cisco nat

romidiora
Hello Experts,
I have a question specific to NAT on Cisco ASA firewalls. Specifically, is it possible to do an overload (PAT) from the outside going to the inside? I know that Cisco ASA can do inbound NAT as a static NAT, or a port redirection. However, I have never heard of doing an inbound overload (PAT), i.e., 192.168.0.0/24 from outside gets PAT'd to the 172.16.1.210 inside address. Any information is greatly appreciated.
Commented:
No, you cannot do this on ASA.
NAT relies on the keywords inside and outside to determine which way to do NAT/PAT. So if you have a NAT already set up for outbound traffic, I don't think you can do it. You would have to invert which interfaces are defined as the inside and outside if you already have a NAT configured.
Yes, but it's not the same as when you do PAT from inside to outside, because you need to apply an access-list to allow that subnet to access the inside:
nat (outside) 1 192.168.0.0 255.255.255.0 outside
global (inside) 1 172.16.1.210 netmask 255.255.255.255
access-list ACCESS_OUT_IN permit ip 192.168.0.0 255.255.255.0 host 172.16.1.210
access-group ACCESS_OUT_IN in interface outside

Hope you find this info helpful
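
The nat/global commands above are the pre-8.3 ASA syntax. As an added example (not part of any post in this thread), the same outside-to-inside PAT on ASA 8.3 and later can be written with object NAT. The object names, the ACL name, the inside subnet 172.16.1.0/24, the test hosts and port 443 are assumptions made for illustration.

```cisco
! Added example for ASA 8.3+; not taken from the thread.
! Assumed names: OUTSIDE-SRC, INSIDE-NET, OUTSIDE_IN.
! Assumed inside subnet: 172.16.1.0/24. Assumed service: tcp/443.
!
! Source hosts on the outside are hidden behind one inside address (dynamic PAT).
object network OUTSIDE-SRC
 subnet 192.168.0.0 255.255.255.0
 nat (outside,inside) dynamic 172.16.1.210
!
object network INSIDE-NET
 subnet 172.16.1.0 255.255.255.0
!
! From 8.3 on, interface ACLs match real (untranslated) addresses,
! so the rule names the real outside source and the real inside destination.
! Permit only the service that is needed rather than "ip".
access-list OUTSIDE_IN extended permit tcp object OUTSIDE-SRC object INSIDE-NET eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification, run from privileged EXEC (constructed test addresses):
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 192.168.0.10 12345 172.16.1.20 443
```

In the packet-tracer output, the NAT phase should show the source 192.168.0.10 translated to 172.16.1.210, and the ACL phase should show the flow permitted by OUTSIDE_IN.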
Author

Commented:
So can it be done? Hearing some conflicts.
luc_roy, System Admin
Commented:
Yes, you can do PAT from outside to inside.

Configure PAT on the outside interface

ASA(config)# global (outside) 1 interface
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Author

Commented:
Great, thanks gentlemen.
