topic Re: global nat in Network Security

global nat

mickyq — Tue, 12 Mar 2019 02:25:39 GMT

Im using a 5505 asa ver 8.2 between two private networks.

I want to translate all outbound traffic to the outside interface address (pat) which seems fine using:

interface Vlan1

nameif inside

security-level 100

ip address 10.100.70.12 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 172.31.113.6 255.255.255.252

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Inbound traffic has a destination of the outside address of the asa.

I then want to translate all inbound traffic targeting the 172.31.113 6 address so it is directed to a single ip address which is a sip router, 10.100.70.1

so I used;

static (inside,outside) 172.31.113.6 10.100.70.1 netmask 255.255.255.255

The inbound translation does not seem to work.

Is this the right config for the inbound translation?

Re: global nat

Jouni Forss — Wed, 14 Aug 2013 12:41:46 GMT

Hi,

If you configure a Static NAT using the "outside" interfaces IP address it should override the Dynamic PAT to my understanding. The one configured with the "global".

Is there a reason that you need to use the same NAT IP address?

If you need to forward some ports using the same IP address then you would have to use Static PAT

static (inside,outside) tcp interface 10.100.70.1 netmask 255.255.255.255

static (inside,outside) udp interface 10.100.70.1 netmask 255.255.255.255

Naturally you will also need the ACL rules to allow this traffic from "outside" to "inside"

- Jouni

Re: global nat

mickyq — Wed, 14 Aug 2013 13:38:42 GMT

Thanks for the reply Jouni

Subnet A = 10.100.70.0 /24 (my internal nework)

Subnet B = 172.31.113.4 /30 (third party network)

Subnet C = ? (third party network I cant see)

Subnet B connecting the asa outside interface to the other private network has a 30 bit mask so only 2 usable ip addresses. 172.31.113.6 on the outside of the firewall and 172.31.113.5 on the connecting device.

What I need to do is translate outbound traffic from subnet A so it is routable across subnet B to subnet C and visa versa.

I think any easy solution would be to increase subnet B so I have an additional routable ip address. I could then use this address as you suggest above.

static (inside,outside) 172.31.113.7 10.100.70.1 netmask 255.255.255.255

What I want to achieve is any inbound traffic from subnet C is translated to the sip gateway address 10.100.70.1 and any outbound traffic which will come from the sip gateway be translated so its routable back to subnet C

Thanks

-Mick

Re: global nat

Jouni Forss — Wed, 14 Aug 2013 13:49:52 GMT

Hi,

The above examples of Static PAT basically do so that hosts from Subnet C can connect to the interface IP address of Subnet B (172.31.113.6) with the ports used in the configurations.

So you just need to use the "static" commands with the TCP/UDP ports defined and the SIP gateway would be reachable with the IP address 172.31.113.6 on the specified ports from the Subnet C.

So lets take example port TCP/5060 for example and presume Subnet C is 10.10.10.0/24

static (inside,outside) tcp interface 5060 10.100.71.1 5060 netmask 255.255.255.255

The real/mapped address/port would be

10.100.71.1/5060 -> 172.31.113.6/5060 <--> 10.10.10.0/24 <- 10.10.10.0/24

Subnet C would be able to connect using destination IP address 172.31.113.6 on these ports

SIP gateway would use Dynamic PAT IP 172.31.113.6 towards Subnet C hosts when the SIP gateway initiates/opens the connection.

- Jouni

Re: global nat

mickyq — Wed, 14 Aug 2013 13:56:19 GMT

Thanks again Jouni

I understand what you mean now. Ill give this a go and let you know how i get on.

thanks