topic Hi Ajay, in Network Security

Static NAT to Outside interface

Afrederick123 — Tue, 12 Mar 2019 09:20:20 GMT

Hi Guys,

I have the following configured: ASA-5506 >>> ROUTER >>> ISP

I have a range of public ip addresses of which the first X.X.X.49 is on the router interface and I need to have .50 traffic go to the ASA. I have already configured the router with a static route to pass all X.X.X.50 traffic to the ASA outside interface using the following:

IP ROUTE X.X.X.50 255.255.255.255 192.168.56.2

But what I'm struggling to configure is the static nat on the ASA. I'm finding lots of documentation on static nat to devices in the DMZ or Inside zones but nothing on how to make the Outside interface accept traffic for an IP address that isn't it's own.

Any ideas welcome.

Please understand the requirement before answering, I need the OUTSIDE interface(IP address 10.0.0.1) to accept traffic for (210.0.0.50)

Hello,

Ajay Saini — Wed, 10 May 2017 13:19:00 GMT

Hello,

Apart from Static NAT, you need to add below command:

arp permit-nonconnected

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a3.html

It will proxy arp on behalf of subnets that are not on ASA and for which NAT is configured.

HTH

-AJ

Hi Ajay,

Afrederick123 — Wed, 10 May 2017 13:34:25 GMT

Hi Ajay,

Thanks for the reply. My question was more "What does the NAT COMMAND look like or what is the NAT COMMAND?"

And possibly would it be easier to do the Natting on the router.

Thanks

ASA will accept any traffic

Ajay Saini — Wed, 10 May 2017 13:48:14 GMT

ASA will accept any traffic that comes on outside interface for 210.0.0.50 provided we have a NAT statement. The NAT statement depends on the requirement here - do you need 210.0.0.50 for PATing inside users trying to access internet or you want a static NAT in order to map some inside/dmz user with 210.0.0.50 to allow inbound connectivity.

Below link, although is a comparison of 8.2 and 8.3 onwards NATs, but it consists of pretty much all possible NATs.

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Let me know the requirement and I can point into right direction.

-AJ

Hi Ajay,

Afrederick123 — Wed, 10 May 2017 15:27:52 GMT

Hi Ajay,

As I stated originally, I need traffic for the 210.0.0.50 IP address to come to the outside interface of the ASA. The traffic will be for the ASA itself. The ASA is inside the edge router as there's no way to terminate ADSL to the ASA hence we put the router at the edge. I am running Anyconnect on the ASA and so need it to receive traffic to the 210.0.0.50 IP address although it has 10.0.0.1 as it's IP address. I can make it no clearer than that. I've tried doing the NAT config on the router:

IP NAT INSIDE SOURCE STATIC 10.0.0.1 255.255.255.255 210.0.0.50

but still no joy.

Hi Afrederick123,

Spooster IT Services — Wed, 10 May 2017 15:39:37 GMT

Hi Afrederick123,

You need to NAT on router and statement should be the following

ip nat inside source static 10.0.0.1 210.0.0.50 extendable

interface <ISP facing interface>

ip nat ouside

interface <ASA facing interface>

ip nat inside

That makes sense. Looks like

Ajay Saini — Wed, 10 May 2017 15:41:43 GMT

That makes sense. Looks like you are intending to use something like a secondary ip address on ASA but unfortunately that is not supported per my understanding.

Others might have some workaround for you.

-AJ

Hey Team Spooster,

Afrederick123 — Wed, 10 May 2017 16:10:22 GMT

Hey Team Spooster,

That done it thanks, looks like I was just a bit out on my router command. Can you explain what the extendable part does please.

Hi Afrederick123,

Spooster IT Services — Wed, 10 May 2017 16:55:09 GMT

Hi Afrederick123,

"extendable" keyword at the end of each NAT command will allow you to have two NAT entries for the same source IP address. Otherwise IOS will not allow that.