topic NAT a local IP to a WAN IP in Network Security

NAT a local IP to a WAN IP

TECH-JEFF — Tue, 12 Mar 2019 07:26:31 GMT

I know this sounds simple for others, its just that I'm not a Cisco ASA user ever since. What do I use? by the way, I'm using the Cisco ASDM in configuring. Do I use?

Add Static NAT Rule, Dynamic NAT Rule, NAT Exempt Rule, NAT Policy Rule, Dynamic Policy NAT Rule?

The purpose of my natting is that if I perform NAT of a local IP to a WAN IP, I can do RDP using his WAN IP.

Thanks

Jeff

What version of code is

jj27 — Sat, 05 Mar 2016 07:58:41 GMT

What version of code is running on the ASA?

If 8.3 or later, this will accomplish what you need. Use the command line to edit.

object network outside-SERVER
host 1.2.3.4
object network inside-SERVER
host 10.1.1.1
nat (inside,outside) static outside-SERVER

Replace outside-SERVER with what you want the object to be named and replace inside-SERVER with what you want the object to be named.

Replace 1.2.3.4 with the WAN IP you want to use and 10.1.1.1 with the LAN IP you want to use.

Yes, actually that is what

TECH-JEFF — Sat, 05 Mar 2016 08:14:13 GMT

Yes, actually that is what differs. We have 2 Cisco ASA, one that I'm trying to configure is 8.2 which is different from the other Cisco ASA which has a version 9.1

I tried to imitate the setup via asdm but totally different method to setup. The one I'm having issues right now is the version 8.2

Actually, I just forgot to update ahead. I was already able to NAT'ed it via the local IP. My next problem now is that it doesn't passes thru the access rule I've created specifically for this IP.

Is there a way to trace which policy I'm currently running or following？

Thanks

Jeff

So you're saying the NAT to

jj27 — Sat, 05 Mar 2016 08:17:04 GMT

So you're saying the NAT to the public IP is working on 8.2 code, but access into the system is not working through your access list.

Send the output of the following. Please change any public IP addressing information or mask it out with x.x.x.x.

show run access-group
show run access-list
show run static
show run nat

Sorry for the confusion. I

TECH-JEFF — Sat, 05 Mar 2016 09:45:37 GMT

Sorry for the confusion. I didn't use the code you've provided which made the NAT successful, instead using ASDM, I was able to successfully NAT'ed it.

I'll try to send the output in a few minutes after this reply.

Thanks JJohnston

Have a great weekend.

Jeff

Ok, I think I saw the issue

TECH-JEFF — Mon, 07 Mar 2016 01:27:32 GMT

Ok, I think I saw the issue why access rules are not working. Sorry jjohnston, I might confuse you more because of the complicated setup in this office. To simplify, here's my case:

We have 2 ISP's, I'll name this as ISP1 and ISP2.

I saw a default route of 0.0.0.0 0.0.0.0 ISP1 metric 1(so this makes sense in our office browsing, etc)

I saw another default route of 0.0.0.0 0.0.0.0 ISP2 metric 5(so I assume this could be their previous backup ISP in case ISP1 goes down)

Here are the results for the following commands:

show run access-group

fw-01# show running-config access-group
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside-ISP2
access-group outside-etpi_access_in in interface outside-ISP1
access-group management_access_in in interface management
fw-01#

show run access-list

fw-01# show running-config access-list
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip host Test_bypass host ISP2
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list inside_mpc_1 extended permit ip any vlan0090 255.255.255.0
access-list global_mpc extended permit ip any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit icmp any any
access-list outside-etpi_access_in extended permit ip any host ISP1
access-list outside-etpi_access_in extended permit ip any any
access-list inside_nat_outbound extended permit ip any <another ISP not in local datacenter>x.x.x.x
access-list ra_vpn_access_in extended permit tcp any any eq ssh
access-list ra_vpn_access_in extended permit tcp any any eq https
access-list inside_mpc extended permit ip vlan0090 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any vlan0120 255.255.255.0
fw-01#

show running-config static

fw-01# show running-config static
static (inside,dmz) inside-network inside-network netmask 255.255.0.0
static (dmz,outside-ISP1) x.x.x.x <dmz ip> netmask 255.255.255.255
static (dmz,outside-ISP1) x.x.x.x <dmz ip> netmask 255.255.255.255
static (dmz,outside-ISP2) x.x.x.x <dmz ip> netmask 255.255.255.255
static (inside,outside-ISP1) x.x.x.x Test-Yee netmask 255.255.255.255
fw-01#

FYI: ignore the dmz for the moment. The Test-Yee is initial problem I had in doing NAT'ed IP and was successful

show run nat

fw-01# show running-config nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 2 0.0.0.0 0.0.0.0
fw-01#

These are all the results of the commands.

Thanks

Jeff

Ok, I think I saw the issue

TECH-JEFF — Mon, 07 Mar 2016 01:28:09 GMT

Ok, I think I saw the issue why access rules are not working. Sorry jjohnston, I might confuse you more because of the complicated setup in this office. To simplify, here's my case: We have 2 ISP's, I'll name this as ISP1 and ISP2. I saw a default route of 0.0.0.0 0.0.0.0 ISP1 metric 1(so this makes sense in our office browsing, etc) I saw another default route of 0.0.0.0 0.0.0.0 ISP2 metric 5(so I assume this could be their previous backup ISP in case ISP1 goes down) Here are the results for the following commands: show run access-group fw-01# show running-config access-group access-group inside_access_in in interface inside access-group dmz_access_in in interface dmz access-group outside_access_in in interface outside-ISP2 access-group outside-etpi_access_in in interface outside-ISP1 access-group management_access_in in interface management fw-01# show run access-list fw-01# show running-config access-list access-list inside_access_in extended permit icmp any any inactive access-list inside_access_in extended permit ip any any access-list outside_access_in extended permit ip host Test_bypass host ISP2 access-list dmz_access_in extended permit ip any any access-list dmz_access_in extended permit icmp any any access-list inside_mpc_1 extended permit ip any vlan0090 255.255.255.0 access-list global_mpc extended permit ip any any access-list management_access_in extended permit ip any any access-list management_access_in extended permit icmp any any access-list outside-etpi_access_in extended permit ip any host ISP1 access-list outside-etpi_access_in extended permit ip any any access-list inside_nat_outbound extended permit ip any x.x.x.x access-list ra_vpn_access_in extended permit tcp any any eq ssh access-list ra_vpn_access_in extended permit tcp any any eq https access-list inside_mpc extended permit ip vlan0090 255.255.255.0 any access-list inside_nat0_outbound extended permit ip any vlan0120 255.255.255.0 fw-01# show running-config static fw-01# show running-config static static (inside,dmz) inside-network inside-network netmask 255.255.0.0 static (dmz,outside-ISP1) x.x.x.x netmask 255.255.255.255 static (dmz,outside-ISP1) x.x.x.x netmask 255.255.255.255 static (dmz,outside-ISP2) x.x.x.x netmask 255.255.255.255 static (inside,outside-ISP1) x.x.x.x Test-Yee netmask 255.255.255.255 fw-01# FYI: ignore the dmz for the moment. The Test-Yee is initial problem I had in doing NAT'ed IP and was successful show run nat fw-01# show running-config nat nat (inside) 0 access-list inside_nat0_outbound nat (inside) 2 access-list inside_nat_outbound nat (inside) 2 0.0.0.0 0.0.0.0 fw-01# These are all the results of the commands. Thanks Jeff