[c-nsp] Possible to make NAT decisions based on source address, on ASA?
Andy Dills
andy at xecu.net
Thu May 17 22:42:58 EDT 2012
On Thu, 17 May 2012, Peter Rathlev wrote:
> On Thu, 2012-05-17 at 14:36 -0400, Andy Dills wrote:
> > So, in essence, I want to consider source address when determining which
> > server on the private network the traffic is NATed to.
> >
> > Is this possible?
>
> No problem. Take a look at "Configuring Dynamic NAT or Dynamic PAT":
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1081940
>
> This is for 8.2 and earlier with the "old" NAT configuration style. With
> version 8.3 or later the commands are different.
>
> Quick example:
>
> ! Policy NAT 20.0.0.0/24 towards 5.5.5.5
> access-list PolicyNAT-example permit ip 20.0.0.0 255.255.255.0 host 5.5.5.5
> nat (inside) 1 access-list PolicyNAT-example
> global (outside) 1 10.0.0.100
> ! Regular NAT everything else
> nat (inside) 2 0.0.0.0 0.0.0.0
> global (outside) 2 10.0.0.200
Yeah, I had looked at that, and it's not quite what I'm trying to
accomplish.

What I want is to take a single public IP and NAT it to two separate
private IPs, based on source address of the incoming request.

As best I can tell policy NAT is used in situations (such as what you
describe above) where you're trying to dynamically control the source of
queries after translation...

Thanks for your input, and for any other suggestions.
Thanks,
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---