Upgrading to 9.1: Source NAT migration


We are migrating to 9.1 and need to update our NAT config. I'm a bit confused about how to do source NATing in 8.3+.

Our current setup translates the source IP to the inside interface address of the ASA:

SNAT IP: 10.0.0.1
Server: 10.0.0.2

global (inside) 2 10.0.0.1
nat (outside) 2 0.0.0.0 0.0.0.0 outside
nat (outside) 0 access-list 21

access-list 21 extended deny ip any host 10.0.0.2
access-list 21 extended permit ip any any

I've been at this for a while. Any thoughts?

1 REPLY

Hi,

So the above NAT configuration basically has a Dynamic PAT from "outside" to "inside", and it also has a NAT0 configuration for all traffic from "outside" to any other destination subnet/interface, though it does have a line that prevents NAT0 when the destination IP address for a connection is 10.0.0.2.


I guess in your situation you would be fine with just a single NAT configuration in the new software. You would configure a type of Dynamic Policy PAT configuration where the Dynamic PAT translation would be performed from "outside" to "inside" only if the destination IP address is 10.0.0.2.

For example:

object network SERVER
 host 10.0.0.2
nat (outside,inside) after-auto 1 source dynamic any interface destination static SERVER SERVER


The above configuration would match traffic coming from behind the "outside" interface from "any" source address and destined to the destination address "SERVER", and the source address would be translated to the "interface" IP address, which in this case is the IP address of the "inside" interface. You could use a different IP address; in that case you would configure an additional "object", configure the IP address under that object, and use that object in the "nat" configuration instead of the parameter "interface".


Any traffic that did not match the above NAT configuration would go through the firewall (if allowed by all the other configurations) without any NAT, so you don't really require a NAT0 configuration in this case.


Hope I made some sense and hope it helps :)

- Jouni

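To check that the proposed 8.3+ rule makes the same decisions as the pre-8.3 global/nat/access-list set, here is an added Python model (not part of this thread and not ASA code) that parses both snippets exactly as quoted above and returns the mapped source address for a flow arriving on "outside". The interface address table IF_ADDR and the sample flows are constructed assumptions; the model covers only the "any"/"host" forms used in these lines.

```python
import re
OLD_CONFIG = """global (inside) 2 10.0.0.1
nat (outside) 2 0.0.0.0 0.0.0.0 outside
nat (outside) 0 access-list 21
access-list 21 extended deny ip any host 10.0.0.2
access-list 21 extended permit ip any any"""
NEW_CONFIG = """object network SERVER
 host 10.0.0.2
nat (outside,inside) after-auto 1 source dynamic any interface destination static SERVER SERVER"""
IF_ADDR = {"inside": "10.0.0.1"}  # assumed interface addresses; the "interface" keyword resolves here

def _hit(spec, ip):  # matcher for the only two forms used here: "any" or "host A.B.C.D"
    return spec == "any" or spec == f"host {ip}"

def old_translate(config, src, dst, egress="inside"):
    """Pre-8.3 model: nat 0 access-list (exemption) is consulted first, then nat/global pairs by id."""
    acls, nats, glob = {}, [], {}
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) extended (permit|deny) ip (any|host \S+) (any|host \S+)$", line):
            acls.setdefault(m[1], []).append(m.groups()[1:])
        elif m := re.match(r"nat \(\S+\) (\d+) access-list (\S+)", line):
            nats.append((int(m[1]), ("acl", m[2])))
        elif m := re.match(r"nat \(\S+\) (\d+) (\S+) (\S+)", line):
            nats.append((int(m[1]), ("net", m[2], m[3])))
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            glob[(m[1], int(m[2]))] = m[3]
    for nid, rule in sorted(nats, key=lambda n: n[0]):  # id 0 (exemption) sorts first
        if rule[0] == "acl":
            for action, s, d in acls[rule[1]]:
                if _hit(s, src) and _hit(d, dst):
                    if action == "permit":
                        return None  # exempt: forwarded with no translation
                    break  # deny ACE: not exempt, fall through to the next nat id
        elif rule[1] == rule[2] == "0.0.0.0":  # "0.0.0.0 0.0.0.0" matches any real source
            return glob[(egress, nid)]  # PAT to the global address on the egress interface
    return None

def new_translate(config, src, dst, ingress="outside"):
    """8.3+ model: one manual (twice) NAT rule; a flow that matches nothing is simply not translated."""
    objs = {n: f"host {h}" for n, h in re.findall(r"object network (\S+)\n\s+host (\S+)", config)}
    rules = re.findall(r"nat \((\S+),(\S+)\) after-auto \d+ source dynamic (\S+) (\S+) "
                       r"destination static (\S+) \S+", config)
    for real_in, mapped_if, real_src, mapped_src, real_dst in rules:
        if real_in == ingress and _hit(objs.get(real_src, real_src), src) and _hit(objs[real_dst], dst):
            return IF_ADDR[mapped_if] if mapped_src == "interface" else objs[mapped_src].split()[1]
    return None

def policies_agree(flows):  # True when both models pick the same mapped source for every (src, dst)
    return all(old_translate(OLD_CONFIG, s, d) == new_translate(NEW_CONFIG, s, d) for s, d in flows)
```

Traffic to 10.0.0.2 is PATed to 10.0.0.1 under both configurations, and traffic to any other destination is left untranslated by both, which is why the NAT0 lines have no equivalent in the new rule set.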