As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls, etc.) translates the SOURCE IP address of a packet to something else. There is also the so-called "Destination-based NAT" (you may also see it referred to as "Reverse NAT"), which changes the destination IP address instead. Here we will deal with conventional source-based NAT applied with a policy, i.e. the translated source address depends on the destination the host is talking to.
Sometimes we need to change the source IP address to one translated address (let's call it "translated-A") when we are communicating with "destination-A", and to a different translated address ("translated-B") when we are communicating with "destination-B".
So, to be clearer, the scenario is the following:
- When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 18.104.22.168
- When the internal host 192.168.1.1 wants to communicate with external host 22.214.171.124, then the internal host must be translated to 126.96.36.199
We can achieve the functionality above with Policy-Based NAT (policy NAT). The configuration below uses the static/access-list syntax of ASA software releases before 8.3; from 8.3 onward the same result is achieved with object-based manual (twice) NAT.
Assume that the internal host 192.168.1.1 sits behind the inside interface of the ASA. We also own a public IP range (188.8.131.52/24 in this example) from which the translated addresses are taken, one per destination.
! First create the access lists that define the policy (source AND destination) for each translation
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 22.214.171.124
! Now create the static policy NAT translation for Destination-A
ASA(config)# static (inside,outside) 18.104.22.168 access-list POLICYNAT-A
! Now create the static policy NAT translation for Destination-B
ASA(config)# static (inside,outside) 126.96.36.199 access-list POLICYNAT-B
The above commands do the following: when the source address is 192.168.1.1 and the destination address is 100.100.100.1, the source address is changed to 18.104.22.168.
Similarly, when the source address is 192.168.1.1 and the destination is 22.214.171.124, the source address is changed to 126.96.36.199.
These static NAT commands take effect only for traffic between the hosts referenced in their access lists, and they are bidirectional: outbound packets from 192.168.1.1 to 100.100.100.1 leave with the mapped source 18.104.22.168, and inbound packets from 100.100.100.1 to 18.104.22.168 are translated back to 192.168.1.1 (provided an interface access list permits them). Two things to keep in mind: policy NAT access lists may contain only permit entries, and if 192.168.1.1 also needs to reach other destinations it still needs an ordinary nat/global (or static) entry, because the policy statements match nothing else. Where several static policy entries overlap, the first one in the configuration wins, so order them from most specific to least specific.
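The same policy expressed in the object-based manual (twice) NAT syntax that replaced the static command in ASA 8.3 and later, followed by the commands used to verify which rule a flow hits. This is an added example, not configuration from the original article; the object names (INSIDE-HOST, MAPPED-A, DEST-A, MAPPED-B, DEST-B) and the port numbers in the packet-tracer tests are assumptions chosen for the example.

```cisco
! ASA 8.3+ equivalent of the policy static NAT above (added example; object names are assumed)
object network INSIDE-HOST
 host 192.168.1.1
object network MAPPED-A
 host 18.104.22.168
object network DEST-A
 host 100.100.100.1
object network MAPPED-B
 host 126.96.36.199
object network DEST-B
 host 22.214.171.124
!
! Manual (twice) NAT: the rule matches only when BOTH the source and the destination match.
! The destination object appears twice because the destination itself is not translated.
! Rules are evaluated top-down in the order shown by "show nat", so keep the more specific first.
nat (inside,outside) source static INSIDE-HOST MAPPED-A destination static DEST-A DEST-A
nat (inside,outside) source static INSIDE-HOST MAPPED-B destination static DEST-B DEST-B
!
! Verification (source port 1025 and destination port 80 are assumed test values):
! the NAT phase of the tracer output names the rule that matched, and the final lines
! show the mapped source address the packet would leave with.
packet-tracer input inside tcp 192.168.1.1 1025 100.100.100.1 80
packet-tracer input inside tcp 192.168.1.1 1025 22.214.171.124 80
!
! The rules in evaluation order, with hit counts:
show nat
! Active translations once real traffic has flowed:
show xlate
```

Running both packet-tracer commands is the quickest way to confirm that each destination selects its own rule; if the second tracer reports the MAPPED-A rule, the rules are overlapping or out of order.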