topic Re: NAT Internet IP to private IP in Network Security

NAT Internet IP to private IP

Difan Zhao — Tue, 12 Mar 2019 01:18:42 GMT

Hi experts,

I have a server with IP address 10.10.10.10/24. I have two ISPs and their public IP address subnets are 1.1.1.0/25 and 2.2.2.0/25. The gateways are ASA 8.0 and ASA 8.4.

I am getting rid of the 1.1.1.0/25 ISP. However I will need the Internet users to be able to access the server via both ISPs at the same time. The only way I can think of is to do policy based dynamic PAT so the Internet user IPs will be translated into an internal IP. Please have a look at my diagram and let me know if my config looks right to you.

Idealy, users connecting on 1.1.1.10 will be PAT to 10.1.1.10 and users connecting to 2.2.2.10 will be PAT to 10.2.2.10. When the server responds to them, it will then route to the correct ASA...

----- ASA8.0 -----

static (inside,outside) 1.1.1.10 10.10.10.10 netmask 255.255.255.255

access-list ACL_NAT permit ip any host 10.10.10.10 (or 1.1.1.10??)

nat (outside) 2 access-list ACL_NAT

global (inside) 2 10.1.1.10

----- ASA8.4 -----

object network server

host 10.10.10.10

nat (inside,outside) static 2.2.2.10

object network obj-10.2.2.10

host 10.2.2.10

object network obj-2.2.2.10

host 2.2.2.10

nat (outside,inside) source dynamic any obj-10.2.2.10 destination static obj-2.2.2.10 obj-10.2.2.10

Thanks!!

Re: NAT Internet IP to private IP

malshbou — Sat, 23 Mar 2013 20:28:15 GMT

Hi Difan,

The configuration seems good except the last NAT statement:

>> nat (outside,inside) source dynamic any obj-10.2.2.10 destination static obj-2.2.2.10 obj-10.2.2.10

the correct statement is :

nat (outside,inside) source dynamic any obj-10.2.2.10

or you can make the outside NAT conditional to the server only:

nat (outside,inside) source dynamic any obj-10.2.2.10 destiantion server server

because when executing this NAT statement, the destination IP will be the private IP of the server (10.10.10.10)

Hope this helps

Mashal

Re: NAT Internet IP to private IP

kyky.reuangrith — Sat, 23 Mar 2013 20:41:39 GMT

Thank you Mashal! I am in a rush to get it to work so I also opened a tac case but haven't got a call back yet...

It still doesn't work... I tried both mine and yours. Right now it doesn't translate either source nor destination IP address... I am lack of ways to test so I can only do capture on the inside interface. The packets I see are with the real internet IPs of both source and destination... Help please

Thanks,

Difan

Re: NAT Internet IP to private IP

Difan Zhao — Sat, 23 Mar 2013 20:43:32 GMT

oops... sorry I used my customer's account to reply... Same person lol

Re: NAT Internet IP to private IP

malshbou — Sat, 23 Mar 2013 21:01:38 GMT

Hi,

the best thing to help in such cases is the packet-tracer command to simulate real traffic.

packet-tracer input outside icmp 4.2.2.2 8 0 1.1.1.10

packet-tracer input outside icmp 4.2.2.2 8 0 2.2.2.10

please share the output of the previous commands, also please check with "outside" keyword after nat (outside) 2 access-list ACL_NAT.

i guess ACL_NAT should have the private IP as destination since UNNAT phase comes before source NAT, so the destination IP will be the private one by then. However, the packet-tracer should show the actual flow and phases that occur.

Hope this helps

Mashal

Re: NAT Internet IP to private IP

Difan Zhao — Sat, 23 Mar 2013 21:13:20 GMT

Clearly in my example I was not using the real IP addresses... The output below shows the real addresses and names that I use in the config.

Here is my real config.

object network Prod-226

host 10.26.231.226

object network Prod-226-NAT-Outside

host 209.153.235.226

object network Prod-226-NAT-Inside

host 10.26.1.226

nat (outside,inside) source dynamic any Prod-226-NAT-Inside destination static Prod-226 Prod-226

Here is the packet-tracer output

fw-cg-01# packet-tracer input outside icmp 4.2.2.2 8 0 209.153.235.226

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network Prod-226

nat (inside,outside) static 209.153.235.226

Additional Information:

NAT divert to egress interface inside

Untranslate 209.153.235.226/0 to 10.26.231.226/0

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Looks like it is some sort of ACL problem... Do I need an ACL on my inside interface??

Thanks!

Re: NAT Internet IP to private IP

malshbou — Sat, 23 Mar 2013 21:26:19 GMT

if the traffic originates from a low security level to a higher security level, then you need an ACL that permits this traffic applied at the low secuity level interface.

in 8.3 and later versions, you need to use the destination IP as the real IP (private).

Mashal

Re: NAT Internet IP to private IP

Difan Zhao — Sat, 23 Mar 2013 21:50:24 GMT

You got it... Actually what happened is that I removed my old ACL since I realized that I should use the real IP instead of the mapped ones... However I forgot to put the access-group back on... Now it is working fine now. Thanks!