topic NAT between two interfaces in Network Security

NAT between two interfaces

MaDe — Tue, 12 Mar 2019 00:44:23 GMT

Good day,

I would ask if it is possible to do NAT between two Interfaces on the same device?
The problem is that I need access from my inside lan to the management interface on the ASA. We will not manage the ASA over the inside interface.

This is my current NAT statement:

nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional

This is my PacketTracer output:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0  mgmt

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
Additional Information:
Static translate 172.20.200.1/0 to 192.168.3.222/0
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244039047, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: mgmt
output-status: up
output-line-status: up
Action: allow

So NAT seems to be working correct. I can reach other devices behind the mgmt network this is no problem. But I cant access the ASA on the mgmt interface 192.168.3.2.
Clould it be a problem with the traffic flow? Because in the PacketTracer output I see on Phase1 a Route-Lookup and later on Phase4 the NAT statement.

Is there a way to get this working?
Many thanks for your feedback.
Brgds,

Markus

NAT between two interfaces

Jouni Forss — Tue, 08 Jan 2013 10:26:16 GMT

Hi,

To my understanding its not possible to connect to an ASA interface through interface other than the interface where the IP address is located.

In other words you are not able to connect from behind "inside" to the IP address of "mgmt" interface

I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it though)

- Jouni

NAT between two interfaces

danielciscoswart — Tue, 08 Jan 2013 13:14:55 GMT

You need to allow access to it. As you need to state.

ssh 192.168.3.0 255.255.255.0 mgnt <-- on what interface its not a nat problem just an managment access issue.

Regards

Daniel

NAT between two interfaces

Jouni Forss — Tue, 08 Jan 2013 13:33:14 GMT

Hi,

Tried to lab this on a test firewall and with the same type of configuration it didnt work for me atleast.

I mean connecting from a network behind one interface to another interfaces IP address for firewall management.

- Jouni

NAT between two interfaces

danielciscoswart — Tue, 08 Jan 2013 13:37:51 GMT

thats correct is you are on say the inside subnet then you would need to connect to the firewall on the interface facing the inside. If you want to connect to the managment interface you need to connect onto the managment subnetwork and then connect to the management facing interface.

You cant connect to the management interface from the inside network.

NAT between two interfaces

MaDe — Thu, 10 Jan 2013 12:58:54 GMT

Good day all,

thanks for your feedbacks. I setup a new transfer network and placed all management interfaces behind the transfer network into a new management network. Before I access the network I do NAT. So I can access the ASAs and other devices.

Thanks for help.
Brgds,

Markus