topic ASA 8.4 NAT subnets to 1 IP Address in Network Security

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Tue, 12 Mar 2019 00:45:33 GMT

Hello guys,
I'm wondering if this is possible on an ASA.
I know it is possible on a router (i think)

Currently have a Outside interface with public address:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2

I already have one to one NATing going on from inside to outside

e.g:
object network test
nat (inside,outside) static 10.1.1.3 dns

Proposal.

new interface:

int g1/1

nameif inside2

ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

object network test2_range

range 172.16.1.3 172.16.1.254

object network test2_range

nat (inside2,outside) static 10.1.1.4 dns

will this work? i.e IP Address range from 172.16.1.3 - 254 will NAT to 10.1.1.4?
I want the subnet to share 1 IP Address. is this possible?
Thanks

ASA 8.4 NAT subnets to 1 IP Address

varrao — Fri, 11 Jan 2013 01:34:22 GMT

Hi,

The nat that you are trying to do is only one to one nat, and it cannot be one to many. You cannot use static command for it. If it is to be one to many then you would have to use dynamic keyword for it, which would be your port address translation.

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Fri, 11 Jan 2013 13:19:28 GMT

Hi Varun,

So in this example I would use:

object network test2_range

subnet 172.16.1.0 255.255.255.0

nat (inside2,outside) dynamic 10.1.1.4 dns

Thanks

ASA 8.4 NAT subnets to 1 IP Address

Jouni Forss — Fri, 11 Jan 2013 13:25:36 GMT

Hi,

I would suggest the following configuration format for Default PAT configurations

This will make them NAT rules that are matched for traffic as the very last ones which they usually should be.

The names and IPs/networks used below are just examples. Object/Object-group names are best configured with more descriptive names.

Using the "outside" interface for PAT

object-group network DEFAULT-PAT-SOURCE

description Source Networks for PAT

network-object 10.10.10.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Using a separate public IP address for PAT

object-group network DEFAULT-PAT-SOURCE

description Source Networks for PAT

network-object 10.10.10.0 255.255.255.0

object network PUBLIC

host x.x.x.x

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC

- Jouni

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Sun, 13 Jan 2013 12:34:03 GMT

Hi Jouni,
Thank you for your reply.

If I use your example no2 - Using seperate public IP address for PAT

the outcome would be any address in the /24 range will be PATted to the configured PUBLIC IP Address host?

object-group network DEFAULT-PAT-SOURCE

description Source Networks for PAT

network-object 10.10.10.0 255.255.255.0

object network PUBLIC

host 1.2.3.4

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC

e.g Outcome:
10.10.10.55 -> 1.2.3.4:525252
10.10.10.213-> 1.2.3.4:35865

Is this correct in understanding this?

Thanks

ASA 8.4 NAT subnets to 1 IP Address

Jouni Forss — Sun, 13 Jan 2013 12:41:28 GMT

Hi,

Yes, that is correct. All users in network 10.10.10.0/24 would be sharing the IP address configured under object PUBLIC as their PAT address towards Internet.

- Jouni

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Sun, 13 Jan 2013 12:44:19 GMT

Hi Jouni,

Awesome Thanks for your reply, I will let you know how the change goes later on!

Many Thanks!

ASA 8.4 NAT subnets to 1 IP Address

Kureli Sankar — Sun, 13 Jan 2013 15:20:11 GMT

JDMJeffy84,

I believe you would greatly benefit from my upcoming webcast. Details below. I will be disucssing the old and new NAT syntax.

https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts

Upcoming Live Webcast in English: January 15, 2013

Troubleshooting ASA and Firewall Service Modules

-Kureli

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Mon, 14 Jan 2013 21:13:49 GMT

Worked all fine Jouni! But I have an issue and I have tried ways fixing this.

I have two inside LANs

192.168.50.x (VLAN 50) & 192.168.100.x (VLAN 100)

VLAN 50 has PAT 192.168.50.0/24 to 1.2.3.4

VLAN 100 has 1 to 1 NATS

They hit ASA and NAT on outside interface
int g0/0
nameif outside
security-level 0

ip add 1.2.3.0 255.255.255.0

My issue is I have a webserver sitting in VLAN 100 in DMZ (192.168.100.5 -> NAT 1.2.3.50)
Traffic from VLAN 50 will traverse internal to ASA and out the Internet and into OUTSIDE interface of the ASA.

At this bit the ASA sends travel back to VLAN 50 (used packet tracer and looked at syslog)

So if I understand how ASA process packets:
Client on VLAN 50 - 192.168.50.200 - http://1.2.3.50

This will go to ASA and PAT to Outside Interface - 192.168.50.200 -> 1.2.3.4:50501

Go internet and loop back to Outside interface

NAT back to 192.168.50.200

But I cannot access the webserver - Page timeout on web browser

I have tried putting rules on Outside interface but no luck

I know it's a wierd setup

Thanks

ASA 8.4 NAT subnets to 1 IP Address

Jouni Forss — Mon, 14 Jan 2013 21:27:17 GMT

Hi,

So if I understood you correctly

You now have a PAT for your other Vlan towards "outside"
You now have 1:1 Static NATs for servers from other Vlan towards "outside"
You want to access the Web server(s) from the other Vlan but arent succeeding in it

This is a pretty common problem people run into

Since your host attempting the Web server connection using the public/NAT IP address is behind the ASA, it CANT use the public IP address. You should use the local address of the Web server rather than the Public NAT IP address.

If this is not possible I guess you could try to do the 1:1 Static NAT also from the Web Server Vlan to the other Vlan and this way the Web server would also be visible to the other Vlan with the public IP address.

I can't guarantee this will work but can't think of anything else at the moment.

- Jouni

ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Mon, 14 Jan 2013 22:02:51 GMT

Yes that's correct Jouni. 1 Vlan is PAT and other VLAN is 1:1 static NAT.

And PAT vlan is required to access webserver in Static NAT vlan

I thought of doing that but they require using DNS name.

So are you saying NAT inside to inside? I've enabled access to same security levels but no luck

tricky one

Re: ASA 8.4 NAT subnets to 1 IP Address

Jouni Forss — Mon, 14 Jan 2013 22:16:51 GMT

Hi,

I mean you could try doing the 1:1 Static NAT of the Web server also between the 2 Vlans

Then you would have the Static NAT configured twice

Between server Vlan and outside
Between server Vlan and user Vlan (for lack of a better term)

This could possibly be done with a single Static NAT command by changing the destination interface of the NAT with "any"

For example

object network STATIC

host 10.10.10.10

nat (inside,any) static 1.2.3.4

The above should do a 1:1 Static NAT for the LAN host towards any other ASA interface. So in your towards "outside" and also the other Vlan.

But as I said I'm not sure if it will work. I haven't had to do similiar NATs that often.

- Jouni

Re: ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84 — Mon, 14 Jan 2013 23:29:54 GMT

Hi,

I will give that a try.
Do you know what is the order of traffic flow?

is it Routing/ NAT/ ACL?

Thanks