Cisco ASA source AND destination NAT

MichaelR23 asked
Last Modified: 2012-05-06
I want host 192.168.1.5 to see host 192.168.2.10 as IP address 192.168.1.10, and I want host 192.168.2.10 to see host 192.168.1.5 as IP address 192.168.1.5.

Host(192.168.1.5)-----(192.168.1.1)Router/Firewall(192.168.2.1)----Host(192.168.2.10)

On Cisco IOS I can simply:

ip nat inside source static 192.168.1.5 192.168.2.5

ip nat outside source static 192.168.2.10 192.168.1.10

However I'm not aware of a similar solution for an ASA.

Any ideas would be appreciated.

Commented:
Assuming out is 192.168.2.x and inside is 192.168.1.x...

global (out) 10 192.168.2.10
nat (inside) 10 192.168.1.10 255.255.255.255
static (inside,out) 192.168.2.10 192.168.1.10 netmask 255.255.255.255

Commented:
Ah sorry, scrub that...
1 sec...

Commented:
Hmm, not sure this is possible. Not sure if you can maybe use a combination of static and global commands in both directions to achieve this goal.

Commented:
global (out) 10 192.168.2.10
nat (inside) 10 192.168.1.10 255.255.255.255
static (inside,out) 192.168.2.5 192.168.1.5 netmask 255.255.255.255

That will definitely work in one direction, but doing it the other way, as below, may break it. Never tried this before.

global (inside) 20 192.168.1.5
nat (out) 20 192.168.2.5 255.255.255.255
static (out,inside) 192.168.1.10 192.168.2.10 netmask 255.255.255.255

Author

Commented:
I think that might work... but I'm not sure that the global/nat are necessary.

According to the command reference, the static command is used as follows:

static (real_if, mapped_if) mapped_ip real_ip netmask mask

static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 -- will translate source address for traffic traversing the firewall from inside to outside or destination address for traffic traversing the firewall from outside to inside

static (outside,inside) 192.168.1.5 192.168.2.5 netmask 255.255.255.255 -- should... translate source address for traffic from outside to inside or destination address from inside to outside

Has anyone tested whether a combination of simply those two commands will provide the source/destination nat I'm requiring?

Commented:
You're probably right, statics in both directions should suffice, making the globals redundant. We got a 515 on our backup DSL line so will have to test this tomorrow...

Author

Commented:
I just tested this on my ASA this morning and only the statics are necessary and it works!

Commented:
Groovy.

And the source IP is correctly translated as well?

Author

Commented:
Technically since the static command is a source based nat

Inside Private Source/Outside Public Destination -> Outside Public Source/Outside Public Destination

The real issue was whether or not it would translate the destination as well as the source, but yes with the second static it translated the destination as well.

Next thing on the list is trying to nat the destination with statics and use pat for the source, but that's just an extension of where we're at.

Thanks for being able to bounce the ideas off!

Author

Commented:
This was all that was necessary and more; in fact, only the statics were necessary, and not the global/nat statements.
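
A small Python model of the two host statics discussed in this thread, added here as an illustration and not posted by any participant: it applies the static (real_if,mapped_if) mapped_ip real_ip behaviour quoted above to a request from the inside host and to the reply. The two-interface topology, the interface names inside/outside, and all function and class names are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Static:
    """One host rule: static (real_if,mapped_if) mapped_ip real_ip."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

# Addresses from the thread; interface names are assumed for this model.
RULES = [
    Static("inside", "outside", "192.168.2.5", "192.168.1.5"),
    Static("outside", "inside", "192.168.1.10", "192.168.2.10"),
]

def translate(ingress, src, dst, rules=RULES):
    """Return (egress_if, src, dst) as the packet leaves the firewall."""
    # Simplification: with two interfaces, egress is always the other one.
    egress = "outside" if ingress == "inside" else "inside"
    new_src, new_dst = src, dst
    for r in rules:
        # Destination rewrite: the packet arrives on the mapped interface
        # addressed to the mapped IP and is delivered to the real IP.
        if r.mapped_if == ingress and r.real_if == egress and dst == r.mapped_ip:
            new_dst = r.real_ip
        # Source rewrite: the real host's packet crosses from the real
        # interface to the mapped interface and appears as the mapped IP.
        if r.real_if == ingress and r.mapped_if == egress and src == r.real_ip:
            new_src = r.mapped_ip
    return egress, new_src, new_dst

def round_trip(rules=RULES):
    """Request from the inside host, then the outside host's reply."""
    request = translate("inside", "192.168.1.5", "192.168.1.10", rules)
    # The outside host replies to the source address it actually saw.
    reply = translate("outside", request[2], request[1], rules)
    return request, reply

if __name__ == "__main__":
    for label, pkt in zip(("request", "reply"), round_trip()):
        print(f"{label}: leaves {pkt[0]} as {pkt[1]} -> {pkt[2]}")
    # With only the (inside,outside) static, the destination 192.168.1.10
    # is never mapped to the outside host, so only the source changes.
    print("one static:", translate("inside", "192.168.1.5", "192.168.1.10", RULES[:1]))
```

Each static rewrites the source in one direction and the destination in the other, which is why the pair covers both halves of the conversation without global/nat statements.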