As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls etc) translates the SOURCE IP address to something else. There is also the so called “Destination based NAT” (or you may see it referred as “Reverse NAT”) which changes the destination IP address. Here we will deal with conventional source based NAT with a policy.
Sometimes we need to change the source IP address to another source address (lets call it “translated-A”) when we are communicating with “destination-A”, and also change the source IP to “translated-B” when we are communicating with “destination-B”.
So, to be clearer, the scenario is the following:
- When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 220.127.116.11
- When the internal host 192.168.1.1 wants to communicate with external host 18.104.22.168, then the internal host must be translated to 22.214.171.124
We can achieve the functionality above with Policy-Based NAT.
Assume that the internal host 192.168.1.1 is connected to the inside interface of ASA. We have also in our possession the public IP range 126.96.36.199/24. We will use the public IP range to translate our internal host according to the destination.
! First create the access lists for the policy NAT
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 188.8.131.52
! Now create the static NAT translation for Destination-A
ASA(config)# static(inside,outside) 184.108.40.206 access-list POLICYNAT-A
! Now create the static NAT translation for Destination-B
ASA(config)# static(inside,outside) 220.127.116.11 access-list POLICYNAT-B
The above commands will do the following: When source address is 192.168.1.1 and destination address is 100.100.100.1, then change the source address to 18.104.22.168.
Similarly, when source address is 192.168.1.1 and destination is 22.214.171.124, then change the source address to 126.96.36.199.
The above static nat commands will only take effect if and only if the traffic is between the hosts referenced in the access-lists (either inbound or outbound traffic).
- How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)
- Cisco ASA Firewall Packet Tracer for Network Troubleshooting
- How to Pass BGP Sessions through Cisco ASA Firewall (BGP Pass Through)
- Cisco ASA Virtual Firewall Configuration (with Config Example)
- Cisco ASA Master PassPhrase (How to Show Encrypted Password)