topic Static NAT to IP that is not local to ASA? in Network Security

Static NAT to IP that is not local to ASA?

Brandon Svec — Mon, 11 Mar 2019 23:10:44 GMT

All, I have a doubt about a configuration I am requesting. I know just a little about ASA myself, but am working with a contractor on this project and he is not sure this can be done or not.

My applciation is this:

- ASA with internet and some public IP.

- Exisiting internal LAN of 10.10.10.0/24.

- New voice VLAN 10.10.100.0 on L3 SGE switch doing inter-vlan route between 10.10.100.0/24 and 10.10.10.0/24 via 10.10.10.1 (ASA internal interface)

- ASA will have static route to 10.10.100.0/24 via 10.10.10.254 (data VLAN interface on my L3 switch) This much is a known working configuration for me to allow voice and data vlans to route and require very little of firewall contractor.

Now I need static NAT of a public IP to my IP PBX on 10.10.100.1. The doubt I have is if they try to configure this the ASA will not want to make a NAT to 10.10.100.1 because that network does not exist anywhere in the ASA config.

Is there a way to make this work or will it be required/better to use an extra interface no the ASA and make it 10.10.100.0/24 and have the ASA do inter-vlan routing instead of the switch?

Thanks in advance,

Brandon

Static NAT to IP that is not local to ASA?

Jennifer Halim — Thu, 24 May 2012 00:50:52 GMT

What you are trying to configure is achievable. Voice VLAN does not need to be a subnet on the ASA as long as you have a route to that subnet as you have configured on the ASA, it would be fine.

Can you please share what you have tried to configure and the error message when you are trying to configure it and it does not take it?

For inbound access from the internet, you would need static NAT configured as well as access-list on the outside interface.

Static NAT to IP that is not local to ASA?

Brandon Svec — Thu, 24 May 2012 03:23:33 GMT

Thanks very much for the reply. I agree with you, but the person working on the firewall led me to think otherwise..

The implementation will not happen untill Friday when they move their ASA to a new location where I have already installed the switch and IP PBX. So I won't be able to try anything until then, but thank you for clearing my doubt about if static NAT can work to a subnet not on the ASA.

Static NAT to IP that is not local to ASA?

Julio Carvajal — Thu, 24 May 2012 05:51:29 GMT

Hello Brandon,

I agreewith Jeniffer, this can be done using the same inside interface.

The ASA will be involved on this as it will have a route to that particular PBX on it's inside interface.

What you need to make sure is that the layer 3 device connecting to 10.10.10 and 10.10.100 does not do any nat between them so the ASA can handle that.

Regards,

Julio

DO rate all the helpful posts

Static NAT to IP that is not local to ASA?

Brandon Svec — Fri, 25 May 2012 19:02:23 GMT

Help please.. I am working on this now and not yet concerned with the static NAT but can't get simple internal static route to work. I need ASA inside 10.10.10.0/24 to route to 10.10.100.0/24 voice network conencted via 10.10.10.254 on my L3 switch.

I did this command:

route inside 10.10.100.0 255.255.255.0 10.10.10.254

and now I can ping 10.10.100.1 from ASA but not from 10.10.10.0 network because I think ACL is needed to allow route between subnets but I don't know what it should like.

Thanks,

Static NAT to IP that is not local to ASA?

Jennifer Halim — Fri, 25 May 2012 23:47:41 GMT

Your 10.10.10.0 network should have default gateway as the switch 10.10.10.254 instead of the ASA. Then the switch should have default gateway pointing towards the ASA.

Reason is because ASA will drop the packet if it does not see the complete session for security reason.

If you change your host in 10.10.10.0/24 network default gateway to the switch, it will work just fine.

Let me know how it goes or if you have any further question.

Static NAT to IP that is not local to ASA?

Brandon Svec — Sat, 26 May 2012 17:29:46 GMT

Thanks for the reply. Since I don't have access to the ASA myself I now have to wait until Tuesday to go back and test things.. I appreciate your input and will update when resolved or if I still need help.

Static NAT to IP that is not local to ASA?

Brandon Svec — Tue, 29 May 2012 15:24:44 GMT

The inside static route is now working, thank you. Back to my original question about static NAT. I just need a public IP to pass all traffic to an internal IP that is on the 10.10.100.0/24 network not directly conencted to the ASA. I am thinking this would be the command:

static (outside,inside) 10.10.100.1 222.222.222.222 netmask 255.255.255.255

Does that seem correct and can you provide an example of what the ACL would look like? I want to just allow all traffic now for the purpose of remote IP phones and some admin and mobile apps using various ports. Once it is tested working I will let the firewall vendor layer security on.

Thanks again,

Brandon

Static NAT to IP that is not local to ASA?

Jennifer Halim — Tue, 29 May 2012 19:29:42 GMT

It should be:

static (inside,outside) 222.222.222.222 10.10.100.1 netmask 255.255.255.255

The above static statement works bidirectionally.

Also if the traffic is originated from the Internet, you would need to configure access-list and apply that to your outside interface.

Eg:

access-list outside-acl permit ip any host 222.222.222.222

access-group outside-acl in interface outside

If you already have an existing access-list applied to the outside interface, just add the permit statement to the existing access-list.

Hope that helps.