topic Cisco ASA NAT Problem in Network Security

Cisco ASA NAT Problem

Stuart Stevenson — Tue, 12 Mar 2019 04:37:26 GMT

Hi all,

In my scenario I have a remote server communicating with a private local server open to the world via static NAT.

Remote server: 1.1.1.1
ASA Outside: 2.2.2.2
ASA Inside: 192.168.1.254
Private Server: 192.168.1.100

I have configured static NAT to allow outside connections in to the private server. The private server is a linux host with a default gateway pointing to another device in the LAN on IP address 192.168.1.1.

So as to not add static routes on the linux host pointing towards the ASA for each destination the Private server will be replying to, I am looking to change the Remote servers IP address using NAT during the initial connection.

This would mean the packet has the following details before NAT:

Source IP: 1.1.1.1
Destination IP: 2.2.2.2

After NAT, the packets should have the following details:

Source IP: 192.168.1.254
Destination IP: 192.168.1.100

Rather than:

Source IP: 1.1.1.1
Destination IP: 192.168.1.100

Is this solution possbile on a Cisco ASA?

Many thanks.

Hi, It should be possible. At

Jouni Forss — Wed, 13 Aug 2014 05:45:47 GMT

Hi,

It should be possible. At the moment I am wondering what your ASA software level is though? This is a little simpler to handle in the new ASA softwares (8.3 and above) and the older ones (8.2 and below)

In the new software you would use the following configurations. In your case though I would probably use some free IP address from the subnet 192.168.1.0/24 for this NAT rather than the ASA interface.

object network SOURCE-REAL
host 192.168.1.100

object network SOURCE-MAPPED
host 2.2.2.2

object network DESTINATION-REAL
host 1.1.1.1

object network DESTINATION-MAPPED
host 192.168.1.253

nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static DESTINATION-MAPPED DESTINATION-REAL

This "nat" configuration would do translation to both the source and destination IP address. Looking at the above NAT configuration we would see that traffic coming from DESTINATION-REAL towards SOURCE-MAPPED would have the effect that the SOURCE-MAPPED would get untranslated to SOURCE-REAL and DESTINATION-REAL would get translated to DESTINATION-MAPPED.

Naturally me using the terms SOURCE and DESTINATION in the "nat" configurations might create some confusion depending from which "direction" you are actually looking the situation from. You should naturally use different "object" names to make the configuration easier to read for you. That is if you are using the new software?

Hope this helps 🙂

- Jouni

Hi Jouni,Thanks for that.We

Stuart Stevenson — Wed, 13 Aug 2014 08:05:06 GMT

Hi Jouni,

Thanks for that.

We are currently using ASA 8.2.

I know we're talking about 8.3 here; however would this solution not require every possible destination to be added to the DESTINATION-REAL object? This wouldn't be a problem for us as we only have a small amount of possible DESTINATION-REALs (remote servers only accessible over site-to-site VPN).

I understand the best solution would be to simply change the default gateway on the internal server, just curious if this would be possible in an 8.2 environment without any changes to hosts.