There is already an existing rule on the ASA:
So here is what I did:
Step 1. Add a new access-list PNAT-T:
access-list PNAT-T extended permit ip host 172.17.1.3 host 200.200.200.200
Step 2. Add a new policy static NAT that references that access-list:
FW1/act/pri(config)# static (dmz,outside) 200.147.90.83 access-list PNAT-T
INFO: overlap with existing static
Alphadmz:172.17.1.3 to outside:200.147.90.89 netmask 255.255.255.255
But during testing it was not working. Why? After searching online, I found it was because of the NAT order on the ASA. Let's take a look at the Cisco NAT order:
"
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the adaptive security appliance.
The tricky part is that #2 contains NAT and PAT as well as regular and policy. So there are 4 variations in that one section. They go in the order they were entered into the config.
"
Last step: adjust the order of the NAT statements so that the policy static NAT comes before the regular static NAT. Everything works like a charm!
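To make the first-match behaviour of section 2 concrete, here is an added example (not from the original post or from Cisco) that parses the pre-8.3 `static` and `access-list` lines shown above and walks them in configuration order. The config lines are constructed from the post; the interface and destination addresses used for the non-matching checks (8.8.8.8, 172.17.1.4) are arbitrary test values.

```python
import ipaddress
import re

# Constructed sample lines in pre-8.3 ASA syntax (assumed, not captured from a device).
# STATICS_BEFORE is the order the post describes initially: the regular static was
# entered before the policy static. STATICS_AFTER is the fix, policy static first.
ACLS = ["access-list PNAT-T extended permit ip host 172.17.1.3 host 200.200.200.200"]
STATICS_BEFORE = [
    "static (dmz,outside) 200.147.90.89 172.17.1.3 netmask 255.255.255.255",
    "static (dmz,outside) 200.147.90.83 access-list PNAT-T",
]
STATICS_AFTER = list(reversed(STATICS_BEFORE))

ACL_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (?:access-list (\S+)|(\S+) netmask (\S+))")


def parse_acls(lines):
    """Map ACL name -> list of (real host, destination host). Only host/host ACEs are modelled."""
    acls = {}
    for line in lines:
        name, src, dst = ACL_RE.match(line).groups()
        acls.setdefault(name, []).append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return acls


def parse_statics(lines, acls):
    """Turn each static line into (real_net, dst_net, mapped), preserving configuration order."""
    rules = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            raise ValueError("unsupported static syntax: " + line)
        _real_if, _mapped_if, mapped, acl_name, real, mask = m.groups()
        if acl_name:  # policy static: real source and destination come from the access-list
            for src_net, dst_net in acls[acl_name]:
                rules.append((src_net, dst_net, mapped))
        else:         # regular static: matches the real host for any destination
            real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            rules.append((real_net, ipaddress.ip_network("0.0.0.0/0"), mapped))
    return rules


def translate(rules, src, dst):
    """Section 2 of the NAT order: the first static that matches wins, in configuration order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_net, dst_net, mapped in rules:
        if s in real_net and d in dst_net:
            return mapped
    return None  # no static matched; later NAT sections would be consulted


if __name__ == "__main__":
    acls = parse_acls(ACLS)
    for label, lines in (("before", STATICS_BEFORE), ("after", STATICS_AFTER)):
        rules = parse_statics(lines, acls)
        print(label, translate(rules, "172.17.1.3", "200.200.200.200"))
```

With the regular static first, traffic from 172.17.1.3 to 200.200.200.200 is translated to 200.147.90.89 because the regular static matches any destination; once the policy static is above it, the same flow gets 200.147.90.83 while all other destinations still use 200.147.90.89.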
Note: To understand Cisco NAT better, the post "彻底了解CISCO NAT的一些事" will give more explanation.
Reference: