
Cisco ASA policy based static destination NAT

April 24th, 2009

The Cisco documentation (for example this) explains how to do policy based source NATting on a Cisco ASA device. However, it doesn't explain how to do the same for policy based destination NAT. A colleague (hi, Kristof! :P) and I have been trying to get policy based static destination NATting working on an ASA.

First of all, policy or host-based static source NAT translates the source of a connection to another IP address only when connecting to a specific host. This kind of NATting is explained in the Cisco document.

For example, let's assume host 192.168.10.1 ('behind' the inside interface of the ASA) wants to connect to host 10.0.10.1 (on the dmz interface of the ASA) and we want the source (192.168.10.1) to be translated to 172.16.10.1, but only for this specific connection.

On the ASA, the following will do the trick:

asa(config)# access-list nat-me permit ip host 192.168.10.1 host 10.0.10.1
asa(config)# static (inside,dmz) 172.16.10.1 access-list nat-me

The real source IP address (192.168.10.1) is translated to 172.16.10.1 only if traffic is destined for 10.0.10.1. The same static entry will also change the destination address from 172.16.10.1 to 192.168.10.1 if traffic is sourced from host 10.0.10.1. So far so good.

Now suppose we again want to connect from 192.168.10.1 to 10.0.10.1, but, for the sake of argument, we cannot connect directly to 10.0.10.1 because of a company policy saying that no 10.0.0.0/8 address may be used or seen on the inside network. We can use another address, namely 172.16.10.1. So we want 192.168.10.1 to connect to 172.16.10.1, which is translated on the ASA to the real IP address, 10.0.10.1, on the dmz interface. So instead of a policy based source NAT, we are going to create a policy based destination NAT.

On the ASA, we have to configure the following:

asa(config)# access-list nat-me permit ip host 10.0.10.1 host 192.168.10.1
asa(config)# static (dmz,inside) 172.16.10.1 access-list nat-me

This will do two things:
1. If 192.168.10.1 makes an outbound connection to 172.16.10.1, the destination 172.16.10.1 will be NATted to 10.0.10.1.
2. All traffic arriving inbound on the dmz interface coming from 10.0.10.1 and destined for 192.168.10.1 will be source NATted behind 172.16.10.1.

The syntax is a little weird, but it does seem to work :)

As an extra, if we do the following:

asa(config)# access-list nat-me permit ip host 10.0.10.1 host 192.168.10.1
asa(config)# static (dmz,inside) 172.16.10.1 access-list nat-me
asa(config)# access-list nat-me permit ip host 10.0.10.2 host 192.168.10.1
asa(config)# access-list nat-me permit ip host 10.0.10.3 host 192.168.10.1

The following will happen:
1. If 192.168.10.1 makes an outbound connection to 172.16.10.1, the destination 172.16.10.1 will be NATted to 10.0.10.1. It will never be NATted to 10.0.10.2 or 10.0.10.3, as far as we've been able to tell.
2. All traffic arriving inbound on the dmz interface coming from 10.0.10.1, 10.0.10.2 or 10.0.10.3 and destined for 192.168.10.1 will be source NATted behind 172.16.10.1.

Note: If you want to add multiple access-list entries (as in our last example), you'll have to add them after you've put in the static, otherwise you'll get an error when trying to add those extra entries.
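To make the matching rules above easier to reason about (the source NAT static, the destination NAT static, and the multi-entry variant), here is a small Python model of how a `static ... access-list` entry decides what to translate. This is an added example written for this post, not code from the post's author or from Cisco, and it only encodes the behaviour the post reports: leaving the first-named (real) interface, a packet is source NATted when (source, destination) matches any entry; arriving on the second-named (mapped) interface for the mapped address, the destination is rewritten to the source of the first entry whose destination is the sender. Interface names, the `Packet` type and the helper names are this example's own assumptions. Note also that this is the pre-8.3 `static` syntax; ASA 8.3 and later replace it with object and twice NAT.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, written from the real (first-named) interface's side."""
    src: str  # real-side host
    dst: str  # host on the mapped side


@dataclass(frozen=True)
class PolicyStatic:
    """Model of: static (real_if,mapped_if) mapped_ip access-list <acl>."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    acl: List[Ace]  # entries in configured order


@dataclass(frozen=True)
class Packet:
    in_if: str  # interface the packet arrives on (assumed name)
    src: str
    dst: str


def translate(rule: PolicyStatic, pkt: Packet) -> Optional[Packet]:
    """Apply one policy static to a packet.

    Returns the translated packet, or None when the static does not match
    (the ASA would then fall through to its other NAT rules).
    """
    if pkt.in_if == rule.real_if:
        # Traffic from the real interface: source NAT when (src, dst) matches any entry.
        for ace in rule.acl:
            if pkt.src == ace.src and pkt.dst == ace.dst:
                return Packet(pkt.in_if, rule.mapped_ip, pkt.dst)
        return None
    if pkt.in_if == rule.mapped_if and pkt.dst == rule.mapped_ip:
        # Traffic from the mapped interface to the mapped address: destination NAT.
        # The real host is the source of the FIRST entry whose destination is the sender,
        # which is why the extra entries in the post never produce 10.0.10.2 or 10.0.10.3.
        for ace in rule.acl:
            if pkt.src == ace.dst:
                return Packet(pkt.in_if, pkt.src, ace.src)
    return None


# The three configurations from the post, as data (addresses taken from the post).
# static (inside,dmz) 172.16.10.1 access-list nat-me
SOURCE_NAT = PolicyStatic("inside", "dmz", "172.16.10.1",
                          [Ace("192.168.10.1", "10.0.10.1")])

# static (dmz,inside) 172.16.10.1 access-list nat-me
DEST_NAT = PolicyStatic("dmz", "inside", "172.16.10.1",
                        [Ace("10.0.10.1", "192.168.10.1")])

# Same static, with the two extra access-list entries added afterwards.
DEST_NAT_MULTI = PolicyStatic("dmz", "inside", "172.16.10.1",
                              [Ace("10.0.10.1", "192.168.10.1"),
                               Ace("10.0.10.2", "192.168.10.1"),
                               Ace("10.0.10.3", "192.168.10.1")])


if __name__ == "__main__":
    # Constructed sample packets covering both directions of each static.
    cases = [
        ("source NAT, inside->dmz", SOURCE_NAT, Packet("inside", "192.168.10.1", "10.0.10.1")),
        ("source NAT, dmz->inside", SOURCE_NAT, Packet("dmz", "10.0.10.1", "172.16.10.1")),
        ("dest NAT, inside->dmz", DEST_NAT, Packet("inside", "192.168.10.1", "172.16.10.1")),
        ("dest NAT, dmz->inside", DEST_NAT, Packet("dmz", "10.0.10.1", "192.168.10.1")),
        ("multi, inside->dmz", DEST_NAT_MULTI, Packet("inside", "192.168.10.1", "172.16.10.1")),
        ("multi, dmz->inside from .3", DEST_NAT_MULTI, Packet("dmz", "10.0.10.3", "192.168.10.1")),
        ("multi, unmatched sender", DEST_NAT_MULTI, Packet("dmz", "10.0.10.4", "192.168.10.1")),
    ]
    for label, rule, pkt in cases:
        print(f"{label:28} {pkt.src} -> {pkt.dst}  =>  {translate(rule, pkt)}")
```

Running the script prints each sample packet before and after translation; the "multi" cases show the asymmetry the post observed, with all three dmz hosts hidden behind 172.16.10.1 while the inside host always reaches 10.0.10.1.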

Have fun!

Laurens ASA, Cisco, NAT, Tips, Tricks
