topic Re: Static NAT through ASA in Network Security

Static NAT through ASA

KeithN123 — Fri, 21 Feb 2020 11:55:24 GMT

I have configured a static NAT through my ASA, which for some

reason does not work - I believe the problem is with the NAT or

der rather than the rule itself but I would be most grateful if someone

could assist me in diagnosing the problem.

from command line the rule is ::-

static (UKSCMGMT,management) 10.20.20.20 192.168.1.2 netmask 255.255.255.255

my theory is that anything with a destination address of 10.20.20.20 would be seen as 192.168.1.2 on teh UKSCMGMT interface.

looking at ASDM the rule looks like this

Type Source Destination interface trans address

Static 192.168.1.2 blank management 10.20.20.20

there are some EXEMPT rules relating to 192.168.1.2 - but they are host to host and should not affect the static translation.

Re: Static NAT through ASA

Jennifer Halim — Thu, 08 Apr 2010 10:42:41 GMT

Please share the following configuration:

sh run interface --> would like to see the security level

sh run static --> depending on the security level above, need to check the current static statement

sh run nat --> also need to check if the NAT exemption overlaps.

Re: Static NAT through ASA

KeithN123 — Thu, 08 Apr 2010 12:09:12 GMT

both interfaces have a security level of 100

the show run static command gives the following =

static (UKSCMGMT,management) LS-NAT-P-NAG02 ls-mpd-p-nag02 netmask 255.255.255.255

I have now removed all the Exempt statements and ticked the "Enable traffic through the firewall without translation" box

attached is a packet trace of the rule

Thanks you for taking the time to look at this problem.

Re: Static NAT through ASA

Jennifer Halim — Thu, 08 Apr 2010 12:12:07 GMT

If they are the same security level, you would need to add the following:

same-security-traffic permit inter-interface

Re: Static NAT through ASA

KeithN123 — Thu, 08 Apr 2010 12:34:07 GMT

I have already apllied this command - but I still see the same error ?

thanks

Re: Static NAT through ASA

Jennifer Halim — Fri, 09 Apr 2010 05:33:32 GMT

Is your goal to perform NAT for communication between the 2 networks that has the same security level? Also, if you don't mind posting your config that would help. Thanks.

Re: Static NAT through ASA

KeithN123 — Mon, 19 Apr 2010 09:35:32 GMT

Hi - I am unable to post the configuration - but would you be able to clarify the use of the checkbox

"Enable traffice throught the firewall without address translation" -

If I check this box. Does that mean I no longer need to specifiy any network exemption

, and only configure the real NATted addresses? Can I safely configure "no nat-control" and remove all EXEMPT configuration ?

many thanks

Keith

Re: Static NAT through ASA

Jennifer Halim — Mon, 19 Apr 2010 10:13:30 GMT

The "no nat-control" will only work if you have no NAT statement at all configured (including the dynamic NAT). As soon as you have 1 NAT statement, the "no nat-control" will not take effect anymore, and you will still need to configure NAT exemption.

Re: Static NAT through ASA

KeithN123 — Mon, 19 Apr 2010 11:40:52 GMT

many thanks fior the reply.

So that means that even though I have only

a few NAT statements (probably 15 or 20) I will have to configure every single

EXEMPT host or network that exists - of which there are hundreds ?

I have already configured the firewall this way but I was looking for way to tidy up the enormous amount of exempt rules.

regards

Keith

Re: Static NAT through ASA

Jennifer Halim — Mon, 19 Apr 2010 11:48:36 GMT

Yes, absolutely correct. You can configure NAT exemption per network instead of per each host. If you have hosts which can be grouped into a subnet, configure it as network statements instead.

Re: Static NAT through ASA

KeithN123 — Mon, 19 Apr 2010 12:32:32 GMT

Many thanks for your patience and assistance with this problem.

I have already configured network objects where possible but unfortunately some are hosts.

regards

Keith