New Member

8.2 Destination NAT Configuration

I cannot figure out how to NAT the destination field in the IP Packet. I have tried a few different things.

We have a server that needs to connect over a VPN to an IP that we currently have in use. I have chosen the 192.168.13.x /24 network to use for NAT on the ASA. (I would advertise the remote server as 192.168.13.10)

Untitled.png

10.1.40.10 needs to connect to 172.16.0.100 over the VPN and retain the source IP but change the destination IP from 192.168.13.10 to 172.16.0.100 once it passes through the ASA.

I figure some kind of policy-NAT that could translate the destination?

This is my guess, but I know it is not right... It seems like this would change the source.

access-list PNAT ex permit ip host 10.1.40.10 host 192.168.13.10

static (inside,outside) 172.16.0.100 access-list PNAT

Thank You!!

Accepted Solutions
Hall of Fame Super Blue

8.2 Destination NAT Configuration

Jeremy

Do you need policy NAT as the only time you go to that IP is down the VPN?

Can you try this -

static (outside, inside) 192.168.13.10 172.16.0.100 netmask 255.255.255.255

If you need policy NAT, just create an ACL for the specific traffic and tie it to the NAT statement.

Jon

4 REPLIES
New Member

8.2 Destination NAT Configuration

Hi Jon,

I thought policy NAT because I only wanted to NAT that particular flow. I didn't want to possibly break other VPNs that use this server, or break its other NAT configurations.

I just GNS3'd this up and I think it worked. I just am not sure how to write the ACL for the policy NAT.

I tried:

access-list PNAT extended permit ip host 172.16.0.100 host 10.1.40.10

static (OUT,IN) 192.168.13.10 access-list PNAT

This didn't work like I was hoping.

I'm not used to seeing the outside come first: (outside,inside).

Thank You!

Hall of Fame Super Blue

Re: 8.2 Destination NAT Configuration

Jeremy

To be honest, I have only ever done this type of NAT from inside to outside, so you may have to play around with the ACL, although I can't say for sure it will work as I have never tested it.

I only asked about whether you needed to use an ACL because it is not the source IP you are translating but only the destination IP, so the only time you ever go to that address from the inside is via the VPN.

Jon

New Member

8.2 Destination NAT Configuration

This did seem to work. I couldn't figure out how to add an ACL to make it more of a policy-nat.

I ended up asking the admin on the remote side to configure policy-NAT on his ASA and after he did that I didn't have to worry about doing NAT on my end.

Thanks!!
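
Added example, not posted by anyone in this thread and not Cisco code: a small Python model of which header field each static statement from the thread rewrites in each direction, covering both the original guess and the (outside,inside) form from the accepted answer. It is a simplified model under stated assumptions: the class and function names are hypothetical, and the policy ACL match, routing and VPN processing are not modelled.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    """Simplified model of: static (real_ifc,mapped_ifc) mapped_ip real_ip"""
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface where the mapped address is presented
    mapped_ip: str
    real_ip: str

    def translate(self, pkt: Packet, ingress: str, egress: str) -> Packet:
        # Arrives on the mapped interface, addressed to the mapped IP:
        # the DESTINATION is rewritten to the real IP.
        if (ingress, egress) == (self.mapped_ifc, self.real_ifc) and pkt.dst == self.mapped_ip:
            return replace(pkt, dst=self.real_ip)
        # Arrives on the real interface from the real host:
        # the SOURCE is rewritten to the mapped IP.
        if (ingress, egress) == (self.real_ifc, self.mapped_ifc) and pkt.src == self.real_ip:
            return replace(pkt, src=self.mapped_ip)
        return pkt  # anything else passes through untranslated


# Accepted answer: static (outside,inside) 192.168.13.10 172.16.0.100
ANSWER = StaticNat("outside", "inside", "192.168.13.10", "172.16.0.100")
# Original guess: static (inside,outside) 172.16.0.100 access-list PNAT
# (real host 10.1.40.10 taken from the ACL source; ACL match not modelled)
GUESS = StaticNat("inside", "outside", "172.16.0.100", "10.1.40.10")


def round_trip(rule: StaticNat):
    """Send 10.1.40.10 -> 192.168.13.10 out, then send the reply back in."""
    request = rule.translate(Packet("10.1.40.10", "192.168.13.10"), "inside", "outside")
    reply = rule.translate(Packet(request.dst, request.src), "outside", "inside")
    return request, reply


if __name__ == "__main__":
    for name, rule in (("answer", ANSWER), ("guess", GUESS)):
        req, rep = round_trip(rule)
        print(f"{name}: toward VPN {req} | back on inside {rep}")
```

With the (outside,inside) rule the server keeps its own source address and only the destination changes on the way out, while the reply comes back sourced from 192.168.13.10. The guess changes the source instead and leaves the destination at 192.168.13.10.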
