Configuration:
Step1: Create an object for inside network
ASA84# show run objectStep2: Add an object for dmz hosts, I firstly create object for FTP host called FTP-SERVER. This is real IP address of FTP server.
object network LAN
subnet 192.168.1.0 255.255.255.0
ASA84# show run objectStep3: Add an object for mapped IP address, in this case I use 172.16.1.13 for FTP server and name the object PAT1
object network FTP-SERVER
host 172.16.1.10
ASA84# show run objectStep4: Configure nat function inside PAT1 object
object network PAT1
host 172.16.1.13
ASA84# show run nat | grep PAT1In this command, I use dynamic nat for source address:
nat (inside,dmz) source dynamic LAN PAT1 destination static FTP-SERVER FTP-SERVER
-LAN: the real source address.
- PAT1: mapped source address.
-destination: options for dest address, because the destination address is not changed, so last two options are the same.
-FTP-SERVER (1st): mapped destination address.
-FTP-SERVER (2nd): real destination address.
Similar steps to SSH-SERVER:
Object for SSH server:
ASA84(config)# show run object172.16.1.14 is the mapped address for ssh connections from LAN.
object network SSH-SERVER
host 172.16.1.15
ASA84(config)# show run objectNAT command inside PAT2
object network PAT2
host 172.16.1.14
ASA84(config)# show run nat | grep PAT2Verify SSH connection:
nat (inside,dmz) source dynamic LAN PAT2 destination static SSH-SERVER SSH-SERVER
FTP connection:
Hi, Cuong!
ReplyDeleteI've the scenario when I should statically translate source address to 4 different addresses for 4 different destinations. Could you briefly explain how to achieve this by using twice NAT? I would really appreciate your help.
Great blog by the way:)