• Status: Solved

Cisco ASA source AND destination NAT

I want host 192.168.1.5 to see host 192.168.2.10 as IP address 192.168.1.10, and I want host 192.168.2.10 to see host 192.168.1.5 as IP address 192.168.1.5.

Host(192.168.1.5)-----(192.168.1.1)Router/Firewall(192.168.2.1)----Host(192.168.2.10)

On Cisco IOS I can simply

ip nat inside source static 192.168.1.5 192.168.2.5

ip nat outside source static 192.168.2.10 192.168.1.10

However I'm not aware of a similar solution for an ASA.

Any ideas would be appreciated.
Asked: MichaelR23

jonhicks Commented:
Assuming out is 192.168.2.x and inside is 192.168.1.x...

global (out) 10 192.168.2.10
nat (inside) 10 192.168.1.10 255.255.255.255
static (inside,out) 192.168.2.10 192.168.1.10 netmask 255.255.255.255

jonhicks Commented:
Ah sorry, scrub that...
1 sec...

jonhicks Commented:
Hmm, not sure this is possible. Not sure if you can maybe use a combination of static and global commands in both directions to achieve this goal.

jonhicks Commented:
global (out) 10 192.168.2.10
nat (inside) 10 192.168.1.10 255.255.255.255
static (inside,out) 192.168.2.5 192.168.1.5 netmask 255.255.255.255

That will definitely work in one direction, but doing it the other way, as below, may break it. Never tried this before.

global (inside) 20 192.168.1.5
nat (out) 20 192.168.2.5 255.255.255.255
static (out,inside) 192.168.1.10 192.168.2.10 netmask 255.255.255.255


MichaelR23 Author Commented:
I think that might work... but I'm not sure that the global/nat are necessary.

According to the command reference, the static command is used as follows:

static (real_if, mapped_if) mapped_ip real_ip netmask mask

static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 -- will translate source address for traffic traversing the firewall from inside to outside or destination address for traffic traversing the firewall from outside to inside

static (outside,inside) 192.168.1.5 192.168.2.5 netmask 255.255.255.255 -- should... translate source address for traffic from outside to inside or destination address from inside to outside

Has anyone tested whether a combination of simply those two commands will provide the source/destination nat I'm requiring?

jonhicks Commented:
You're probably right, statics in both directions should suffice, making the globals redundant. We got a 515 on our backup DSL line so will have to test this tomorrow...

MichaelR23 Author Commented:
I just tested this on my ASA this morning and only the statics are necessary and it works!

jonhicks Commented:
Groovy.

And the source IP is correctly translated as well?

MichaelR23 Author Commented:
Technically since the static command is a source based nat

Inside Private Source/Outside Public Destination -> Outside Public Source/Outside Public Destination

The real issue was whether or not it would translate the destination as well as the source, but yes with the second static it translated the destination as well.

Next thing on the list is trying to nat the destination with statics and use pat for the source, but that's just an extension of where we're at.

Thanks for being able to bounce the ideas off!

MichaelR23 Author Commented:
This was all that was necessary and more; in fact, only the statics were necessary and not the global/nat statements.
0
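
A simplified model of how the two statics from this thread rewrite a packet in each direction, and of what is left untranslated when only the first one is present. It is an added illustration, not code from the thread or from Cisco; the interface names follow the posted config, and `Static`, `Packet`, `translate` and `round_trip` are hypothetical names.

```python
from typing import NamedTuple

class Static(NamedTuple):
    """One 'static (real_if,mapped_if) mapped_ip real_ip' entry (host mask)."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

class Packet(NamedTuple):
    src: str
    dst: str

# The two statics posted in the thread; interface names as in that post.
INSIDE_TO_OUT = Static("inside", "out", "192.168.2.5", "192.168.1.5")
OUT_TO_INSIDE = Static("out", "inside", "192.168.1.10", "192.168.2.10")

def translate(pkt, ingress, egress, rules):
    """Rewrite pkt as it crosses the firewall from ingress to egress.

    Assumed simplified model: each static rewrites the source of traffic
    going real_if -> mapped_if and the destination of traffic going
    mapped_if -> real_if. Proxy ARP, ACLs and routing are not modelled.
    """
    src, dst = pkt
    for r in rules:
        if (r.real_if, r.mapped_if) == (ingress, egress) and src == r.real_ip:
            src = r.mapped_ip
        if (r.mapped_if, r.real_if) == (ingress, egress) and dst == r.mapped_ip:
            dst = r.real_ip
    return Packet(src, dst)

def round_trip(rules):
    """Inside host opens a session to the mapped peer; return (request, reply) as delivered."""
    request = translate(Packet("192.168.1.5", "192.168.1.10"), "inside", "out", rules)
    # The outside host answers whatever source address it saw.
    reply = translate(Packet("192.168.2.10", request.src), "out", "inside", rules)
    return request, reply

if __name__ == "__main__":
    for label, rules in (("both statics", [INSIDE_TO_OUT, OUT_TO_INSIDE]),
                         ("first static only", [INSIDE_TO_OUT])):
        request, reply = round_trip(rules)
        print(f"{label}: out sees {request}, inside sees {reply}")
```

With only the first static, the request leaves with its destination still set to 192.168.1.10, which is the gap the second static closes.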