topic Re: Dynamic NAT - Outside Interface. Is it possible? in Network Security

Dynamic NAT - Outside Interface. Is it possible?

cavemanbobby — Mon, 11 Mar 2019 15:45:48 GMT

I have a web server on our inside network (10.15.20.20) that I'd like to have receive responses from a /29 block of external IP addresses within my outside interface's IP block. So basically I'd like any web traffic that hits 222.222.222.176/29 automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?

I can get it to work with a 1-to-1 Static NAT translated/redirected to 10.15.20.20. But I can't seem to get that /29 to translate to the inside address. I've tried Dynamic Policy NAT, Dynamic NAT, with access list config attempts, but it just doesn't want to take.

I'm hearing rumblings that it's not possible, to which I'd be surprised as this is possible on other vendor's firewalls.

I attached my config with clear examples of what might be a futile attempt 🙂

Any thoughts would be appreciated.

Re: Dynamic NAT - Outside Interface. Is it possible?

Jon Marshall — Fri, 19 Jun 2009 18:50:29 GMT

Robert

If i understand you correctly, have a look at this thread -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB?cmd=pass_through&location=outline@^1@@.2cd2616a/6#selected_message

If i have misunderstood please let me know.

Jon

Re: Dynamic NAT - Outside Interface. Is it possible?

svaish — Tue, 23 Jun 2009 09:00:20 GMT

As you said "So basically I'd like any web traffic that hits 222.222.222.176/29 automatically get translated/redirected from the outside to 10.15.20.20. Is this possible?"

you should translate your want any one who hits 222.222.222.176 to get translated to 10.15.20.20, if that is correct,

you need

ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20

Re: Dynamic NAT - Outside Interface. Is it possible?

cavemanbobby — Tue, 23 Jun 2009 14:17:39 GMT

You understood correctly and thank you for the link. I had actually seen that thread earlier and from what it seems, I'm going to have to go that route.

I was trying to avoid having to create separate access lists for each as one of my requirements is going to be to have a complete /27 external IP to a single internal IP. That, from what I understand, is going to be 30 separate access lists. A bit tedious, but certainly doable.

Many thanks.

Re: Dynamic NAT - Outside Interface. Is it possible?

cavemanbobby — Tue, 23 Jun 2009 14:21:38 GMT

svaish,

Thank you for your response. I tried doing that, but it won't let me give a netmask of 255.255.255.248 after my 222.222.222.176, which would fulfill my /29 external IP requirement.

By doing

ASA(config)# static (inside,outside) 222.222.222.176 10.15.20.20

Will only give me that one IP (.176) translated externally to the inside.

I needed all six IPs on the outside translated to one inside address.

I'll continue to plug away.

Cheers.

Re: Dynamic NAT - Outside Interface. Is it possible?

Stuart Hare — Tue, 23 Jun 2009 19:46:36 GMT

If your trying to do an Outside to Inside dynamic nat then yes this is possible.

You need to use the outside keyword at the end of your nat statement to tell the device its outside nat.

hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside]

[norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

outside-If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.

Check out the link below maybe of assistance.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/cfgnat.html

Hopefully I have understood you 🙂

HTH

Stu

Re: Dynamic NAT - Outside Interface. Is it possible?

svaish — Wed, 24 Jun 2009 05:26:43 GMT

YOUR PUBLIC IP

222.222.222.176

222.222.222.177

222.222.222.178

222.222.222.179

222.222.222.180

222.222.222.181

222.222.222.182

YOUR inside server = 10.15.20.20

Configuration required

create six different access list like this

access-list a1 line 1 extended permit ip host 10.15.20.20 any

access-list a2 line 1 extended permit ip host 10.15.20.20 any

access-list a3 line 1 extended permit ip host 10.15.20.20 any

access-list a4 line 1 extended permit ip host 10.15.20.20 any

access-list a5 line 1 extended permit ip host 10.15.20.20 any

access-list a6 line 1 extended permit ip host 10.15.20.20 any

Apply Static command

static (Inside,outside) 222.222.222.176 access-list a1

static (Inside,outside) 222.222.222.177 access-list a2

static (Inside,outside) 222.222.222.178 access-list a3

static (Inside,outside) 222.222.222.179 access-list a4

static (Inside,outside) 222.222.222.180 access-list a5

static (Inside,outside) 222.222.222.181 access-list a6

May Help!