ASA static NAT 8.2 code

interface GigabitEthernet1/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet1/2
 nameif BlueDMZ
 security-level 50
 ip address 50.50.50.1 255.255.255.0

Assume that I can't route 50.50.50.0/24 on my internal Network. I have a route redistributed into the routing table to send 60.60.60.0/24 to the Firewall.

I want a computer on the inside, 10.10.10.10, to send to 60.60.60.60, and when the traffic hits the firewall, static NAT the destination to 50.50.50.50.

How will the static NAT look?
trojan81 asked:

harbor235 commented:
Why do you want to NAT it? Just route it, or use identity NAT:

static (inside,BlueDMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

else

static (inside,BlueDMZ) 60.60.60.60 10.10.10.10 netmask 255.255.255.255


harbor235 ;}
0
JZeolla commented:
# access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
# static (BlueDMZ,inside) 60.60.60.60 access-list nat-me

That'll do what you're asking.  Let me know how it works.
0

harbor235 commented:
Here is the correct command syntax for regular static NAT:

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]


Here is the policy NAT syntax. It is incorrect in jzeolla's post, but the overall method is correct.

static (real_interface,mapped_interface) mapped_ip, access-list acl_name

good link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html


harbor235 ;}
0

trojan81 (Author) commented:
harbor, the reason for doing this is assume I can't route 50.50.50.0/24.

I need to adjust this question... now I have to assume I can't route 50.50.50.0/24.

If I pick an unused IP on the inside interface (10.0.0.10) and NAT that to 50.50.50.50 would that work?

Meaning if I do this:

static (inside,BlueDMZ) 10.0.0.10 50.50.50.50 netmask 255.255.255.255


Would it accomplish this: the user sends to 10.0.0.10, the traffic hits the firewall, gets destination NAT'd to 50.50.50.50 and is sent to BlueDMZ?
0
JZeolla commented:
@trojan81

Please use my configuration, it is valid.  

@harbor235

My configuration is not incorrect... It is a policy based static DESTINATION NAT. Please do not make misleading and inaccurate comments.  

What it will do is this:
1. If 10.10.10.10 makes an outbound connection to 60.60.60.60, the destination 60.60.60.60 will be NATted to 50.50.50.50.
2. All traffic arriving inbound on the dmz interface coming from 50.50.50.50 destined for 10.10.10.10, will be source NATted behind 60.60.60.60.

If you need a further explanation just let me know.  Thanks,

JZeolla
0
trojan81 (Author) commented:
JZeolla, yes your suggestion worked. Thank you!

I had the interfaces in the brackets backwards.

Also thank you too, Harbor!
0
harbor235 commented:
That's nice, but it kind of defeats the purpose if a DMZ host can initiate a connection to the inside network. Inside to DMZ should be allowed, and DMZ to outbound. The DMZ can participate in a flow that was originated from the inside, but it cannot originate one to the inside. Just because it works does not mean you should do it.

My config is source nat and the connection must originate from the inside, and it works as well.


harbor235 ;}
0
JZeolla commented:
@harbor235

That is not the role of NAT, NAT is only used to obfuscate and translate addresses (Or not do so, with NAT exemptions).  Controlling traffic should be done by ACLs.  Also, it does not defeat the purpose of a DMZ, they are meant to RESTRICT access not STOP access.  There are tons of cases where DMZ servers would require traffic be initiated inbound.  

Also, it doesn't matter if I set it up for inside to DMZ, or DMZ to inside the rule would work both ways no matter how it's applied.  Again, this is because it is not NAT's job to restrict traffic.  

Finally, your configuration wouldn't even work in this situation, so I'm not sure why you're arguing.  You posted a configuration that would either identity NAT (Doesn't fix anything) or NAT the inside to 60.60.60.60, which also doesn't fix anything.  You incorrectly analyzed the question and falsely accused my configuration of being wrong and you still got points.  You should be happy.
0
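As an added illustration (not part of the thread, and not Cisco code), this small Python model of the accepted policy static NAT entry shows the two behaviours JZeolla describes above: the translation is applied in both directions, and by itself it neither permits nor denies anything, which is exactly why the later argument about DMZ-initiated traffic belongs to the ACLs rather than to NAT. Interface names, hosts and the "interfaces backwards" mistake come from the thread; the packet and rule structures are this example's own simplification.

```python
# Added model of an ASA 8.2 policy static NAT entry (not Cisco code):
#   access-list nat-me permit ip host 50.50.50.50 host 10.10.10.10
#   static (BlueDMZ,inside) 60.60.60.60 access-list nat-me
# It only rewrites addresses. Whether a packet is allowed is a separate
# ACL decision, so nothing here ever drops a packet.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    ingress: str  # nameif of the interface the packet arrives on
    src: str
    dst: str


@dataclass(frozen=True)
class PolicyStatic:
    real_if: str    # where the real host lives (BlueDMZ)
    mapped_if: str  # where the mapped address is seen (inside)
    mapped_ip: str  # 60.60.60.60
    acl_src: str    # real host matched by the ACL (50.50.50.50)
    acl_dst: str    # peer matched by the ACL (10.10.10.10)


def translate(pkt: Packet, nat: PolicyStatic) -> Packet:
    """Return the packet as it leaves the firewall after this NAT entry."""
    # Mapped-side peer talking to the mapped address: destination is
    # un-translated to the real host (trojan81's outbound case).
    if (pkt.ingress == nat.mapped_if and pkt.dst == nat.mapped_ip
            and pkt.src == nat.acl_dst):
        return replace(pkt, dst=nat.acl_src)
    # Real host talking to the ACL peer: source becomes the mapped address.
    # The same entry translates this direction too; nothing blocks it.
    if (pkt.ingress == nat.real_if and pkt.src == nat.acl_src
            and pkt.dst == nat.acl_dst):
        return replace(pkt, src=nat.mapped_ip)
    return pkt  # no entry matches: forwarded untranslated


NAT_ME = PolicyStatic("BlueDMZ", "inside", "60.60.60.60", "50.50.50.50", "10.10.10.10")
# The same statement with the interfaces "backwards", as trojan81 first had it.
NAT_ME_REVERSED = PolicyStatic("inside", "BlueDMZ", "60.60.60.60", "50.50.50.50", "10.10.10.10")


def demo() -> dict:
    outbound = Packet("inside", "10.10.10.10", "60.60.60.60")      # constructed
    dmz_initiated = Packet("BlueDMZ", "50.50.50.50", "10.10.10.10")  # constructed
    return {
        "outbound_dst": translate(outbound, NAT_ME).dst,            # 50.50.50.50
        "dmz_initiated_src": translate(dmz_initiated, NAT_ME).src,  # 60.60.60.60
        "reversed_dst": translate(outbound, NAT_ME_REVERSED).dst,   # 60.60.60.60 (no match)
    }
```

Run `demo()` to see that the reversed interface order leaves 60.60.60.60 untranslated, which matches the symptom described in the thread.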