topic Nat'ing Lan subnet in Network Security

Nat'ing Lan subnet

gtorresjr77 — Tue, 12 Mar 2019 03:00:16 GMT

I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)

code version is 821

name 2.2.2.2 External_IP

name 172.31.196.0 Local_xlated

I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP

Re: Nat'ing Lan subnet

Jouni Forss — Mon, 04 Nov 2013 22:50:02 GMT

Hi,

Do you mean that your software level is 8.2(1)? You should see the mentioned information with the "show version" command.

If that is your software level then you would be using the older NAT configuration format and not the one you have mentioned in the post. The above configuration seems to be of the new format that came in the 8.3+ software versions.

You would essentially be configuring a Static Policy NAT with the help of "access-list" and "static" command.

For example this

access-list L2LVPN-POLICYNAT remark Static Policy NAT for L2L VPN

access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2

static (inside,outside) 172.31.196.0 access-list L2LVPN-POLICYNAT

This should achieve what you are attempting.

In other words, when the source network is 192.168.1.0/24 and the destination for the connection is host 2.2.2.2 then translate the source network 192.168.1.0/24 to NAT network 172.31.196.0/24.

Since this is the older NAT configuration format there might be one thing you should consider. If any host on the "inside" network of 192.168.1.0/24 has a Static NAT configured to the "outside" then you might have to remove that Static NAT and re-enter if after you have added the above configuration.

The reason for the above suggestion is the fact that if you have an existing Static NAT for a host on 192.168.1.0/24 network towards "outside" then that Static NAT will keep overriding the Static Policy NAT. This is because the Static NAT is configured before the Static Policy NAT. Removing and re-entering the Static NAT would essentially enter it after the new Static Policy NAT and everything should be ok.

Hope this helps

Let us know if this works for you.

Feel free to ask more if needed.

- Jouni

Re: Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 00:10:56 GMT

So any static statements only with (inside,outside) should be removed and rentered?

if there's a static statement with (inside, backup), that doesn't need to be?

yes, i did mean 8.2(1).

Re: Nat'ing Lan subnet

Julio Carvajal — Tue, 05 Nov 2013 00:38:40 GMT

Hello,

If u are using dual Outside Interfaces, then you must assigned it to that backup interface in case the primary goes down!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Re: Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 01:41:20 GMT

I believe the remote end is only pointing to the primary IP though in the site to site. But I can add the backup NATing as well in case that is changed.

I believe the client did not want to pay for more memory in order to update the code, which is why it's still at that version.

Thanks

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 07:31:01 GMT

Hi,

If your L2L VPN are built only through the primary "outside" interface then you only need to configure the Static Policy NAT for the primary "outside" interface.

You dont necesarily have to do anything more than configure the above Static Policy NAT. Though you might find that hosts/servers with their own Static NAT to a public IP address might not be able to access the remote network because of that existing Static NAT. For those you would then have to make the change in the order of the NAT configurations.

Hope this helps

Please do remember to mark a reply as a correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Re: Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 14:00:18 GMT

ok thanks,

just to clarify, the NAT'ing will be both directions? The remote network will see the 192.168.1.0 network as

172.31.196.0?

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 14:04:00 GMT

Hi,

Yes, the the NAT rule is bidirectional as long as it matches the ACL.

Traffic from LAN 192.168.1.0/24 towards host 2.2.2.2 will be NATed to 172.31.196.0/24

Traffic from host 2.2.2.2 towards 172.31.196.0/24 will be UN-NATed to 192.168.1.0/24

Hope this helps

- Jouni

Re: Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 14:47:06 GMT

I received an error when i removed the static statements and reentered them. stating the local lan was already NAT'ed to the 172.31.196.0

I did as you said. entered, the access-list and static. removed the static statements and tried to re-add them. I reverted back.

I am going to see if we can update the code. Where do I find the memory requirements for asa913-k8? This asa currently has 256MB

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 14:50:56 GMT

Hi,

Yes, it will probably give you an error message.

Did you check if both "static" configurations were there after the removing and adding the normal Static NAT?

It should work since I have used it even in our own network.

When you have both of them configured you can use "packet-tracer" to confirm that the rule works as it should

packet-tracer input inside tcp 192.168.1.100 12345 2.2.2.2 80

packet-tracer input inside tcp 192.168.1.100 1.1.1.1 80

These should provide 2 different translations. You can share the output with us if you want us to chech through them. It should work.

- Jouni

Re: Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 15:19:13 GMT

I am trying to ping from asa and every result is ?????

i tried specifying the interface. I have the tunnel enabled through asdm but don't see it up in monitoring.

This ping issue was prior to any changes from what we are working on.

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 15:22:02 GMT

Hi,

I doubt the ASA will apply any translation to any traffic you generate from it.

The "packet-tracer" commands I provided should tell us exactly what translation is applied to the traffic.

To actually test the traffic you will have to use an actual host in the network 192.168.1.0/24

- Jouni

Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 15:34:22 GMT

ok, i was just wondering why i couldn't ping anything from asa like even an internal IP.

packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53

packet-tracer input inside tcp 192.168.1.6 53 173.220.117.20 53

is this a valid test?

there's a static nat for 1.6 inside,outside for 53 so this two statements should have different results correct? if this is a valid test, i'll perform and show you the results.

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 15:39:21 GMT

Hi,

If the IP address 173.220.117.20 is an IP address used in the Static Policy NAT ACL as the destination IP address then these should be the correct commands to simulate and test the NAT behaviour

- Jouni

Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 16:26:56 GMT

eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) MC_Local_xlated access-list L2LVPN-POLICYNAT

match ip inside 192.168.1.0 255.255.255.0 outside host External_IP

static translation to MC_Local_xlated

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (External_IP [Interface PAT])

translate_hits = 24686918, untranslate_hits = 1904674

Additional Information:

Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 32668832, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

eluciasa(config)#

Nat'ing Lan subnet

gtorresjr77 — Tue, 05 Nov 2013 16:27:29 GMT

eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 173.220.117.20$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in External_IP 255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

eluciasa(config)#

Nat'ing Lan subnet

Jouni Forss — Tue, 05 Nov 2013 16:32:51 GMT

Hi,

Seems the "packet-tracer" that is supposed to hit the Static Policy NAT is targeting your actual interface IP address?

If we are talking about a Static Policy NAT for a L2L VPN connection then you would naturally need to be targetting any IP address that is at the remote end. That same target IP address (all of them) should also be mentioned in the Static Policy NAT configurations "access-list"

Seems that you are either targetting the wrong IP address or there has been some greater missunderstanding what you are trying to achieve.

We are trying to confirm that when traffic from your LAN 192.168.1.0/24 goes towards the remote host 2.2.2.2 behind L2L VPN connection then its source address will be translated to the NAT IP address from network 172.31.196.0/24

Seems the first "packet-tracer" matches your usualy Dynamic PAT configuration.

- Jouni