Need some advise on how I perform a static NAT and then Globally NAT the source address. Basically, I need to provide the following NAT
10.1.1.1 -> 10.1.2.1
..where 10.1.1.0 is the outside and 10.1.2.0 is the inside. However, I'm routing across to the NATed address from a remote host (say 10.1.3.1) that also happens to be a connected interface on the same FWSM. So, 10.1.3.1 routes across the network, around the FW, to access the NAT. The request is processed and passed through the FWSM and the return packet from 10.1.2.1 comes back out the 'wrong' interface (10.1.3.0, sort of asymmetric routing, which I've solved with ASR). However, while ASR solves the issue of routing across the FW to a different interface than which the connection originated on, the packet is dropped by the original host (10.1.3.1) as the source address is not the NATed address (10.1.1.1) but the real IP address (10.1.2.1).
So, I figure in order to solve this issue, I need to ensure the packet is processed by the same interface that performs the NAT, both in and out, and I therefore need to change the source IP address as it enters or leaves the inside/outside interface(s) on the FWSM. I've read the docs and worked out I need to provide a nat/global for the packet to change the source IP from 10.1.3.1 to say 10.1.1.2, as such fixing the routing problem so the FWSM will route the packet back out the correct interface and apply the Static NAT IP. However, when the FWSM processes NAT it applies a 'best match policy' where a Static NAT will overide a Policy/Global NAT, so the FWSM effectively ignores the Policy NAT I attempt the apply because it already matches a Static NAT and I can't change the source address.
Does any one have any ideas on how I can get round this? Is there a way I can perform Policy NAT as the packet enters the 10.1.2.0 interface after a Static NAT is performed on the 10.1.1.0 interface?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...