topic Re: Hide a subnet to another subnet - NAT in Network Security

Hide a subnet to another subnet - NAT

Ditlev Weinreich — Tue, 15 Dec 2020 08:18:49 GMT

An easy question for the experienced Cisco Community.

I'm configuring an ASA5506 for a simple task. Yes, I know - it's old, but that's what I got right now.

I need to isolate an IoT-subnet inside my LAN and I figured that the best way to do it, is to use an ASA. The IoT-subnet is 192.168.1.x/24, but I already have that subnet routed somewhere else in my LAN, so I want to use the ASA to NAT the 192.168.1.x/24 to another subnet that I can accept. I allready tried to convince the provider of the IoT-devices to change the IP's of the IoT-devices to reconfigure to the subnet I can accept, but unfortunately it's too late.

MY LAN --- (outside) ASA5506 (inside) --- 10.150.128.0/24 seen from MY LAN (but really 192.168.1.x/24)

ex. So if I ping 10.150.128.5 from MY LAN, I actually get 192.168.1.5 and so forth.

How do I do this in CLI?

Best regards

Re: Hide a subnet to another subnet - NAT

Ditlev Weinreich — Tue, 15 Dec 2020 08:55:55 GMT

Hi again

I found another discussion that is very similair to what I am trying to achieve. I'm a bit uncertain if it works. Right now I'm preconfiguring the ASA, before installing it at the location.

Can you see if I've done it right?

interface GigabitEthernet1/1
nameif RK-LAN
security-level 100
ip address 10.100.20.20 255.255.252.0
!
interface GigabitEthernet1/2
nameif CTS-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0

object network CTS-LAN
subnet 192.168.1.0 255.255.255.0
object network CTS-LAN-nat
subnet 10.150.128.0 255.255.255.0

nat (CTS-LAN,RK-LAN) source static CTS-LAN CTS-LAN-nat
route RK-LAN 0.0.0.0 0.0.0.0 10.100.1.1 1

RK-ASA-CTS# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from CTS-LAN:192.168.1.0/24 to RK-LAN:10.150.128.0/24
flags sT idle 0:00:46 timeout 0:00:00
NAT from RK-LAN:0.0.0.0/0 to CTS-LAN:0.0.0.0/0
flags sIT idle 0:00:46 timeout 0:00:00

Best regards

Re: Hide a subnet to another subnet - NAT

gbekmezi — Tue, 15 Dec 2020 15:04:21 GMT

Your static default route isn’t on the same subnet as RK-LAN interface. So that would be an issue if there is an effort to communicate outside the network. Also, it looks like part of the nat configuration line is missing in the output you provided but based on the output of show xlate it looks like that part is configured correctly.

If I were you I would test it before sending it out. You would just need two laptops to test it.

Re: Hide a subnet to another subnet - NAT

Ditlev Weinreich — Tue, 15 Dec 2020 16:46:21 GMT

Hi Gbekmezi

You are right about the default route. It was a mistake.

Thanks a lot.