topic Little Issue with NATing in Network Security

Little Issue with NATing

sly007 — Mon, 11 Mar 2019 21:05:37 GMT

Kindly help me with this scenario.

On my ASA fiewall, I had allowed direct translation to other Networks, using Access List to filter.

Now I have been required to use NAT to reach some specific hosts on other Networks

I want to use a particular Public IP address (not tied to an interface) for this purpose, (that is many-to-one mapping).

But two issues always result when i try to do this.

1. Each time I map another network to this same single IP Address, it tells me there is NAT pool overlap.

([WARNING] nat (inside,outside) after-auto 1 source dynamic Network_Team NAT_For_Gemalto description Gemalto Servers to be accessed

Pool (172.20.20.52) overlap with existing pool.)

2. Each time I apply the configurations, the previous internal networks that have been working fine, through the direct translation would stop accessing the outside Network.

How do I make the internal Network to be able to access the Outside Network through the direct translation and through the NAT Rule when required, and also be able to map multiple internal networks to the same single IP address without overlapping warning?
Thank you.

Below are some of the errors I receive.

[WARNING] nat (inside,outside) after-auto 1 source dynamic Network_Team NAT_For_Gemalto description Gemalto Servers to be accessed

Pool (172.20.20.52) overlap with existing pool.

[OK] no nat after-auto 1

[OK] object-group network DM_INLINE_NETWORK_3

object-group network DM_INLINE_NETWORK_3

[OK] network-object object Application_Team

[OK] network-object object Network_Team

[WARNING] nat (inside,outside) after-auto 1 source dynamic DM_INLINE_NETWORK_3 NAT_For_Gemalto description Gemalto Servers to be accessed

Pool (172.20.20.52) overlap with existing pool.

[WARNING] nat (inside,outside) after-auto 1 source dynamic Network_Team NAT_For_Gemalto description Gemalto Servers to be accessed

Pool (172.20.20.52) overlap with existing pool.

[OK] no nat after-auto 1
[OK] object-group network DM_INLINE_NETWORK_3
object-group network DM_INLINE_NETWORK_3
[OK] network-object object Application_Team
[OK] network-object object Network_Team
[WARNING] nat (inside,outside) after-auto 1 source dynamic DM_INLINE_NETWORK_3 NAT_For_Gemalto description Gemalto Servers to be accessed
Pool (172.20.20.52) overlap with existing pool.

Little Issue with NATing

andrew.prince — Fri, 29 Jul 2011 14:04:05 GMT

Policy based nat - using access-lists defined by source/destination would be a good place to start.

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

HTH>

Little Issue with NATing

sly007 — Fri, 29 Jul 2011 16:32:08 GMT

Does ASA 8.4.1 support policy-based NATing?

Little Issue with NATing

Julio Carvajal — Fri, 29 Jul 2011 17:14:46 GMT

Hi Sly007,

On this version you got to use twice Nat, On this you are going to nat a source IP to a Mapped IP regarding of the destination, And the destination could be natted if you want it.

Here is the link where you will find how to set it up

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/nat_rules.html

Let me know if you have any questions

Regards,

Little Issue with NATing

sly007 — Fri, 29 Jul 2011 22:02:35 GMT

Thank you Jcarvaja,

Attempts to launch the url returns with "Forbidden File or application"

Can you help please?
Thank you.

Little Issue with NATing

Julio Carvajal — Fri, 29 Jul 2011 22:11:11 GMT

Hello Sly007

Try this ones :

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/asdm63/configuration_guide/nat_rules.html

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_rules.html

The first one its for ASDM config and the second one using CLI