Cisco ASA Twice-NAT

This is a real world scenario where I needed to route traffic from a private subnet via secondary router when a particular set of servers on a secure external network needed to be accessed.All three VLANs on the ASA were private subnets so NAT had been configured to allow traffic to be routed correctly.

!
object network inside_network_subnet  
  subnet 10.0.30.0 255.255.255.0  
object network dmz_network_subnet  
  subnet 10.0.20.0 255.255.255.0  
!  
nat (inside,outside) source dynamic inside_network_subnet interface  
nat (dmz,outside) source dynamic dmz_network_subnet interface  
!  
route outside 0.0.0.0 0.0.0.0 10.0.10.2 1  
!
To make this work without configuring the routes on each PC behind the ASA we need to configure TWICE-NAT to match packets attempting to access the secure network and NAT them to the DMZ interface. From there a route is configured on the DMZ interface to route these packets to the secure network router.
!
object network secure_network  
  subnet 10.1.1.2 255.255.255.0  
!  
nat (inside,dmz) source dynamic inside_network_subnet interface destination static secure_network secure_network  
!  
route dmz 10.1.1.2 255.255.255.0 10.0.20.2 1  
!

asa_double_nat

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: