Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Source NAT based on Destination from ASA

I have an ASA connected to an rfc1918 network via a cryptomap.

[inside:10.0.0.1:ASA :99.99.99.99:outside]<--- cryptomap vpn ---->[ another ASA ]<--->192.168.1.10

Now 192.168.1.10 can ping (and get icmp echo replies) from 10.0.0.1, but when I try to ping 192.168.1.10 from the ASA it'self, the syslog shows an error:

Deny IP spoof from (99.99.99.99) to 192.168.1.10 on interface outside.

So how do I apply an access list to the internal interface of the ASA that will allow me to "nat 0" it's own internal interface? Usually the access lists are set up so that packets coming *into* the interface can be nat exempted, but how do I do it if the packet originates from the ASA?

In iptables, I'd do something like:

/sbin/iptables -t nat -A POSTROUTING -s 99.99.99.99/32  -d 192.168.1.0/24  -j SNAT --to-source 10.0.0.1

which says "if the source is 99.99.99.99 and it's bound for 192.168.1.0/24, source nat it to 10.0.0.1.

How do I do this with an ASA running PIXOS 8.x ?

Everyone's tags (4)
1446
Views
0
Helpful
0
Replies
CreatePlease to create content