topic Re: ASA (policy) NAT help in Network Security

ASA (policy) NAT help

whiteford — Mon, 11 Mar 2019 15:29:12 GMT

Hi,

I think this might a be policy NAT required, but I have never tried this before.

On our LAN we have a subnet 192.168.100.x/24 and this need to get to an IP range of 10.100.0.32/27 which is a remote company network, tyhe thing is they also have a network on 192.168.100.x/24 so I want 192.168.100.x/24 to be NAT'ed to 192.168.90.0/24 only if going to this netork.

Possible

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 09:39:26 GMT

Yes this is possible - you need to use PolicyBased NAT

HTH>

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 09:50:39 GMT

Do you have an example of this.

Inside range he is on is

192.168.100.x/24 and he need to get to 10.100.0.32/27

I want him to be seen as 192.168.90.x/24 or 192.168.90.240 if easier?

Thanks

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 09:57:46 GMT

The config would be something like:-

access-list <> extended permit ip <> <

static (inside,outside) <> access-list <>

HTH>

Re: ASA (policy) NAT help

handsy — Fri, 08 May 2009 10:26:41 GMT

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

static (inside,outside) 192.168.90.240 access-list policy_NAT

If there is a match in the ACL 'policy_NAT' then the 192.168.100.x address will be translated to 192.168.90.240

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 11:00:29 GMT

hi,

When adding "static (inside,outside) 192.168.90.240 access-list policy_NAT

I seem to get the error:

global address overlaps with mask

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 11:08:49 GMT

Check your ACL.

Re: ASA (policy) NAT help

handsy — Fri, 08 May 2009 11:10:18 GMT

Use NAT instead:

access-list policy_NAT permit ip 192.168.100.0 255.255.255.0 host 10.100.0.32

global (outside) 1 192.168.90.240

nat (inside) 1 access-list policy_NAT

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 11:14:13 GMT

Can host 10.100.0.32 be a range 10.100.0.32/27 ?

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 11:19:52 GMT

Yes

Re: ASA (policy) NAT help

handsy — Fri, 08 May 2009 11:20:05 GMT

Yes, just take out :

host 10.100.0.32

and replace with

10.100.0.32 255.255.255.224

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 11:34:10 GMT

Tried this but it didn't work, this my fault the interface where this network lives is off acn interface on the ASA called "DMZ3":

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

Re: ASA (policy) NAT help

handsy — Fri, 08 May 2009 11:43:40 GMT

You need to detail the error, or why you say it didn't work.

Have you forced the connection from the 192.168.100.0/24 to the 10.100.0.32/27 network?

Does 'show xla' give you a translation?

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 11:50:30 GMT

Then you need to change nat (<>) 2 access-list policy-nat-2

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 11:50:44 GMT

Sorry that was very brief of me.

I have added this as you know:

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (inside) 2 access-list policy-nat-2

the 192.168.100.x is on the inside and 10.100.0.32/27 is on the DMZ3 interfcae on the ASA which is were this WAN is installed to this remote network.

Let me look at the NAT translations.

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 12:06:54 GMT

I didn't see any translations:

Does this look ok to you guys, sorry for all the silly confusion I have created.

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (outside) 2 192.168.90.240

nat (DMZ3) 2 access-list policy-nat-2

I went to the PC with 192.168.100.x amd pinged 10.100.0.61 which I know is live and got a request timeout.

Re: ASA (policy) NAT help

andrew.prince — Fri, 08 May 2009 12:23:32 GMT

Config looks OK - can you confirm that layer 3 deivces on the 10.100.0.32/27 subnet know "how" to get "back" to 192.168.90.x thru 192.168.100.x ?

Are you allowing icmp - echo-replies back into the outside interface of the ASA?

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 12:25:47 GMT

192.168.90.x can ping 10.100.0.32/27 as I'm pinging from that subnet.

I guess they will just send replies to 192.168.90.240 that translates to 192.168.100.x?

Is this staic NAT better than a policy NAT?

Re: ASA (policy) NAT help

handsy — Fri, 08 May 2009 12:33:18 GMT

I think you have your bracketed interfaces the wrong way round for global and nat.

global (DMZ3)

nat (inside)

Re: ASA (policy) NAT help

whiteford — Fri, 08 May 2009 14:18:38 GMT

Sadley, I couldn't get this to work:

I tried these 2 configs:

1.)

access-list policy-nat-2 permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

global (DMZ3) 2 192.168.90.240

nat (outside) 2 access-list policy-nat-2

When i do a packet trace I get a drop:

packet-tracer input inside icmp 192.168.100.32 0 1 1 10.100$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in Remotesvr_Servers 255.255.255.224 DMZ3

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in VLAN100 255.255.255.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit icmp any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip inside any DMZ3 any

dynamic translation to pool 1 (No matching global)

translate_hits = 137, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

2.)

access-list inside_outbound_nat0_acl extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

access-list policy-nat-2 extended permit ip 192.168.100.0 255.255.255.0 10.100.0.32 255.255.255.224

static (inside,DMZ3) 192.168.90.240 access-list policy-nat-2

On this one I get the error "global address overlaps with mask"