Normally when I set up a Public to Private NAT on a Cisco ASA firewall (version 8.3+) I have one outside interface and one inside interface. Recently I was asked to set up a Public to Private mapping on two internal interfaces. The NAT had been in place for a while; then the systems team wanted to add another function that communicates with the same outside IP address, but from another DMZ on the firewall.

At first, I went to the existing object and issued the nat statement with the new DMZ interface name. Once I did this, it removed the existing NAT statement. After some digging, I figured out that each NAT statement needs its own object. Below is an example of the configuration needed to NAT the same address on two different internal interfaces.

Outside Public IP = 192.168.1.55
Inside Private IP = 10.10.10.55

object network snat-10.3.255.15-DMZ-1
 host 192.168.1.55
 nat (outside,DMZ-1) static 10.10.10.55

object network snat-10.3.255.15-DMZ-2
 host 192.168.1.55
 nat (outside,DMZ-2) static 10.10.10.55

As you can see, the two objects use the same public and private IPs; the key is that each object has a different name. Once you do this, you will have two similar lines in the xlate table (check with show xlate), one for each internal interface.
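To make the pitfall concrete, here is an added example (not from the post or from Cisco) that models the ASA 8.3+ object-NAT rule in Python: a network object carries at most one nat line, so issuing a second nat under the same object replaces the first, while one object per internal interface yields one translation each. The parser, the NetworkObject class and the two constructed configs are hypothetical illustrations, not Cisco tooling.

```python
"""Added example (not from the post or Cisco): a tiny model of the ASA 8.3+
rule that a network object carries at most one 'nat' line, so a second
'nat' issued under the same object silently replaces the first."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)$")

@dataclass
class NetworkObject:
    name: str
    host: Optional[str] = None
    nat: Optional[Tuple[str, str, str]] = None  # (real_ifc, mapped_ifc, mapped_ip)

def apply_config(lines: List[str]) -> Dict[str, NetworkObject]:
    """Walk config lines the way the CLI does: 'object network' opens an object,
    'host' sets its real address, and each 'nat' overwrites the object's previous one."""
    objects: Dict[str, NetworkObject] = {}
    current: Optional[NetworkObject] = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split(None, 2)[2]
            current = objects.setdefault(name, NetworkObject(name))
        elif current and line.startswith("host "):
            current.host = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            current.nat = (m.group(1), m.group(2), m.group(3))
    return objects

def static_translations(objects: Dict[str, NetworkObject]) -> Set[Tuple[str, str, str, str]]:
    """Translations the box would install: (real_ifc, real_ip, mapped_ifc, mapped_ip)."""
    return {(o.nat[0], o.host, o.nat[1], o.nat[2])
            for o in objects.values() if o.host and o.nat}

def missing_interfaces(lines: List[str], wanted: Set[str]) -> Set[str]:
    """Internal interfaces in 'wanted' that end up with no translation at all."""
    have = {x[2] for x in static_translations(apply_config(lines))}
    return wanted - have

# Constructed configs: the first attempt (both nat lines on one object) and
# the working one from the post (one object per internal interface).
ONE_OBJECT = """object network snat-10.3.255.15-DMZ-1
 host 192.168.1.55
 nat (outside,DMZ-1) static 10.10.10.55
 nat (outside,DMZ-2) static 10.10.10.55""".splitlines()
TWO_OBJECTS = ONE_OBJECT[:3] + ["object network snat-10.3.255.15-DMZ-2",
                                " host 192.168.1.55",
                                " nat (outside,DMZ-2) static 10.10.10.55"]
```

Running missing_interfaces(ONE_OBJECT, {"DMZ-1", "DMZ-2"}) reports DMZ-1 as lost, which is exactly what the first attempt in the post did; the two-object config leaves nothing missing.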