SNAT

melwin.uk · ‎04-13-2010

Hi

Consider I got static NAT for a host on ASA, then traffic from outside to inside is DNAT and traffic inside to outside is SNAT.

Is the above correct

Thanks

Mel

Jennifer Halim · ‎04-13-2010

Yes, you are right.

Example:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

Outbound traffic from inside to outside, 10.1.1.1 will be NATed to 200.1.1.1

Inbound traffic from outside to inside towards 200.1.1.1 will be NATed back to 10.1.1.1

As per stated in Firewall forum:

https://supportforums.cisco.com/message/3053002#3053002

melwin.uk · ‎04-13-2010

Hi

The example you mentioned is exactly what I got, but does it fullfill the following need in Step 1, its not clear to me.

Step 1 – Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface

In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT) device. However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.

If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The A/V Edge server external interface will have a private IP address, as shown in Figure 1.2.

Jennifer Halim · ‎04-13-2010

Yes, it would definitely fullfil the requirement.