topic NAT server access through a public IP in Network Security

NAT server access through a public IP

Carlos Yahir Ramirez Huerta — Tue, 12 Mar 2019 02:45:45 GMT

Hi, I have a ASA 5550 with a ios version 9. This ASA has a public ip to give access to the inside users (NAT overload) and it has an other public ip to do a static nat to connect the outside users with a server inside of the network (http).

All works great but now, I need to achieve that if I am in the inside segment, I can access to the server but with the public ip.

for example.

I am connected in the inside network, I have a 192.168.115.80 and the server has the 192.168.115.33, If I browse the server with the 192.168.115.33, I get access to the server.

But now, instead of browse with the private ip (192.168.115.33) I want to browse with the public ip that I use to permit public user to get access.

are there any feature to do this?

Thanks!!!!

NAT server access through a public IP

Jouni Forss — Tue, 01 Oct 2013 18:45:30 GMT

Hi,

It requires you to configure a bit unusual NAT configuration and you will also have to confirm that you have a certain setting enabled.

So first you will have to confirm that you have the configuration "same-security-traffic permit intra-interface". You can show the settings with "show run same-security-traffic" command for example. This command/setting will allow the ASA to have a connection incoming and leaving through the same interface. In this case that interface would seem to be "inside".

The actual NAT configuration will be between the "inside" and "inside" interface. It will both translate the source address of the user to the "inside" interface IP address (server will see connection coming from the ASA interface IP address rather than the host directly. This is important for traffic to flow correctly with regards to the ASA) and also do the Static NAT required by the server.

Here is a NAT configuration that should work for your situation

object network SERVER-PUBLIC

host 1.1.1.1

object network SERVER-LOCAL

host 192.168.115.33

object network LAN

subnet 192.168.115.0 255.255.255.0

nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

NAT server access through a public IP

Carlos Yahir Ramirez Huerta — Tue, 01 Oct 2013 21:08:44 GMT

Hi JouniForss thanks for your help.

I applied the comands like you said, but I can not connect yet.

I have the "same-security-traffic permit intra-interface" command and these are my nat and objects:

object network www

host 192.168.115.32

object network ip_publica_servicios

host 187.157.145.182

object network 115

subnet 192.168.115.0 255.255.255.0

object-group network Internet

description Vlans permitidas a internet

network-object 192.168.111.0 255.255.255.0

network-object 192.168.112.0 255.255.255.0

network-object 192.168.115.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

nat (inside,outside) source dynamic Internet interface

nat (inside,outside) source static any any destination static usuarios_vpn usuarios_vpn no-proxy-arp route-lookup

nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www

object network www

nat (inside,outside) static ip_publica_servicios service tcp www www

Do you think that the other nat can cause the problem?

NAT server access through a public IP

Jouni Forss — Tue, 01 Oct 2013 21:16:34 GMT

Hi,

The problem is with the order of the NAT configurations.

You have 2 options to make this work

Remove the command you just added and add it with a line number so its at the top of the NAT rules
Remvoe your Dynamic PAT rule for all users and enter it in a new format so it doesnt cause problem for the NAT configuration I suggested. This option will naturally cause a small outage to Internet users behind the ASA while the first option doesnt cause this.

I would rather use the second option though you might want to use the first if you dont want to cause any problems for Internet users (even though its a small outage in the connections)

First option can be done in the following way

no nat (inside,inside) source dynamic 115 interface destination static ip_publica_servicios www

nat (inside,inside) 1 source dynamic 115 interface destination static ip_publica_servicios www

The second option which I prefer would be done in this way

no nat (inside,outside) source dynamic Internet interface

nat (inside,outside) after-auto source dynamic Internet interface

The reason why I prefer removing the Dynamic PAT for Internet users and changing its configuration format is because at its current form its overriding all other NAT configurations because its configured as the higher priority NAT configuration which it really shouldnt be. By adding the "after-auto" the Dynamic PAT will still work for all the LAN users but wont interfere with the other NAT configurations like its doing now

Hope this clarifies the situation

- Jouni