New Member

TWO Way NAT in Cisco ASA

Hi,

Is it possible to do two-way NAT (I mean both source and destination) in a Cisco ASA firewall?

Regards

Mathew

8 REPLIES
Cisco Employee

Re: TWO Way NAT in Cisco ASA

Yes, you can perform both source and destination NAT on ASA.

Check out this sample configuration on the "alternative solution: destination NAT" section:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hope that helps.

New Member

Re: TWO Way NAT in Cisco ASA

Thanks Halijenn for your response.

I don't see both source and destination NAT in the example which you sent. My requirement is very simple...

I have a source network (say x.x.x.x/y) which is accessing y.y.y.y/x (real IP) beyond the ASA firewall. My requirement is that the source and destination should not see each other's real addresses.

When the source packet (x.x.x.x/y) reaches the ASA firewall it should be dynamically NATed or PATed to say a.a.a.a/b, and at the same time y.y.y.y/x should be statically NATed to say c.c.c.c/d in the ASA firewall itself.

Can you please advise whether this is possible in ASA and, if so, send me a link explaining a similar example?

Thanks for all your support.

Regards

Mathew

Cisco Employee

Re: TWO Way NAT in Cisco ASA

OK, here is an example:

Inside interface of ASA - 10.1.1.1 (security level 100)

Outside interface of ASA - 200.1.1.1

Host on the inside with IP address 10.1.1.8 needs to be PATed to the ASA outside IP address.

Inside host is trying to reach destination 100.1.1.1 (real), but you would like to NAT this destination to say 10.1.1.20.

Here is the configuration:

nat (inside) 5 10.1.1.8 255.255.255.255
global (outside) 5 interface
static (outside,inside) 10.1.1.20 100.1.1.1 netmask 255.255.255.255

When the inside host tries to access the outside host 100.1.1.1, it should access it via its NATed IP of 10.1.1.20.

Hope that helps.

New Member

Re: TWO Way NAT in Cisco ASA

Thanks a ton for your quick response.

In my case the scenario is just the opposite of this. There are a few users sitting outside my firewall who need to access a server on the inside interface.

When a user tries to access the server's NAT IP, it should get statically translated to the server's real IP, and at the same time the source IP of the packet should get dynamically NATed to the interface IP.

Could you please advise on the possibilities for this along with the configuration?

Regards
Mathew

Cisco Employee

Re: TWO Way NAT in Cisco ASA

Sure, in that case, you should have the following configuration:

Assuming the server is 10.1.1.8 --> statically NATed to 200.1.1.8

Outside hosts (100.1.1.1, 150.1.1.1, 170.1.1.1) need to be PATed to the inside interface IP address.

Configuration:

static (inside,outside) 200.1.1.8 10.1.1.8 netmask 255.255.255.255
access-list outside-pat permit ip host 100.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 150.1.1.1 host 200.1.1.8
access-list outside-pat permit ip host 170.1.1.1 host 200.1.1.8
nat (outside) 5 access-list outside-pat outside
global (inside) 5 interface

OR, if you would like all hosts on the outside to be PATed to the inside, you can just have the following access-list:

access-list outside-pat permit ip any host 200.1.1.8

Hope that helps.

New Member

TWO Way NAT in Cisco ASA

Hi All,

Just one question,

Which is checked first, destination or source NAT? At what point are both applied to the packet?

Regards

A.N

Re: TWO Way NAT in Cisco ASA

Hello Ank,

The destination of the traffic goes first.

Here is the lab I just made to explain it.

ciscoasa(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                4.4.4.4         255.255.255.0   manual
GigabitEthernet1         inside                 192.168.12.1    255.255.255.0   manual

ciscoasa(config)# sh run object network
object network Local
 subnet 192.168.12.0 255.255.255.0
object network Remote_real
 subnet 192.168.13.0 255.255.255.0
object network Remote_Fake
 subnet 192.168.14.0 255.255.255.0
object network Fake_lan
 subnet 10.10.10.0 255.255.255.0

show run nat
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real

Here is the result of the test (inside-to-outside flow):

packet-tracer input inside tcp 192.168.12.2 1025 192.168.14.10 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.14.10/80 to 192.168.13.10/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.12.2/1025 to 10.10.10.2/1025

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So we can see the translation happens first for the destination of the traffic.

Now traffic from the external LAN to the inside fake LAN:

packet-tracer input outside tcp 192.168.13.20 1025 10.10.10.2 80

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.2/80 to 192.168.12.2/80

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:
Static translate 192.168.13.20/1025 to 192.168.14.20/1025

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
Additional Information:

So as you can see, again the destination of the traffic gets un-translated first.

Hope this helps

Julio

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
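To make the ordering shown in Julio's packet-tracer output concrete, here is an added Python model of that twice-NAT rule. It is an illustration written for this thread, not code from Cisco or from any poster. The object names and subnets are the ones from the lab above; the dictionary layout, the `map_host` and `translate` functions, and the phase labels are this example's own. It models only what the trace demonstrates: destination un-NAT first, then source NAT, with a static subnet-to-subnet mapping that keeps the host bits. The ACL and rpf-check phases are deliberately left out, and a packet that does not match the rule is reported as untranslated.

```python
from ipaddress import ip_address, ip_network

# Network objects as configured in the lab (constructed model, same values)
OBJECTS = {
    "Local":       ip_network("192.168.12.0/24"),
    "Fake_lan":    ip_network("10.10.10.0/24"),
    "Remote_real": ip_network("192.168.13.0/24"),
    "Remote_Fake": ip_network("192.168.14.0/24"),
}

# nat (inside,outside) source static Local Fake_lan destination static Remote_Fake Remote_real
# Field names are this example's own, not ASA keywords.
RULE = {
    "real_if": "inside", "mapped_if": "outside",
    "src_real": "Local", "src_mapped": "Fake_lan",
    "dst_mapped": "Remote_Fake", "dst_real": "Remote_real",
}


def map_host(addr, from_net, to_net):
    """Static subnet-to-subnet mapping: keep the host bits, swap the prefix."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static subnet NAT needs equal-sized objects")
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))


def translate(rule, ingress, src, dst):
    """Apply the rule in the order packet-tracer shows: destination un-NAT,
    then source NAT.  Returns (phases, (new_src, new_dst)), or ([], None)
    when the packet does not match the rule and is left untranslated."""
    objs = {k: OBJECTS[v] for k, v in rule.items() if v in OBJECTS}
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if ingress == rule["real_if"]:
        # Real side -> mapped side: destination arrives as its fake address
        dst_from, dst_to = objs["dst_mapped"], objs["dst_real"]
        src_from, src_to = objs["src_real"], objs["src_mapped"]
    elif ingress == rule["mapped_if"]:
        # Mapped side -> real side: the same rule applied in reverse
        dst_from, dst_to = objs["src_mapped"], objs["src_real"]
        src_from, src_to = objs["dst_real"], objs["dst_mapped"]
    else:
        return [], None
    if dst_ip not in dst_from or src_ip not in src_from:
        return [], None
    phases = []
    new_dst = map_host(dst_ip, dst_from, dst_to)          # Phase: UN-NAT
    phases.append(("UN-NAT", f"Untranslate {dst} to {new_dst}"))
    new_src = map_host(src_ip, src_from, src_to)          # Phase: NAT
    phases.append(("NAT", f"Static translate {src} to {new_src}"))
    return phases, (new_src, new_dst)


if __name__ == "__main__":
    # The two flows from the lab, plus a packet aimed at the real inside
    # address, which this rule does not cover.
    for ingress, src, dst in [("inside", "192.168.12.2", "192.168.14.10"),
                              ("outside", "192.168.13.20", "10.10.10.2"),
                              ("outside", "192.168.13.20", "192.168.12.2")]:
        phases, result = translate(RULE, ingress, src, dst)
        print(f"input {ingress} {src} -> {dst}")
        for kind, detail in phases:
            print(f"  {kind}: {detail}")
        print("  result:", result if result else "no match, untranslated")
```

Running it reproduces the two traces (192.168.14.10 is un-translated to 192.168.13.10 before 192.168.12.2 becomes 10.10.10.2, and in the reverse direction 10.10.10.2 is un-translated to 192.168.12.2 before the source becomes 192.168.14.20). The third case is the one worth remembering when reviewing such a design: a packet addressed to the real inside address simply does not match this rule, so whether it is reachable at all is decided by the rest of the NAT table and the interface ACL, not by this line. Because un-NAT runs before the ACL check, the interface ACL in this configuration style has to be written against the real addresses.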