[c-nsp] Twice NAT sanity check
Randy
randy_94108 at yahoo.com
Fri Dec 13 19:00:16 EST 2013
asa 5555x ver 9.1
Is there any reason why one or both twice-nat rules below would NOT work:
object-group network Web-Real
 network-object host 10.5.0.1
 network-object host 10.5.2.10
 network-object host 10.5.3.25
object-group network Web-Mapped
 network-object host 74.209.247.50
 network-object host 208.70.89.30
 network-object host 208.72.89.31
object-group network vpn-local
 network-object 172.29.0.0 255.255.0.0
nat (web-dmz,outside) 1 source static Web-Real Web-Real destination static vpn-local vpn-local no-proxy-arp route-lookup
(section 1 of nat table ordered manually to nat-exempt)
nat (web-dmz,outside) 2 source static Web-Real Web-Mapped destination static any any no-proxy-arp route-lookup
(section 1 of nat table static NAT for all other destinations reachable via outside-int)
10.5.0.1 <-> 74.209.247.50
10.5.2.10 <-> 208.70.89.30
10.5.3.25 <-> 208.72.89.31
My google foo has failed me here and I haven't found anything by Cisco explicitly prohibiting the above.
My assumption that the above should work is based on:
Prerequisites for Twice NAT
• For both the real and mapped addresses, configure network objects or network object groups (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the "Configuring Network Objects and Groups" section in the general operations configuration guide.
Thanks,
./Randy
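Added editor's example, not from the original post or from Cisco: a small Python model of how the ASA evaluates the two manual (section 1) rules above, top-down and first match wins. It assumes that a static object-group pair translates hosts one-to-one by position, as the 10.5.0.1 <-> 74.209.247.50 table in the post implies; `lookup`, `sanity_check` and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed model of the post's object groups.
WEB_REAL = ["10.5.0.1", "10.5.2.10", "10.5.3.25"]
WEB_MAPPED = ["74.209.247.50", "208.70.89.30", "208.72.89.31"]
VPN_LOCAL = ["172.29.0.0/16"]
ANY = ["0.0.0.0/0"]

# (line, real_src, mapped_src, mapped_dst, real_dst), in ASA section-1 order.
# Line 1 is identity NAT (the VPN exemption); line 2 is the real static NAT.
RULES = [
    (1, WEB_REAL, WEB_REAL, VPN_LOCAL, VPN_LOCAL),
    (2, WEB_REAL, WEB_MAPPED, ANY, ANY),
]

def _member(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in group)

def _covers(outer, inner):
    """True if every network in `inner` lies inside some network of `outer`."""
    outer_nets = [ipaddress.ip_network(n, strict=False) for n in outer]
    return all(any(ipaddress.ip_network(i, strict=False).subnet_of(o)
                   for o in outer_nets) for i in inner)

def _translate(addr, real, mapped):
    """Identity NAT when real and mapped are the same object; else positional host map."""
    if real is mapped:
        return addr
    if len(real) != len(mapped):
        raise ValueError("static group NAT needs real/mapped groups of equal size")
    return mapped[real.index(addr)]

def lookup(src, dst):
    """Outbound web-dmz -> outside packet: (matched line, translated src, translated dst)."""
    for line, real_src, mapped_src, mapped_dst, real_dst in RULES:
        # From the real interface the source matches the real object and
        # the destination matches the mapped object; first hit wins.
        if _member(src, real_src) and _member(dst, mapped_dst):
            return (line, _translate(src, real_src, mapped_src),
                    _translate(dst, mapped_dst, real_dst))
    return None, src, dst  # no manual rule matched

def sanity_check(rules=RULES):
    """Return a list of problems: unequal static groups, or a rule shadowed by an earlier one."""
    problems = []
    for idx, (line, real_src, mapped_src, mapped_dst, _) in enumerate(rules):
        if real_src is not mapped_src and len(real_src) != len(mapped_src):
            problems.append(f"line {line}: real/mapped group sizes differ")
        for prev_line, prev_src, _, prev_dst, _ in rules[:idx]:
            if _covers(prev_src, real_src) and _covers(prev_dst, mapped_dst):
                problems.append(f"line {line}: shadowed by line {prev_line}, never matches")
    return problems
```

Swapping the two rules makes `sanity_check` report the exemption as shadowed, which is the ordering mistake the post's "ordered manually" note is guarding against.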