topic Re: Policy static NAT on ASA in Network Security

Policy static NAT on ASA

smunzani — Mon, 11 Mar 2019 12:31:46 GMT

Hi,

I have ASA box here running 7.2.3 code. Below is the goal.

Simple configuration. Inside and outside. When inside subnets go on internet use the PAT(global and nat commands). However if the inside hosts go to a specific address(my 3rd party MSP), the source addresses should be NATed.

Below is my config.

access-list msp-nat permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2

static(inside,outside) 10.99.1.0 access-list msp-nat netmask 255.255.255.0

However the issue is netmask is a valid option if you hit ?, however when you type that up, it tells me its not a valid option.

my-fw(config)# static (inside,outside) 10.99.1.0 access-list msp-nat netmask 255.255.255.0

invalid option netmask

Usage: [no] static [(real_ifc, mapped_ifc)]

{<mapped_ip>|interface}

{<real_ip> [netmask <mask>]} | {access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

I am sure I am not the 1st guy who is running on to this requirement. Almost all of 3rd party VPN connections require some kind of NAT to avoid overlapping IPs.

Any help is greatly appreciated.

Re: Policy static NAT on ASA

acomiskey — Tue, 15 Apr 2008 19:25:21 GMT

From command ref:

"If you use the access-list keyword instead

of the real_ip, then the subnet mask used in the access list is also used for the

mapped_ip."

So you should be able to do...

access-list msp-nat permit ip 192.168.1.0 255.255.255.0 host 2.2.2.2

static (inside,outside) 10.99.1.0 access-list msp-nat

Re: Policy static NAT on ASA

smunzani — Tue, 15 Apr 2008 19:35:20 GMT

That's what I am trying now but how does it know it needs to do subnet to subnet NAT? Usually on static command you define the mask. Here we don't have the mask defined on static command. The mast on the ACL is only for triggering the policy NAT.

Re: Policy static NAT on ASA

sundar.palaniappan — Tue, 15 Apr 2008 19:42:48 GMT

The source subnet mask used in the access list is also used for the mapped addresses.

I don't know why the CLI is even showing the netmask as an option since it's not part of the static command structure.

For policy static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface}

access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp

udp_max_conns]

Create the access list using the access-list command (see the "Adding an Extended Access List" section). This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. You can also specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section for more information.

HTH

Sundar

Re: Policy static NAT on ASA

acomiskey — Tue, 15 Apr 2008 19:44:32 GMT

It takes the mask from the real address in the acl.

So it's almost like..

static (inside,outside) 10.99.1.0 192.168.1.0 netmask 255.255.255.0

You're just moving the real ip and mask up to the acl.

Re: Policy static NAT on ASA

smunzani — Tue, 15 Apr 2008 20:02:19 GMT

It doesn't seem to be working though. I don't see ACL hit counts anywhere. Here is full sanitized config.

access-list msp-vpn extended permit ip 10.0.66.0 255.255.255.0 host 172.19.1.1

access-list msp-nat extended permit ip 192.168.1.0 255.255.255.0 host 172.19.1.1

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

static (inside,outside) 10.0.66.0 access-list msp-nat

crypto map vpn-map 10 match address msp-vpn

crypto map vpn-map 10 set peer x.x.x.x

crypto map vpn-map 10 set transform-set ESP-3DES-MD5

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

MYFW(config)# show xlate

36 in use, 250 most used

Global 10.0.66.0 Local 192.168.1.0

PAT Global x.x.x.x(1798) Local 192.168.1.124(3019)

<< more output trimmed here >>

So with this config, I don't even see the VPN triggering since NAT doesn't trigger. Show access-list doesn't show hit count increment on neither of the ACLs mentioned above.

Re: Policy static NAT on ASA

sundar.palaniappan — Tue, 15 Apr 2008 20:08:39 GMT

Configuration looks good. Did you do a 'clear xlate' after the configuration change? If still doesn't work try the policy nat instead of the policy static NAT.

Re: Policy static NAT on ASA

Jon Marshall — Tue, 15 Apr 2008 20:10:10 GMT

Sam

Could you try this just to make sure it's not something else

1) remove the static entry

2) add the following config

nat (inside) 2 access-list msp-nat

global (outside) 2 10.0.66.0 255.255.255.0

Jon

Re: Policy static NAT on ASA

smunzani — Tue, 15 Apr 2008 20:18:19 GMT

That doesn't work for me since that would work only for traffic from inside to outside. I need static since MSP needs to reach each individual IPs for monitoring purposes. We need to reach MSP server to sent traps/syslog.

To prove my logic here, I ran capture command with an ACL and ping destination IP.

access-list debug-nat extended permit ip any host 172.19.1.1

capture debug-inside type raw-data access-list debug-nat buffer 1024000 interface inside

capture debug-outside type raw-data access-list debug-nat buffer 1024000 interface outside

MYFW(config)# sh capture debug-inside

3 packets captured

1: 13:08:28.210468 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

2: 13:08:33.365383 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

3: 13:08:38.864976 802.1Q vlan#1 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

3 packets shown

MYFW(config)# sh capture debug-outside

4 packets captured

1: 13:08:28.210651 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

2: 13:08:33.365535 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

3: 13:08:38.865143 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

4: 13:08:44.364834 802.1Q vlan#2 P0 192.168.1.5 > 172.19.1.1: icmp: echo request

Re: Policy static NAT on ASA

smunzani — Wed, 16 Apr 2008 12:46:05 GMT

Team,

Thanks a lot to whoever responded. This thing might have already been working all along but because of my VPN issues, I was testing it with packet capture. I was just comparing packet capture on inside and outside interface and it still shows original source address. I guess it has something to do with order or operation.

If you want to see where and how the NAT happens, run packet-tracer on the ASA and you will see it clearly like this.

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

static (inside,outside) 10.99.1.0 access-list msp-nat

nat-control

match ip inside 192.168.1.0 255.255.255.0 outside host 172.19.1.1

static translation to 10.99.1.0

translate_hits = 13, untranslate_hits = 0

Additional Information:

Static translate 192.168.1.0/0 to 10.99.1.0/0 using netmask 255.255.255.0