Solved

policy and static NAT

Posted on 2013-10-25
3
535 Views
Last Modified: 2013-11-09
Experts,

NAT on an ASA 8.2.5 code.

I have a policy based NAT below that translates 50.50.50.13 to appear as 10.20.20.20 when it initiates traffic to 10.10.10.10

access-list nat123 extended permit ip host 50.50.50.13 host 10.10.10.10
nat (dmz) 1005 access-list nat123
global (inside) 1005 10.20.20.20

I have the below static NAT that translates the destination of 10.20.20.20 to 50.50.50.13 when traffic is received on the inside interface.

static (dmz,inside) 10.20.20.20 50.50.50.13 netmask 255.255.255.255

My question, is there a way I can accomplish both with just 1 STATIC NAT? Can I add something to the end of the static NAT to make it apply the other way (when 50.50.50.13 initiates the traffic)?  Or would both be needed to do the source and destination NAT. Assume that I can't route 50.50.50.13 in my internal network and that's why I am doing this.
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:trojan81
ID: 39603291
anyone?
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39604957
Take a look here, this is called Twice NAT, the one you are looking for

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_rules.html#wp1132640
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 500 total points
ID: 39604963
By the way, your static NAT works both ways by default

static (dmz,inside) 10.20.20.20 50.50.50.13 netmask 255.255.255.255

You just need a policy static NAT


access-list nat123 extended permit ip host 50.50.50.13 host 10.10.10.10
static (inside,dmz) 10.20.20.20 access-list nat123

This one will work both ways with your policy (traffic from 50.50.50.13 to 10.10.10.10)
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question