harmesh88
New Member
November 29, 2019
Question

Source and Destination NAT in One Policy

  • 3 replies
  • 7031 views
Dear Team,

In our environment we are going to deploy a Cisco Expressway C and E setup with a single NIC.

So I want the NAT translation below.

Can you please help us to write a rule for the requirement below.

Direction   Source Original   Destination Original   Source Translated   Destination Translated
Forward     10.10.10.8        2.2.2.2                1.1.1.1             10.10.10.9
Return      10.10.10.9        1.1.1.1                2.2.2.2             10.10.10.8

Actually we are normally doing destination NAT by VIP and source NAT by enabling NAT in the policy.

This requirement has both NATs, so I need to know how to write a policy with source and destination NAT.

Please let us know.

Find the reference at the URL below:

https://ciscokoolaid.wordpress.com/2016/08/05/expressway-single-nic-asa-nat-reflection/

Regards,

Harmesh Yadav


    3 replies

    Nikhil_Chaudhari
    New Member
    November 29, 2019

    Hi Harmesh,

    Please configure a Virtual IP for Cisco Expressway-E with the public IP, keeping the external interface as "any".

    Add a policy from your Cisco Expressway-C to the Cisco Expressway-E server with source as Cisco Expressway-C, destination as the VIP (Cisco Expressway-E) and service as per suggestion. (This policy will be from the same interface to the same interface, which can also be called hairpin NAT.)

    And then configure a policy from outside to inside for accessing Expressway-E services from outside.

    Hope this will resolve your issue.

    Thanking you.

    Regards,

    Nikhil Chaudhari

    emnoc
    New Member
    November 29, 2019

    FWIW, since this is an FTNT forum: yes, you can do SNAT/DNAT in the same policy-id as well.

    Ken Felix


    harmesh88 (Author)
    New Member
    December 5, 2019

    When I am doing a hairpin NAT policy it will automatically do source NAT.

    My requirement is:

    Source 10.10.10.8 should reach the public IP of 10.10.10.9 (1.1.1.1).

    When the packet is going to 1.1.1.1 it will be translated with the gateway IP 10.10.10.1 (the gateway IP of 10.10.10.8).

    harmesh88 (Author)
    New Member
    December 6, 2019

    Dear Team,

    When we are doing hairpin NAT:

    Our customer has a FortiGate installed with firmware version 5.2.2.

    We need communication between local IP 10.10.10.8 --> PUB IP 1.1.1.1 (10.10.10.9 local IP).

    When 10.10.10.8 is going to communicate with 1.1.1.1 it will change the source to its gateway IP address.

    We don't want source NAT; it should talk directly from 10.10.10.8 to the PUB IP 1.1.1.1.

    How can we do it?

    boneyard
    Valued Contributor
    December 7, 2019

    Disable NAT on the firewall policy which allows this.

    You can also put the VIP which does the translation in an interface-to-same-interface policy.
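As an added example (not configuration posted by anyone in this thread), here is how the advice above looks in FortiOS CLI: a static VIP with external interface "any" (Nikhil's reply), an internal-to-internal hairpin policy that uses the VIP as destination with NAT disabled so 10.10.10.8 is kept as the source (boneyard's reply), the outside-to-inside policy, and, as an alternative, the SNAT-plus-DNAT-in-one-policy form that emnoc refers to. The interface names "internal" and "wan1", the object names and the use of service "ALL" are assumptions; the IP addresses are the ones from the thread. The command syntax is the general FortiOS CLI and should be checked against the 5.2.2 release the customer runs before use.

```text
# Added example for this thread, not posted by any participant.
# Interface names ("internal", "wan1"), object names and the service
# choice are assumptions; the IP addresses come from the thread.

# Address object for Expressway-C on the single internal segment.
config firewall address
    edit "expressway-c"
        set subnet 10.10.10.8 255.255.255.255
    next
end

# Static VIP: public 1.1.1.1 maps to Expressway-E at 10.10.10.9.
# extintf "any" lets the same VIP match traffic arriving from the
# outside and from the inside (hairpin).
config firewall vip
    edit "vip-expressway-e"
        set extip 1.1.1.1
        set extintf "any"
        set mappedip "10.10.10.9"
    next
end

config firewall policy
    # Hairpin policy: same interface in and out, VIP as destination.
    # "set nat disable" keeps 10.10.10.8 as the source instead of
    # rewriting it to the gateway address 10.10.10.1.
    # "ALL" is a placeholder: restrict to the Expressway ports in use.
    edit 0
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "expressway-c"
        set dstaddr "vip-expressway-e"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Expressway-C to Expressway-E via public VIP, no SNAT"
    next

    # Outside-to-inside policy for public clients reaching Expressway-E.
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-expressway-e"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Internet to Expressway-E"
    next
end

# Alternative hairpin policy: destination NAT (the VIP) and source NAT
# (an IP pool) in the same policy. Use this INSTEAD of the first policy
# above when the source must be translated to a fixed public address
# rather than to the interface IP 10.10.10.1. 2.2.2.2 is the second
# public address in the question's table, used only as an example pool.
config firewall ippool
    edit "pool-expressway-c"
        set startip 2.2.2.2
        set endip 2.2.2.2
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "expressway-c"
        set dstaddr "vip-expressway-e"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-expressway-c"
        set comments "Expressway-C to Expressway-E, SNAT and DNAT in one policy"
    next
end
```

One check before relying on the no-SNAT hairpin: the FortiGate only sees the reply if Expressway-E sends it back through the firewall. With 10.10.10.8 and 10.10.10.9 on the same subnet, Expressway-E answers 10.10.10.8 directly, while 10.10.10.8 is expecting the answer from 1.1.1.1, so the TCP handshake fails; this is the reason hairpin policies normally keep source NAT on, and why the second policy translates the source to an address that Expressway-E must route back via the FortiGate. Confirm the actual behaviour with the FortiGate sniffer, for example `diagnose sniffer packet internal 'host 10.10.10.9' 4`, and check whether the inner leg shows source 10.10.10.8 or 10.10.10.1 and whether the reply passes the firewall at all.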