topic ASA Auto NAT applying two rules in Network Security

ASA Auto NAT applying two rules

mohamed shazly — Tue, 14 Feb 2023 15:48:18 GMT

Dears ;

I have a basic question regarding auto nat .
I have below scenario :
I have asa with two interfaces (inside and outside) (192.168.35.200/24 & 192.168.25.200/24)
i have two Linux machines (192.168.35.68 & 192.168.25.30) and have ASA as GW .
two Linux machines have auto nat configuration.

When I initiate ssh from 192.168.35.68 to 192.168.200.30 ,Does the two auto nat rules will be applied?

object network 192.168.35.68
host 192.168.35.68
object network obj-192.168.25.30
host 192.168.25.30
object network 192.168.35.68
nat (inside,outside) static obj-192.168.200.68
object network obj-192.168.25.30
nat (outside,inside) static obj-192.168.200.30

Re: ASA Auto NAT applying two rules

mohamed shazly — Tue, 14 Feb 2023 15:50:02 GMT

SRC 192.168.35.68 will be source-Natted to 192.168.200.68 And DST 192.168.200.30 will be D-Natted to 192.168.25.30 at a time ??

Re: ASA Auto NAT applying two rules

MHM Cisco World — Tue, 14 Feb 2023 15:52:21 GMT

this need to test I will try run lab and check

Re: ASA Auto NAT applying two rules

Karsten Iwen — Tue, 14 Feb 2023 15:55:32 GMT

Your config doesn't make any sense to me. What exactly do you want to achieve? With RFC1918 on both sides you likely don't need any NAT and can do pure routing and access-control. But if you really want to NAT source and destination at the same time, you should do it with a manual- or twice-NAT config.

Re: ASA Auto NAT applying two rules

mohamed shazly — Tue, 14 Feb 2023 15:57:09 GMT

I have tested it , just need to be sure about it from more experienced engineer .
Below is test :

Try ssh from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68).
Try ping from from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68)
Try ping from from linux machine (192.168.35.68) to Pre-NAT IP (192.168.200.30)
All tests works fine

Fourth :
Show commands==>when Try ping from from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68) :

ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 8
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 8
ciscoasa#

Cleared Nat counters==>When Try ping from from linux machine (192.168.35.68) to Pre-NAT IP (192.168.200.30)
ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 6
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 6
ciscoasa#

Cleared Nat counters===>when Try ssh from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68).
ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 0, untranslate_hits = 1
ciscoasa#

Attached Packet tracer file for ssh connection (not detailed and detailed)

Re: ASA Auto NAT applying two rules

mohamed shazly — Tue, 14 Feb 2023 15:59:38 GMT

@Karsten Iwen
i understand you .
Just need to confirm if two auto nat rules can be applied at time if there is matching traffic

Re: ASA Auto NAT applying two rules

MHM Cisco World — Tue, 14 Feb 2023 16:42:39 GMT

I know what you try to do,
if the client in IN and want to access Server in IN then client must use public IP of Server (instead of private IP) so you need one NAT not two as show below