topic Re: Having a NAT Problem in Network Security

Having a NAT Problem

brian.emil.harris — Wed, 09 Jun 2021 18:24:26 GMT

So, in this particular configuration, I have an ASA connected to a cable modem, providing me a single static IP.

Cable modem gateway - 1.1.1.2 /30
ASA interface "outside" - 1.1.1.1 /30

I have a DMZ setup, with a single device in it:

ASA interface "dmz" - 2.2.2.1 /30
DMZ device - 2.2.2.2 /30

I need to allow the device in the DMZ to establish an IKEv2/IPSEC tunnel to AWS, and allow AWS to establish the same to the device.

When I try to Static NAT 2.2.2.2 to 1.1.1.1, the ASA won't let me:

[ERROR] nat (dmz-device,outside) static outside-IP
Address 1.1.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

What am I doing wrong in my NAT config / how do I properly NAT this?

Thank you!

Re: Having a NAT Problem

Rob Ingram — Wed, 09 Jun 2021 18:30:10 GMT

@brian.emil.harris try this, use "interface".

object DMZ-DEVICE
 host 2.2.2.2
 nat (dmz,outside) static interface

Re: Having a NAT Problem

brian.emil.harris — Wed, 09 Jun 2021 20:03:00 GMT

Thank you!

Should I be able to successfully packet-tracer this?

Specifically, from the peer IP of the AWS to the external IP/NAT of the interface, udp/500 and see it unwrap and send to the 2.2.2.2 host?

Because my packet-tracer is failing after the ACCESS-LIST, drop by implicit rule...

Re: Having a NAT Problem

Rob Ingram — Wed, 09 Jun 2021 20:20:58 GMT

Yes you can, you need to use the NAT ip address as the destination rather than the real IP address. Provide the output of the CLI for review.

How is your inbound ACL configured?

FYI, You'll also not be able to terminate a VPN on the outside interface as udp/500 is now in use by the NAT object.

Re: Having a NAT Problem

brian.emil.harris — Wed, 09 Jun 2021 21:22:57 GMT

Alright, so, issuing the NAT command as:

object network dmz-device
nat (dmz,outside) static interface

gives me:

[WARNING] nat (dmz,outside) static interface
All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

No problems there.

Packet tracer now works:

packet-tracer input outside udp 3.3.3.3 500 4.4.4.4 500 det

Packet allowed. I don't know why it wasn't. I blew away the NAT, recreated it, and just re-attemped the packet-tracer, and everything works as expected.

I'm going to leave it alone.

Thanks for the caveat about not being able to establish a VPN on that interface. That shouldn't be a problem. I've got another interface that all of my other S2S tunnels are on, this particular one involves a vendor's "closed" system necessitating the dedicated cable modem link/interface and using their device sitting in my DMZ as the VPN peer for that setup.

Thank you again!!!