topic Re: Source nat from inbound traffic in Network Security

Source nat from inbound traffic

Gustavo Villegas — Tue, 12 Mar 2019 00:00:28 GMT

Hi there ... I need some help figuring out how to do nat of the source of inbound traffic

Here's the idea

I've a WWW server published to internet (with is NAT set to be accessible with a public IP). This ASA is not the default gateway of the www server, as there are other ASA and links in the network

So, what I need is that any traffic getting inbound to the WWW server gets out through the ASA ... I'd like to NAT the public IP of the client accessing the www server to the inside interface (ideally) or any other internal IP that ASA will respond ARP request, so www sends the traffic through this ASA

I've tried different options of natting, but no luck

any help appreciated

www (10.11.0.31) ------------- (10.11.0.3) ASA internal ---- ASA outside (1.1.1.5) ------------ users (any)

nat for www

object network host-10.11.0.31

host 10.11.0.31

nat(internal,ouside) static 1.1.1.10

Re: Source nat from inbound traffic

Luis Silva Benavides — Thu, 27 Sep 2012 22:21:32 GMT

Hi Gustavo,

Instead of using an object NAT you need a Manual NAT (Twice NAT); this this will give you the opportunity to NAT the source and destination of the packet.

object-network host-10.11.0.31_1

host 10.11.0.31

object-network host-1.1.1.10

host 1.1.1.10

nat (outside,inside) source dynamic any interface destination static host-1.1.1.10 host-10.11.0.31_1

This will do the trick!

Thanks

Luis

Re: Source nat from inbound traffic

Luis Silva Benavides — Thu, 27 Sep 2012 22:25:20 GMT

Basically what we are telling the ASA here is that when it receives a packets going to 1.1.1.10 translate the source of the traffic to the inside interface of the ASA (something well known for the server).

I hope it helps

Luis

Re: Source nat from inbound traffic

Gustavo Villegas — Tue, 02 Oct 2012 20:51:08 GMT

Hi Luis ... thanks for your reply, Accept my apologies for not getting back to you earlier

I was able to test this today, and effectively, your advice did the trick

Thanks a lot ... I guess I still need to learn quite a bit about new NAT settings

Cheers!

Hi Luis!

om2010 — Sun, 09 Oct 2016 04:31:21 GMT

Hi Luis!

I have a similar issue, with a different twist. On ASA 9.5.

HostA@192.168.224.4:22 -- (internal-network) -- (inside 192.168.232.4) ASA (192.168.235.4 outside) 192.168.235.4:2022 ----- Internet

I need packets sourced from internet TO 192.168.235.4:2022 (outside of ASA) to be port mapped to 192.168.224.22. That's done with this :

object network obj_192.168.224.6
 nat (inside,outside) static interface service tcp ssh 2022

Now, the interesting part is that I ALSO need traffic from the internet to be SOURCE NATted to the inside interface of the ASA (192.168.232.4). I've tried :

nat (outside,inside) source dynamic interface ! with no luck...

Also tried your suggestion, it seemed to have worked when doing packet-tracer BUT actual traffic does not log counters against "sh nat". Any idea what I might not be doing right?

In my case, your suggested ended up being :

object network host_192.168.224.6
 host 192.168.224.6
nat (outside,inside) source dynamic any interface destination static host_192.168.224.6 host_192.168.224.6

Hi Olivier,

Luis Silva Benavides — Sun, 09 Oct 2016 05:14:47 GMT

Hi Olivier,

Do you see the packets arriving to the outside interface if you place a capture? Could you please add the trace keyword when you create the packet capture?

Then when you see the first packet(syn) run the command

Show cap <nameofcapture> packet-number 1 trace

If you could post this output with the output of a regular packet tracer will be great. You can also email it directly to me (luissilv@cisco.com)

Luis

Fixed with

om2010 — Mon, 10 Oct 2016 03:50:11 GMT

Fixed with

nat (outside,inside) source dynamic any interface destination static interface host_192.168.224.6

works!