https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951267#M150475 <P>Hi,</P> <P>I have a network existing like this:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/drawing1_31.jpg" class="migrated-markup-image" /></P> <P></P> <P>Now, I have a domain name called "reg.mydomain.com" and will be resolved to 139.254.10.84.</P> <P>I need that domain name pointing to Captive Portal Server (10.241.2.11:38080), so when I access reg.mydomain.com:38080, it will show up the web page from 10.241.2.11:38080.</P> <P>I did the static NAT from Cisco ASA:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/capture_94.jpg" class="migrated-markup-image" />&nbsp;<IMG src="https://community.cisco.com/legacyfs/online/media/capture_95.jpg" class="migrated-markup-image" /></P> <P></P> <P>With the configuration of Static NAT, I can access the 139.255.10.84:38080 which will be translated to 10.241.2.11:38080 from other internet access (with different IP Public of 139.255.10.80/29).</P> <P>But when I tried to access 139.255.10.84:38080 from the user inside firewall (10.241.2.10, which will be NAT PAT to 139.255.10.83 when access to internet), it always timed out. What is configuration that I missing in the Cisco ASA?</P> <P></P> <P>Thank you for your help.</P> <P></P> <P>Regards,</P> <P>Arie</P> Tue, 12 Mar 2019 08:11:07 GMT Arie -- 2019-03-12T08:11:07Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951267#M150475 <P>Hi,</P> <P>I have a network existing like this:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/drawing1_31.jpg" class="migrated-markup-image" /></P> <P></P> <P>Now, I have a domain name called "reg.mydomain.com" and will be resolved to 139.254.10.84.</P> <P>I need that domain name pointing to Captive Portal Server (10.241.2.11:38080), so when I access reg.mydomain.com:38080, it will show up the web page from 10.241.2.11:38080.</P> <P>I did the static NAT from Cisco ASA:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/capture_94.jpg" class="migrated-markup-image" />&nbsp;<IMG src="https://community.cisco.com/legacyfs/online/media/capture_95.jpg" class="migrated-markup-image" /></P> <P></P> <P>With the configuration of Static NAT, I can access the 139.255.10.84:38080 which will be translated to 10.241.2.11:38080 from other internet access (with different IP Public of 139.255.10.80/29).</P> <P>But when I tried to access 139.255.10.84:38080 from the user inside firewall (10.241.2.10, which will be NAT PAT to 139.255.10.83 when access to internet), it always timed out. What is configuration that I missing in the Cisco ASA?</P> <P></P> <P>Thank you for your help.</P> <P></P> <P>Regards,</P> <P>Arie</P> Tue, 12 Mar 2019 08:11:07 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951267#M150475 Arie -- 2019-03-12T08:11:07Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951268#M150476 <P>hi,</P> <P>DNS is UDP port 53.</P> <P>could you change the protocol to UDP instead?</P> Thu, 25 Aug 2016 07:20:21 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951268#M150476 johnlloyd_13 2016-08-25T07:20:21Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951269#M150477 <P>Hi,</P> <P>Thanks for your reply. But, if I'm not using DNS, when I access 139.255.10.84:38080 from inside host (10.241.2.10), it's also not working.</P> <P>If I access&nbsp;<SPAN>139.255.10.84:38080 from other IP public or other outside host, then it's working.</SPAN></P> <P>Do you have any idea how to solve it first?</P> <P>Thank you</P> Thu, 25 Aug 2016 10:29:58 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951269#M150477 Arie -- 2016-08-25T10:29:58Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951270#M150478 <P>Hello Arie,</P> <P></P> <P>There is a couple of things you can do and some of them depend on the version and what you want to achieve. You can configure dns inspection so that the ASA would change the dns reply so that when the end host resolves the URL he gets the real (private) IP of the server.</P> <P>Also you can configure the ASA to do a twice NAT which would basically make the ASA change the destinations from 139.254.10.84 ----&gt; 10.241.2.11 but the configuations for this would depend on the version you are currently running.</P> <P></P> <P>Care to tell us what is the version?</P> <P></P> <P>Regards,</P> <DIV id="profile-userpic" class="span2"></DIV> <DIV id="profile-user-header"> <DIV id="profile-user-membership"> <H1 class="fullname"></H1> </DIV> </DIV> Thu, 25 Aug 2016 20:09:16 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951270#M150478 ccorreap 2016-08-25T20:09:16Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951271#M150479 <P>Hi,</P> <P>The ASA Version is 9.4(2)11.</P> <P>About twice NAT, so the first NAT is 10.241.2.11 ---&gt; 139.254.10.84 and then the second NAT is from 139.254.10.84 ---&gt; 10.241.2.11, is this correct?</P> <P>If I do a twice NAT, what configuration do I need to do?</P> <P></P> <P>Thank you</P> <P>Arie</P> Fri, 26 Aug 2016 01:41:25 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951271#M150479 Arie -- 2016-08-26T01:41:25Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951272#M150480 <P>Hello Arie,</P> <P></P> <P>A twice NAT, basically speaking would change both the source AND destination of the packet for example:</P> <P></P> <P>Original Pkt: Src:10.241.2.2 // Dst:139.254.10.84</P> <P>NATed Pkt:&nbsp;&nbsp; Src: ASA "inside interface IP" // Dst: 10.241.2.11</P> <P>The source change is necessary as this type of scenarios generally cause asymmetric routing.</P> <P></P> <P>In this case and if I understand correctly both the Client and the server would be located behind the inside interface; so the command "same-security-traffic permit intrainterface" is required as the traffic would be coming in and out the same interface.</P> <P></P> <P>Hence the NAT would look something like this:</P> <P>object network obj-10.241.2.0_24</P> <P>subnet 10.241.2.0 255.255.255.0</P> <P>!</P> <P>object network obj-10.241.2.11</P> <P>host 10.241.2.11</P> <P>!</P> <P>object network obj-139.254.10.84</P> <P>host 139.254.10.84</P> <P>!</P> <P>Nat (inside,inside) source dynamic obj-10.241.2.0_24 interface destination obj-139.254.10.84 obj-10.241.2.11</P> <P>!</P> <P>same-security-traffic permit intrainterface</P> Mon, 29 Aug 2016 16:58:22 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951272#M150480 ccorreap 2016-08-29T16:58:22Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951273#M150481 <P>Hi <A href="https://supportforums.cisco.com/users/ccorreap" title="View user profile." class="username" lang="" about="/users/ccorreap" typeof="sioc:UserAccount" property="foaf:name" datatype="">ccorreap</A>,</P> <P>It's work! Thank you very much for your guidance.</P> <P></P> <P>Regards,</P> <P>Arie</P> Wed, 31 Aug 2016 03:09:07 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951273#M150481 Arie -- 2016-08-31T03:09:07Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951274#M150482 <P>Hi,</P> <P>I have implemented that configuration this morning and the afternoon I found out that the CPU utilization of ASA increase till 97%. Does that twice-NAT consume high CPU resource?</P> <P>I have removed the configuration to see the CPU utilization and I found out the CPU utilization about 27%.</P> <P>Thank you</P> <P>Arie</P> Wed, 31 Aug 2016 09:05:15 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951274#M150482 Arie -- 2016-08-31T09:05:15Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951275#M150483 <P>Hi Arie,</P> <P></P> <P>Are you currently having the high CPU with the config in place? U turning can cause high CPU, but that would depend on what type of inspections is the ASA doing.</P> <P></P> <P>Let me know,</P> <P>Carlos</P> Wed, 31 Aug 2016 21:16:52 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951275#M150483 ccorreap 2016-08-31T21:16:52Z https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951276#M150484 <P>Hi,</P> <P>Yes, I'm having the high CPU with the config in place. When I delete the config, it becomes normal.</P> <P>I use the default inspection in the ASA:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/inspection1.jpg" class="migrated-markup-image" /></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/inspection2.jpg" class="migrated-markup-image" /></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/inspection3.jpg" class="migrated-markup-image" /></P> <P>Thank you</P> Thu, 01 Sep 2016 02:39:41 GMT https://community.cisco.com/t5/network-security/network-address-translation-on-asa/m-p/2951276#M150484 Arie -- 2016-09-01T02:39:41Z