topic NAT- Change Source and Destination Address in Network Security

NAT- Change Source and Destination Address

Thiago Cella — Tue, 12 Mar 2019 01:24:43 GMT

Hi Firends,

I have the follow scenario:

The server 2.2.2.4 have to access the remote server 4.4.4.4, but follow the situation:

- The source server (2.2.2.4) , only know the remote server (4.4.4.4) with address 3.3.3.4, so when the packet enter the interface inside of ASA, the NAT change the 3.3.3.4 to real address (4.4.4.4);

- The remote server (4.4.4.4), only know address 172.31.0.1 (outside interface of ASA), so the source will be change to 172.31.0.1

How can i change the source to 172.31.0.1 and destination to 3.3.3.4 ?

Obs: ASA has the version 8.2(5) .

Follow Topology:

NAT- Change Source and Destination Address

Jouni Forss — Sun, 07 Apr 2013 01:43:23 GMT

Hi,

Are you labing some setup or is there an actual production environment requirering this type of NAT translations?

I think in general the configuration format would be

object network SOURCE-REAL

host 2.2.2.4

object network DESTINATION-REAL

host 4.4.4.4

object network DESTINATION-MAPPED

host 3.3.3.3

nat (inside,outside) source static SOURCE-REAL interface destination static DESTINATION-MAPPED DESTINATION-REAL

The one obvious effect this would have on the ASA operation is that the host 4.4.4.4 wouldnt be able to make any connections to the actual ASA itself. Manage it by ASDM or SSH and such things since its traffic to the interface would now be forwarded to the internal host as per the NAT rule created.

- Jouni

NAT- Change Source and Destination Address

Jouni Forss — Sun, 07 Apr 2013 01:43:56 GMT

Ah,

Just noticed that you had mentioned you only have ASA version 8.2(5)

- Jouni

NAT- Change Source and Destination Address

Jouni Forss — Sun, 07 Apr 2013 02:23:35 GMT

Hi,

Did a quick test on my 8.2(5) test ASA

I have to say though that I have never tried this or had the need to configure this in an actual production enviroment so I am not sure if it poses some risk/problems that I can think of right now.

I tested the following configuration on my test ASA

I replaced the interfaces names and IPs of my test configuration with your given information.

access-list IN-OUT-INTERFACE extended permit ip host 2.2.2.4 host 3.3.3.3

access-list OUT-IN-INTERFACE extended permit ip host 4.4.4.4 host 172.31.0.1

static (inside,outside) interface access-list IN-OUT-INTERFACE

static (outside,inside) 3.3.3.3 access-list OUT-IN-INTERFACE

- Jouni

NAT- Change Source and Destination Address

Thiago Cella — Sun, 07 Apr 2013 02:55:16 GMT

TKS JouniForss !!!!!

This config is to production enviroment , hehehe.

Doubts:

static (inside,outside) interface access-list IN-OUT-INTERFACE

- In this NAT , what address will be translate to interface address?

static (outside,inside) 3.3.3.3 access-list OUT-IN-INTERFACE

- I didnt understand, this nat, could explain?

Re: NAT- Change Source and Destination Address

Jouni Forss — Sun, 07 Apr 2013 03:43:38 GMT

Hi,

We have to make translation for both endpoints so thats why there is 2 NAT configurations.

access-list IN-OUT-INTERFACE extended permit ip host 2.2.2.4 host 3.3.3.3

static (inside,outside) interface access-list IN-OUT-INTERFACE

access-list OUT-IN-INTERFACE extended permit ip host 4.4.4.4 host 172.31.0.1

static (outside,inside) 3.3.3.3 access-list OUT-IN-INTERFACE

The other configuration will translate the "inside" host and the other will translate the "outside" host

As you can see the first configuration matches traffic from host 2.2.2.4 to host 3.3.3.3 and translates the source to "interface"

For the host 2.2.2.4 to be able to connect to host 3.3.3.3 we will therefore need to translate the host 4.4.4.4 into 3.3.3.3 when traffic is going towards the "interface"

Below is a simple picture of my setup with my base information

When I ping from host 10.10.10.10 to host 1.1.1.1

The following things will happen

Host 10.10.10.10 will be translated to interface IP address 192.168.103.2
Host 1.1.1.1 will be untranslated to IP address 192.168.103.1

Heres the debug from the ASA while the ICMP Echo and Echo Reply messages are going through the ASA

ICMP echo request from LAN:10.10.10.10 to WAN:1.1.1.1 ID=1 seq=1978 len=1272

ICMP echo request translating LAN:10.10.10.10 to WAN:192.168.103.2

ICMP echo request untranslating LAN:1.1.1.1 to WAN:192.168.103.1

ICMP echo reply from WAN:192.168.103.1 to LAN:192.168.103.2 ID=1 seq=1978 len=1472

ICMP echo reply translating WAN:192.168.103.1 to LAN:1.1.1.1

ICMP echo reply untranslating WAN:192.168.103.2 to LAN:10.10.10.10

As you can see, my above described situation is happening

Hope this was helpfull Please remember to rate / Mark the question as answered or ask more if needed

- Jouni

NAT- Change Source and Destination Address

Thiago Cella — Sun, 07 Apr 2013 20:28:02 GMT

Thank you very much , for your explanation!