topic Re: Conditional Nat on an ASA in Network Security

Conditional Nat on an ASA

bart.mollemans — Fri, 21 Feb 2020 09:50:38 GMT

A practical dillemma led me here:

A customer has several remote sites wich each have a pc that connects to a virtual IP in the HQ lan, which in term is natted to a real HQ server IP on the asa. Now the need has risen to nat a specific group of remote sites to a diferent real HQ server IP...

My current work-arround is a hardware loadbalancer, but imho there should be a nice/clean cisco (nat) alternative...no?

For a viasual clarification, please see my attached visio.

Many thanks for any hints or suggestions you might have,

Bart

Re: Conditional Nat on an ASA

Collin Clark — Thu, 27 Dec 2007 20:40:36 GMT

Bart-

Can the remote offices that need to point to the new server, point to a new NAT address or do they have to point to 4.4.4.3?

Re: Conditional Nat on an ASA

bart.mollemans — Fri, 28 Dec 2007 07:24:29 GMT

This was my first question too, but the devices at the remote sites are in fact a type of apliances that require (costly) 3rd party intervention if we need to change a system setting plus there are over 600 remote sites... so no ...

Re: Conditional Nat on an ASA

srue — Fri, 28 Dec 2007 15:23:33 GMT

create object groups to more easily manage which remote sites need the server nat'ed to which IP - then you can use the same object groups to configure your standard interface acl's.

In this example, 192.168.1.1 is the internal IP of the server. the 31.x.x.x addresses are the nat'ed IP's.

access-list nat1_acl permit ip host 192.168.1.1 object-group remote_sites_A

access-list nat2_acl permit ip host 192.168.1.1 object-group remote_sites_B

static (inside,outside) 31.1.1.1 access-list nat1_acl

static (inside,outside) 31.1.1.2 access-list nat2_acl

Re: Conditional Nat on an ASA

bart.mollemans — Fri, 28 Dec 2007 15:33:20 GMT

Thanx for the reply but this does not tackle the issue at hand.

I have 2 internal servers (a,b) who need to be reached on a virtual ip c.

If Ip address group X connecting to address c, the natting should lead them to internal server a. Addtionally when addres group y connects to address c the asa natting should lead them to internal server b...

Re: Conditional Nat on an ASA

srue — Fri, 28 Dec 2007 15:43:12 GMT

my bad.

how about:

access-list nat1_acl permit ip host 192.168.1.a object-group X

access-list nat2_acl permit ip host 192.168.1.b object-group Y

static (inside,outside) 31.1.1.1 access-list nat1_acl

static (inside,outside) 31.1.1.1 access-list nat2_acl

Re: Conditional Nat on an ASA

Collin Clark — Fri, 28 Dec 2007 18:37:51 GMT

Is there a gateway device at each remote office that could NAT?

Re: Conditional Nat on an ASA

bart.mollemans — Sat, 29 Dec 2007 01:56:58 GMT

Sir,

Indeed, that was my 3rd prefered solution.

My seccond prefered is the one I have setup now; I had a spare F5 LB lying around and put it to use 🙂

The most prefered one is of course to have it all cleanly configured in one device; The asa. Cisco has got to have a way to do this...

Checkpoint an juniper all can do this type of packet-crafting, perhaps I'm just overlooking something obvious.

Re: Conditional Nat on an ASA

bart.mollemans — Sat, 29 Dec 2007 02:25:47 GMT

perhaps idd... I was just staring myself blind at the asdm gui. In commandline this makes perfect sense. So in effect we have 2 static policy Nat's with for the Original source 192.168.1.a(192.168.1.b for 2nd packet), original destination object group siteA(siteB for 2nd packet). And on the outside interface a translated address of 31.1.1.1. thx I'll try and let you know Srue.