ASA Static Policy NAT and PAT

I am having trouble understanding the logic behind this nat command. In all previous examples the translated address was given in the command after the interfaces. However, here we specify an interface after the interfaces, and the translated address is in the ACL. When you specify the interface keyword it seems to change the logic.

Task: Telnet sessions sourced from R1's Loopback0 and destined to ASA1's VLAN 49 should be redirected to R2's Loopback0.

Solution:

access-list R2_LO0_NAT permit tcp host 150.1.2.2 eq 23 host 150.1.1.1
static (VLAN59,VLAN49) tcp interface 23 access-list R2_LO0_NAT

Comments

  • Hi,

        It is the same: the "interface" keyword, being the ASA interface IP address, means that's the translated address. The way you read the NAT statement, if you had to expand the ACL, would be:

    static (VLAN59,VLAN49) tcp interface 23 150.1.2.2 23 (if source is 150.1.1.1)

    Regards,
    Cristian.
  • Ok, I get it now. The task asks for traffic from R1 to R2 (VLAN49 to VLAN59). It asks you to translate the DESTINATION address from ASA1 VLAN49 to R2 Lo0. Seeing how we are translating a destination, we need to flip the flow around and create the policy.

    So when we flip the flow, traffic is now flowing from R2 to R1 (VLAN59 to VLAN49). The traffic is SOURCED from R2 Lo0, DST to R1 Lo0. That gives us our ACL SRC and DST IPs, with the TCP port for telnet as a source port, because telnet is directed at R2. And we are translating our SRC R2 Lo0 to the ASA1 VLAN49 interface, which gives us the interface keyword in the MAPPED portion of the command.

    Thanks for helping me understand better. Having more experience with 8.3 NAT, we don't need to flip the flow to make it work. However, pre-8.3 we need to flip the flow to get the translation right.
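The translation logic that the solution and the two comments above walk through, written out as a small Python model. This is an added example, not code from the original post or from Cisco: it encodes the pre-8.3 rule that the access-list of a policy static is written from the real side's point of view (R2 Lo0 port 23 towards R1 Lo0), so a packet arriving on the mapped side (R1 Lo0 towards the VLAN49 interface) has to be matched with source and destination swapped before its destination is rewritten. The VLAN49 interface address is not given in the post; 192.168.49.1 is an assumed placeholder, and the packets at the bottom are constructed for the walk-through.

```python
# Added example, not from the post: a model of how a pre-8.3 ASA applies
#   static (real_ifc,mapped_ifc) tcp interface <mapped_port> access-list <acl>
# The ACL is read as written for real->mapped traffic (R2 -> R1) and with
# source/destination flipped for mapped->real traffic (R1 -> VLAN49 interface).
from dataclasses import dataclass, replace
from typing import Optional

VLAN49_IF_IP = "192.168.49.1"   # ASSUMED placeholder: ASA1 VLAN49 interface address
R1_LO0 = "150.1.1.1"            # from the post
R2_LO0 = "150.1.2.2"            # from the post


@dataclass(frozen=True)
class Packet:
    ifc: str        # interface the packet arrives on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> permit <proto> host A [eq p] host B [eq q]' line.
    A port of None means any port."""
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
        return (self.proto == proto and self.src_ip == src_ip and self.dst_ip == dst_ip
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


@dataclass(frozen=True)
class StaticPolicyNat:
    """static (real_ifc,mapped_ifc) <proto> <mapped_ip> <mapped_port> access-list <acl>"""
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str      # the 'interface' keyword resolves to the mapped interface's IP
    mapped_port: int
    acl: tuple

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if this static does not apply."""
        if pkt.proto != self.proto:
            return None
        if pkt.ifc == self.real_ifc:
            # Real -> mapped (R2 Lo0 -> R1 Lo0): ACL read as written, SOURCE is rewritten
            # to the mapped socket, i.e. the VLAN49 interface address, port 23.
            for ace in self.acl:
                if ace.matches(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                    return replace(pkt, ifc=self.mapped_ifc,
                                   src_ip=self.mapped_ip, src_port=self.mapped_port)
            return None
        if pkt.ifc == self.mapped_ifc:
            # Mapped -> real (R1 Lo0 -> VLAN49 interface): the "flipped" flow.
            # The destination must be the mapped socket, the packet SOURCE must equal
            # the ACL DESTINATION, and the DESTINATION is rewritten to the ACL SOURCE
            # (the real address and real port, R2 Lo0 port 23).
            if (pkt.dst_ip, pkt.dst_port) != (self.mapped_ip, self.mapped_port):
                return None
            for ace in self.acl:
                if (ace.proto == pkt.proto and ace.dst_ip == pkt.src_ip
                        and ace.dst_port in (None, pkt.src_port)):
                    real_port = ace.src_port if ace.src_port is not None else pkt.dst_port
                    return replace(pkt, ifc=self.real_ifc, dst_ip=ace.src_ip, dst_port=real_port)
            return None
        return None


# The configuration from the post, as data.
R2_LO0_NAT = (AclEntry("tcp", R2_LO0, 23, R1_LO0, None),)
STATIC = StaticPolicyNat("VLAN59", "VLAN49", "tcp", VLAN49_IF_IP, 23, R2_LO0_NAT)

# Constructed packets for the walk-through (150.1.3.3 is an invented third host).
TELNET_FROM_R1 = Packet("VLAN49", "tcp", R1_LO0, 40001, VLAN49_IF_IP, 23)
REPLY_FROM_R2 = Packet("VLAN59", "tcp", R2_LO0, 23, R1_LO0, 40001)
SSH_FROM_R1 = Packet("VLAN49", "tcp", R1_LO0, 40002, VLAN49_IF_IP, 22)
TELNET_FROM_OTHER = Packet("VLAN49", "tcp", "150.1.3.3", 40003, VLAN49_IF_IP, 23)


def redirected_destination(pkt: Packet):
    """Where a packet entering the mapped side is sent, or None if untouched."""
    out = STATIC.apply(pkt)
    return None if out is None else (out.dst_ip, out.dst_port)


def translated_source(pkt: Packet):
    """What a packet leaving the real side looks like to the mapped side, or None."""
    out = STATIC.apply(pkt)
    return None if out is None else (out.src_ip, out.src_port)


if __name__ == "__main__":
    print("R1 telnet to VLAN49 ->", redirected_destination(TELNET_FROM_R1))
    print("R2 reply seen by R1 from", translated_source(REPLY_FROM_R2))
    print("R1 ssh to VLAN49 ->", redirected_destination(SSH_FROM_R1))
    print("other host telnet ->", redirected_destination(TELNET_FROM_OTHER))
```

Only the R1-sourced telnet hits the static: SSH to the same interface and telnet from any other source fall through untouched, which is exactly the policy condition the ACL adds. A real ASA builds one xlate on the first packet and uses it for the reply; the model applies the rule per direction only to show why the ACL has to be written from R2's side.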
