topic Source NAT Cisco ASA in Network Security

Source NAT Cisco ASA

Mokhalil82 — Tue, 12 Mar 2019 06:11:31 GMT

I am trying to understand the concept on source NAT (not sure if this is the same as Twice NAT).

So I have attached a sample topology. I am in the process of migrating from watchguard firewalls to cisco ASAs, and during the migration I have come across this issue I am trying to get my head around. Im pretty new to configuring firewalls.

So If external Host A is trying to access my internal Server A via ASA 2, the traffic comes in, but on return it will hit the default gateway on the core switch which points to ASA 1. I was told that I can configure Source NAT, to force that traffic to return via the same firewall which involves natting on the Inside and Outside interfaces.

Just wondering if anyone is able to shed some light on this or knows of a good link.

Thankyou

Hi,Looking into the topology,

Pulkit Saxena — Sat, 27 Jun 2015 20:12:01 GMT

Hi,

Looking into the topology, it seems that we need to get the return traffic go through ASA 2 directly.

For that we need to do source and destination NAT both.

First of all, to answer your question regarding source NAT and twice NAT.

Source NAT simply means to NAT the source IP. For instance, all inside users when go to internet gets translated to outside interface IP.

Twice NAT also called as manual NAT is a feature on code 8.3 and above where in a single NAT statement you can NAT the source and destination both.

In this scenario of your's, the statement's syntax should be like :

nat (outside,inside) source dynamic any interface destination static mapped-ip real-ip .

This will ensure that your return traffic goes to firewall 2.

Some ASA NAT translation links that will be helpful :

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html

Thanks,

Pulkit Saxena

Hi Pulkit, thanks for the

Mokhalil82 — Sun, 28 Jun 2015 10:59:37 GMT

Hi Pulkit, thanks for the response.

I am using asa version 9.3 and currently on ASDM. So am I right in thinking I should configure NAT on both the source interface and destination interface?

What would be my translated source addresses for each. The translated destination I assume will stay the same

Thanks

Hi, There will be a single

Pulkit Saxena — Sun, 28 Jun 2015 11:06:29 GMT

Hi,

There will be a single NAT statement only.

Try going into CLI through ASDM, and apply the NAT statement that I have given above.

In this particular scenario, source will get translated to inside interface IP.

Destination will get translated from the mapped IP to the actual IP.

If you can provide me all actual IP addresses, I can help you with the NAT statement.

Regards,

Pulkit Saxena

Hi PulkitSo addresses are as

Mokhalil82 — Sun, 28 Jun 2015 11:26:46 GMT

Hi Pulkit

So addresses are as follows, example IPs of course

Inside Server 10.10.10.50

ASA2 Inside Int 10.10.10.1

ASA2 Outside Int 88.88.88.254

Outside Host 98.98.98.50

Thanks

Hi, I believe that from

Pulkit Saxena — Sun, 28 Jun 2015 13:37:56 GMT

Hi,

I believe that from outside anyone can connect to your server at 88.88.88.254.

So in that case, the NAT statement will be :

nat (outside,inside) source dynamic any interface destination static 88.88.88.254 10.10.10.50

Ensure that we have already allowed the required traffic through access rule in inbound direction.

This will certainly make it work.

Regards,

Pulkit Saxena

Thanks Pulkit

Mokhalil82 — Mon, 29 Jun 2015 10:23:02 GMT

Thanks Pulkit

Hi Pulkhit,I have got similar

qutub.siddiqui — Mon, 27 Jul 2015 04:44:28 GMT

Hi Pulkhit,

I have got similar kinda issue. But the difference is Real Source (x.x.x.x) and destinations (x.x.x.x) IP's are belong to Same Subnet and NAT already exist to translate destination's subnet IP's to other IP's (y.y.y.y) so they can talk to other networks.

Requirement :

Host 1.1.1.1 in Environment A needs to talk to node (1.1.1.20) in Environment B

Environment B inside interface of ASA (image using 9.13) already translating 1.1.1.20 to 3.3.3.20 using static nat entering from outside interface.

If you have any solution to it let me know.

Warm Regards,