topic Re: NAT Challenges in Network Security

NAT Challenges

Steven Williams — Fri, 21 Feb 2020 16:49:10 GMT

I think I need a twice nat but i have never done one and its confusing to me.

My scenario is this:

Client A = 10.81.113.10

Server B = 10.0.1.4

Site A has Client A

Site B has Server B

Client A cannot hit Server B on its IP address (real IP). Server B sits behind an ASA. I have created a one to one nat for Client A to hit 172.16.3.4 rather then 10.0.1.4.

object network SERVER_EXTERNAL_NAT_IP
host 172.16.3.4
object network SERVER_INTERNAL_IP
host 10.0.1.4

object network SERVER_INTERNAL_IP
nat (inside,outside) static SERVER_EXTERNAL_NAT_IP

So from client A to that server communication works. Now here is the issue. Because client A has an application that is set to talk to 172.16.3.4, when Server B makes a connection to Client A it uses its real IP of 10.0.1.4 and the application doesn't understand that. So how do I make sure when the server communicates out to JUST client A that its IP is source IP is 172.16.3.4?

Re: NAT Challenges

Francesco Molino — Fri, 15 Feb 2019 00:39:49 GMT

You can use the following commands:

object network SERVER_EXTERNAL_NAT_IP
host 172.16.3.4
object network SERVER_INTERNAL_IP
host 10.0.1.4

object network CLIENTA

host x.x.x.x

!
nat (inside,outside) source static SERVER_INTERNAL_IP SERVER_EXTERNAL_NAT_IP destination static CLIENTA CLIENTA no-proxy-arp route-lookup

Test it and let me know.

Also, if not working, run the following command and pase the output into a text file:

packet-tracer input inside icmp 10.0.1.4 8 0 x.x.x.x —> where x.x.x.x is client A IP

Re: NAT Challenges

Steven Williams — Fri, 15 Feb 2019 13:51:46 GMT

ERROR: Option route-lookup is only allowed for static identity case

Re: NAT Challenges

Steven Williams — Fri, 15 Feb 2019 14:17:41 GMT

I think what I am trying to accomplish is impossible.

Lets say I have Server B at site B, one single network card, 10.0.1.2. Local things connect to 10.0.1.2, but when I create the NAT for Site A to connect to it on 172.16.3.4, the local communication stops working? is it because of the NAT on the firewall?

Re: NAT Challenges

venkat_n7 — Fri, 15 Feb 2019 15:34:19 GMT

if it only has one nic card, Yes. it can either support one rule(without NAT or With NAT). to accomplish that, i would do it with two nic cards, one for local network and other for external and add routing rules on the server.

Re: NAT Challenges

Francesco Molino — Fri, 15 Feb 2019 16:20:10 GMT

Yeah sorry for the route-lookup my bad.

However, on which asa you're setting this nat on site B or site A?

Can you share a quick sketch on how everything is setup? What you want to do is possible, now it depends on how and this will depend on your design?
I just assumed a design based on description you gave but maybe I assumed wrong. That's why I'm asking a quick design