Using ASA/PIX with policy NAT to map an inside host
Possible scenarios when using policy NAT would be:
- a LAN has private IP addresses that connect to the Internet using NAT overload; one host from this LAN needs to be accessed from outside with a public IP address only from certain hosts
- a branch of an organization has a testbed with IP addresses that are routed only in the local network. In order to give access from other hosts in the intranet to a host in the testbed a PIX/ASA firewall is used to map the private IP address of the testbed host to a enterprise-wide routed IP that will be accessed only from authorised IPs.
We'll be tackling the latter situation. Here's the network diagram of our example:
Networks behind R are: a enterprise-routed VLAN (10.100.1.0/24) and a testbed VLAN (192.168.0.0/24) which only has static routes on R and FW. The desire is that host H2 could be accessed from the outside of the FW, only from 10.200.1.2. The IP address that will be mapped on the FW should be from the 10.100.1.0/24 subnet.
This can be accomplished using policy NATting on the FW firewall. In order to do this we need to create an ACL that will filter only specified IP pairs that will trigger NAT. The translation policy should look like this:
access-list acl_name permit ip real_ip real_mask foreign_ip foreign_mask
To keep the ACL manageable we'll use on object-group that contains the foreign_ip
object-group network mapping
description List of IPs that can do policy NAT
network-object host 10.200.1.2
The ACL in our case is:
access-list policynat extended permit ip host 192.168.0.2 object-group mapping
Finally, to do the mapping we'll use a static translation:
static (inside,outside) 10.100.1.3 access-list policynat
10.100.1.3 is the mapped IP address. To test the configuration ping 10.100.1.3 from 10.200.1.2. The result is that FW will translate 10.100.1.3 to 192.168.0.2 which takes the route through R and then H2.
ciscoasa# sh natuntranslate_hits
NAT policies on Interface inside:
match ip inside host 192.168.0.2 outside host 10.200.1.2
static translation to 10.100.1.3
translate_hits = 10, untranslate_hits = 3
are traffic from IPs other than 10.200.1.2