topic Re: NAT Question in Network Security

NAT Question

Legusol — Fri, 21 Feb 2020 16:43:46 GMT

Our ISP has issued us two subnets: one is a /30 subnet and the other is a /28. For the sake of this discussion (with false IPs) the /30 is 46.181.101.212/30 with the provider assigned .213 and our WAN on .214. The /28 is 46.181.101.112/28. They are routing the 46.181.101.112/28 to our WAN interface. We have NAT for all users to come from our WAN (48.181.101.214) with a default route pointing to 48.181.101.213.

We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with.

Can anyone give us some insight? Thanks!

Re: NAT Question

Jon Marshall — Wed, 30 Jan 2019 22:17:07 GMT

Assuming this is 8.3 or later code it is probably to do with the ordering of your NAT statements.

On 8.3 or later NAT is split in 3 sections and it goes through the sections in order so what is probably happening is that the traffic outbound is being caught by the wrong NAT statement and the solution may be as simple as reordering your statements.

Have a read of this document which explains the above in more detail and gives some recommendations as to how to configure your NAT statements -

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

Jon

Re: NAT Question

Legusol — Wed, 30 Jan 2019 22:44:10 GMT

Hi Jon, I thought about that previously and created the NAT as a NAT before Network Object and moved it all the way to the top of the list.

When I run a packettracer test as well is shows that it should be picking up this NAT.

Re: NAT Question

Sheraz.Salim — Wed, 30 Jan 2019 23:58:08 GMT

object network REAL

host 10.0.0.25

object network MAPPED

host 46.181.101.214

nat (inside,outside) source static REAL MAPPED

access-list OUT-IN exten permit tcp any object REAL eq 443

access-group OUT-IN in interface outside

Re: NAT Question

Legusol — Thu, 31 Jan 2019 15:12:39 GMT

This was actually a "stupid" mistake on my part. We are in the process of changing to a new server for this and when I was setting up the NAT I was using the new server inside IP address but I still had the old server relaying the traffic. So in essence, I have the NAT set up correctly, I was just using the wrong IP address for the REAL server.

I just needed an overnight break to realize that!!!

Thank you both. I accept both as a resolution since NAT was the issue the the commands provide by Sheraz were correct. Thank you both!

Re: NAT Question

Sheraz.Salim — Thu, 31 Jan 2019 15:15:17 GMT

@LegusolI did noticed that wrong ip address in your packet tracer and i was curious why you doing this. also i was tired too and this also get over looked from me other wise i have mentioned to you.

anyway good to hear all sorted.