As we know, the conventional NAT functionality on Cisco devices (routers, ASA firewalls etc) translates the SOURCE IP address to something else. There is also the so called “Destination based NAT” (or you may see it referred as “Reverse NAT”) which changes the destination IP address. Here we will deal with conventional source based NAT with a policy.
Sometimes we need to change the source IP address to another source address (lets call it “translated-A”) when we are communicating with “destination-A”, and also change the source IP to “translated-B” when we are communicating with “destination-B”.
So, to be clearer, the scenario is the following:
- When internal host 192.168.1.1 wants to communicate with external host 100.100.100.1, then the internal host must be translated to 50.50.50.1
- When the internal host 192.168.1.1 wants to communicate with external host 200.200.200.1, then the internal host must be translated to 50.50.50.2
We can achieve the functionality above with Policy-Based NAT.
Configuration Example:
Assume that the internal host 192.168.1.1 is connected to the inside interface of ASA. We have also in our possession the public IP range 50.50.50.0/24. We will use the public IP range to translate our internal host according to the destination.
! First create the access lists for the policy NAT
ASA(config)# access-list POLICYNAT-A extended permit ip host 192.168.1.1 host 100.100.100.1
ASA(config)# access-list POLICYNAT-B extended permit ip host 192.168.1.1 host 200.200.200.1
! Now create the static NAT translation for Destination-A
ASA(config)# static(inside,outside) 50.50.50.1 access-list POLICYNAT-A
! Now create the static NAT translation for Destination-B
ASA(config)# static(inside,outside) 50.50.50.2 access-list POLICYNAT-B
The above commands will do the following: When source address is 192.168.1.1 and destination address is 100.100.100.1, then change the source address to 50.50.50.1.
Similarly, when source address is 192.168.1.1 and destination is 200.200.200.1, then change the source address to 50.50.50.2.
The above static nat commands will only take effect if and only if the traffic is between the hosts referenced in the access-lists (either inbound or outbound traffic).
Related Posts
- Prevent Spoofing Attacks on Cisco ASA using RPF
- Configuring Connection Limits on Cisco ASA Firewalls – Protect from DoS
- Configuring AAA Authentication-Authorization-Accounting on Cisco ASA Firewall (TACACS+, RADIUS)
- Cisco ASA Firewall Management Interface Configuration (with Example)
- How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)