
ASA NAT problem, Can I perform src and dst NAT at the same time on inbound traffic?

Last Modified: 2012-05-08

I have a client that is running an ASA5505 ver 8.0(4). They have traffic coming from the outside int going to an inside int and they require both the src and dst addresses to be NATed, as below.
10.0.0.0 --> 204.0.0.0 ----  they want to hide the src 10.0.0.0 behind outgoing int (not an issue, using static for this)
plus NAT the dst 204.0.0.0 --> 192.0.0.0 - This I am having issues with.
Is it possible to perform Src and Dst NAT at the same time on the ASA? I have been told to look into policy NAT but can't find a lot of info on it.
Cheers Chris

Commented:
Only one translation will be used; the order is:
1. NAT exempt
2. Static
3. NAT+Global

The policy NAT is used with the static statement, and allows you to make a granular list of what should be translated based on destination/source address/protocol/service.

To understand your situation better:
Are you looking for a solution where packets coming from destination 204.0.0.0 (outside) are translated to 192.0.0.0 (inside)?

If so, yes you can do that with policy NAT, but only for specific ports and protocols.
Example:
#static (inside,outside) tcp 204.0.0.1 80 192.0.0.1 80

That'd create a translation from packets coming from 204.0.0.1 on tcp port 80 to 192.0.0.1, outgoing port 80 on your inside interface.
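A policy static of the kind described in the comment above, as an added example that is not part of the original thread: the hosts 10.0.0.1 (outside peer), 204.0.0.1 (mapped) and 192.0.0.1 (real inside server) and the ACL names are assumed, and the syntax is the pre-8.3 form matching the 8.0(4) in the question.

```cisco
! Policy static (pre-8.3 syntax): translate real 192.0.0.1 to mapped
! 204.0.0.1 ONLY when the other end of the connection is 10.0.0.1.
! The policy ACL names the REAL inside address as source and the
! outside peer as destination; the static then applies in both
! directions, so inbound 10.0.0.1 -> 204.0.0.1 is delivered to 192.0.0.1.
access-list POLICY_NAT_SRV extended permit ip host 192.0.0.1 host 10.0.0.1
static (inside,outside) 204.0.0.1 access-list POLICY_NAT_SRV
!
! Restricting the policy to one service: put the port in the ACL and
! use a port-level static instead of the IP-level one above.
access-list POLICY_NAT_WEB extended permit tcp host 192.0.0.1 eq 80 host 10.0.0.1
static (inside,outside) tcp 204.0.0.1 80 access-list POLICY_NAT_WEB
!
! On 8.0 the outside interface ACL is checked against the MAPPED address
! (204.0.0.1), not the real one, so permit inbound traffic to the mapped host.
access-list acl_outside_in extended permit tcp host 10.0.0.1 host 204.0.0.1 eq 80 log
access-group acl_outside_in in interface outside
```

Use "show xlate" and "show nat" after applying it to confirm the translation is built only for the 10.0.0.1 peer and that no broader static shadows it (statics are matched in configuration order, so a wider static for 192.0.0.1 placed first would win).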

Author

Commented:
Hi Perry

The traffic will be coming from the 10.0.0.0 address which is classed as the outside interface. It is trying to connect to a virtual address which is the 204. address which needs to be natted to the real 192. address. At the same time though the source needs to be hidden behind the internal interface address so when it leaves the firewall the source will be the internal firewall interface and the dest will be the real server address 192.0.0.0.

I was researching this myself last night and came up with the following. Please see all addresses as hosts.

access-list acl_outside_in extended permit tcp host 10.0.0.0 host 204.0.0.0 object-group PORTS_IN log
access-list acl_inside_in extended permit tcp host 192.0.0.0 host 10.0.0.0 object-group PORTS_OUT log
access-list acl_NAT_outside permit ip host 10.0.0.0 host 204.0.0.0
static (inside,outside) 204.0.0.0 192.0.0.0 netmask 255.255.255.255
nat (outside) 10 access-list acl_NAT_outside outside
global (inside) 10 interface

Does that look like a viable solution to what I am trying to do? We have a change window tonight but if it's not going to work I would rather let the client know beforehand.

Author

Commented:
Perry

Thanks for that, seems crazy to me that the src and dst can't be NATed at the same time. The client discarded a Checkpoint solution when the firewalls were installed due to the fact 'they wouldn't be using a lot of NAT'. Think they may regret that decision shortly :-)

Thanks for the responses!
