)

 

- Jouni
