topic Re: Double NAT ? in Network Security

Double NAT ?

David Dobbs — Mon, 11 Mar 2019 13:51:32 GMT

On an ASA 5520 ver 8.0(4) I have the following NAT senario:

From my private interface "b2b-bastion" I want the following translation to occur when a packet goes from interface b2b-bastion to the external interface "b2b-dmz" and returns:

b2b-bastion (packet in):

src - 172.24.24.21

dest - 69.129.150.67

b2b-dmz (packet out)

src - 208.83.222.130

dest - 192.168.0.150

Conversely, I want returned traffic from 192.168.0.150 to translate as follows:

b2b-dmz (packet in)

src - 192.168.0.150

dest - 208.83.222.130

b2b-bastion (packet out):

src - 69.129.150.67

dest - 172.24.24.21

Basically, the network on b2b-bastion interface sees 192.168.0.150 as 69.129.150.67. The network on b2b-dmz sees 172.24.24.21 as 208.83.222.130.

Any ideas on how to get this to work? No VPN tunnels involved here.

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 02:35:35 GMT

static (b2b-bastion, b2b-dmz) 192.168.0.150 access-list 100

static (b2b-dmz, b2b-bastion) 69.129.150.67 access-list 101

access-list 100 pemrit ip host 172.24.24.21 host 69.129.150.67

access-list 101 permit ip host 192.168.0.150 host 208.83.222.130

the above dose 50% of what u want

i think not sure u may need two device to get fully nated as u want it " not sure"

Re: Double NAT ?

Matthew Warrick — Wed, 01 Oct 2008 02:58:57 GMT

With the assumption that: inside=b2b-bastion and outside=b2b-dmz

static (b2b-dmz,b2b-bastion) 172.24.24.21 208.83.222.130 netmask 255.255.255.255

static (b2b-bastion,b2b-dmz) 69.129.150.67 192.168.0.150 netmask 255.255.255.255

That is if I am understanding your conditions completely. A single ASA can bi-directionally NAT this just fine.

Try to think of in these terms:

outside NAT --> static (outside,inside) local_ip global_ip netmask 255.255.255.255

inside NAT --> static (inside,outside) global_ip local_ip netmask 255.255.255.255

The "global_ip"s are the NAT'd "real" addresses that the external networks will be reaching.

Hope that helps.

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 03:05:46 GMT

hi Matthew

u mean the above nating will be prossed two times in each direction ?

Re: Double NAT ?

Matthew Warrick — Wed, 01 Oct 2008 03:15:18 GMT

Yes with bidirectional statics both the source and destination networks will be translated depending on the direction they are heading through the firewall. Assuming I understood the original question completely.

Viewing the xlate table on the firewall with the command "sh xlate det" will display both the NAT translations as the firewall sees them.

There are drawbacks to using "outside NAT" but it is beyond the scope of the question I think.

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 03:30:09 GMT

ok this is what i know and expected to be done

but if u look on his question he wants the source and dist to be translated when going out and the smae when going back

while i think urs and mine dose 50% of this

am i right ?

Re: Double NAT ?

David Dobbs — Wed, 01 Oct 2008 03:46:30 GMT

Thanks to all for your replies. I do have the static NATs in place as suggested and when I use the trace tool on the GUI (ASDM) it seems like it should work and the xlates look fine, it just doesn't pass traffic through the firewall from b2b-bastion out b2b-dmz.

One thing I left out in my hast to get this message out was that the 192.168.0.0/24 network (for 192.168.0.150) is not directly connected to the b2b-dmz interface. It is on the other side of a gateway that the b2b-dmz points to. I tried putting a routing statement in for 192.168.0.150 pointing to this gateway out the b2b-dmz interface; however, it still does not pass traffic. The gateway address is 208.83.222.2

Any ideas?

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 04:08:56 GMT

if u can post a simple drown topology for u network !

Re: Double NAT ?

Matthew Warrick — Wed, 01 Oct 2008 04:11:08 GMT

If you have other routers to pass through along the way you will want to move the nat operation to the last hop routers on each side where those RFC 1918 networks are reachable via the server's local_ip.

Something like this:

172 host <-> NAT firewall <-> NAT router <-> 192 host

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 04:31:18 GMT

which is exactly like what i suggested in my first post " u need other device to do nating with firewall" this way u will do part of nating on the firewall and the other on the router

good luck

Re: Double NAT ?

cisco24x7 — Wed, 01 Oct 2008 11:07:43 GMT

When it comes to complex NAT, you need a

Checkpoint firewall to do the job for you.

Cisco ASA does not do a very good of complex

NAT. Even when you get it to work,

maintaining it is a pain in the ass.

What you described, I just tested and get it

to work on Checkpoint Firewall in 5 minutes,

and that it worked on the very first attempt.

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 11:18:09 GMT

i think the issue above with a cisco firewall not a comerison between vendors features

Re: Double NAT ?

David Dobbs — Wed, 01 Oct 2008 11:41:33 GMT

Attached is a drawing of what I'm trying to do (in jpeg format).

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 12:14:09 GMT

i think now everything is fune exept the 69.129.150.67

try the following

creat a loopback interface on the router

interface loopback 0

ip address 69.129.150.66 255.255.255.0

assumeing that the 69.129.150.0 is /24

on the ASA add the following route

route b2b-dmz 69.129.150.0 255.255.255.0 208.83.222.2

again the mask of the 69.129.150.0 must be right if it is not /24 put the right one instead

now we will nat the 172.24.24.21 on the firewall as following

static (b2b-bastion, b2b-dmz) 208.83.222.130 172.24.24.21 netmask 255.255.255.255

and make sure there is and ACL on the b2b-dmz that allow traffic from 69.129.150.0 network or only from 69.129.150.67 host going to 208.83.222.130

now on the router we will make the nat inside as the interface connected to the server 192.168.0.0/24 i will consider it as fa0/0

and the nat outisde i will make it on the loopback0 as it is in deffrent network which is 69.129.150.0

ip nat inside source static 192.168.0.150 208.83.222.150

on the interface facing the server do

fa0/0

ip nat inside

interface loopback0

ip nat outside

if didnt work try to make the foolwing addetion

access-list 100 permit ip host 192.168.0.150 host 208.83.222.130

route-map nating

match ip address 100

ip nat inside source static 192.168.0.150 208.83.222.150 route-map nating

good luck

the only problem with the 69. network that why i made loopbackinterface

if the treck didnt work u need to change the 69 network with IP in 208 network range then 100% will work

try it and let me know

IMPORTANT after u finish all nating config reload both the router and the Firewall then test it

Re: Double NAT ?

David Dobbs — Wed, 01 Oct 2008 12:28:12 GMT

Thank you for this solution.

So is there no way to do a double NAT on the ASA? I have an ACL that allows traffic between the two destination hosts, I see the translations in the xlate table, it just doesn't route out the b2b-dmz interface to get to 192.168.0.150. I've tried this routing statement on the ASA but it doesn't seem to work:

route b2b-dmz 192.168.0.150 255.255.255.255 208.83.222.2 1

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 12:34:36 GMT

the problem with 69

u have two way either change the 69 network ip with an ip in the 208 network

or try to creat the loopback and make the ip as i mentioned and make a route for that ip point to the router interface

this is i mean based on the two nats on the ASA

and let me know

good luck

Re: Double NAT ?

David Dobbs — Wed, 01 Oct 2008 12:55:35 GMT

I did your first suggestion of doing a NAT on the ASA and a NAT on the router. That worked so I'll go with that.

Many thanks to all the contributors to this issue!

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 12:58:50 GMT

u mean u created loopback and everything as i mentioned?

and congrtulations anyway:)

if helpful Rate

Re: Double NAT ?

Marwan ALshawi — Wed, 01 Oct 2008 14:03:22 GMT

thanks for rating

i just wanna make sure the loopback idea worked because i just thought about it logicaly

tahnks

Re: Double NAT ?

David Dobbs — Wed, 01 Oct 2008 19:53:11 GMT

You pointed me in the right direction about separating the NATs on two seperate devices; however, the gateway is really another ASA with a VPN tunnel to the 192.168.0.0/24 network (192.168.0.150 host). So I didn't use a loopback address but used the following static NAT statement:

static (external,b2b-dmz) 69.129.150.67 192.168.0.150 netmask 255.255.255.255

Sorry but I did not want to complicate my senario with the ASA VPN concentrator since I was originally trying to double NAT on our ASA firewall that is behind the ASA VPN concentrator which is the gateway to our firewall for our VPN connections.

Thanks Again!