topic Re: ASA 5508 in Network Security

ASA 5508

Angelos — Fri, 21 Feb 2020 15:54:06 GMT

Hello to all this is my first post so i would try to keep it simple and clean.

I got 2 internal ip's that i want to translate them to 2 external ip's .Each one on its own.

Lets say x.x.x.10 to x.x.x.200 and x.x.x.11 to x.x.x.201.

Now which concept should i use i dont want to use dynamic nat with pool since i want to bind each address to its own .I have read about Twice Nat but i am not sure if is the right way to do it .

Any help would be appreciated thank you.

Re: ASA 5508

Daniele Giordano — Wed, 20 Jun 2018 08:03:36 GMT

Hi, you can use also dynamic pool. In this way the hosts will not be "exposed" to internet. This is an example:

conf t

object network HOST1

host x.x.x.10

nat (inside, outside) dynamic x.x.x.200

object network HOST2

host x.x.x.11

nat (inside, outside) dynamic x.x.x.201

otherwise you must use static rules, example:

static (inside,outside) x.x.x.x.200 x.x.x.10 netmask 255.255.255.255

static (inside,outside) x.x.x.x.201 x.x.x.11 netmask 255.255.255.255

The commands can be different based on the ASA fw verison.

Regards.

Re: ASA 5508

Angelos — Wed, 20 Jun 2018 10:58:42 GMT

Thank you for the reply .

Just clarify something since i am not the initial configurator of this ASA and my knowledge to it is limited to a point here is what i got now.

show xlate
3 in use, 622 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:x.x.x.13 to DMZ:x.x.x.13
flags s idle 407:21:47 timeout 0:00:00
NAT from outside:x.x.x.14 to DMZ:x.x.x.14
flags s idle 407:21:47 timeout 0:00:00

NAT from DMZ:10.x.x.13 to outside:151.x.x.13 flags i idle 0:00:40 timeout 3:00:00

Now they want the .14 network to be nated dmz to the public .14 network .Any ideas thank you for

your time.

Re: ASA 5508

Daniele Giordano — Wed, 20 Jun 2018 11:53:33 GMT

Hi, you can try these commands:

conf t

object network x.x.x.14

subnet x.x.x.0 255.255.255.0 !!! you must set ip and subnetmask according to your scenario

nat (DMZ, outside) dynamic x.x.x.14 !!! configure the public ip

Regards.

Re: ASA 5508

Angelos — Wed, 20 Jun 2018 12:35:18 GMT

I am getting that:WARNING: Pool (151.x.x.14) overlap with existing pool.

after doing

show nat pool

i get this results

NAT pool outside:NatPool, range 151.x.x.13-151.x.x.14, allocated 1.

On your previous recommendation the

conf t

object network x.x.x.14 ---- is the internal ip i guess

Thank you .

Re: ASA 5508

Daniele Giordano — Wed, 20 Jun 2018 12:25:12 GMT

Hi,

object network x.x.x.14 ---- is the internal ip i guess <= yes

and the message WARNING: Pool () overlap with existing pool is just a warning.

Anyhow you can remove the ip x.x.x.14 from the existing pool and create a new one if necessary.

Re: ASA 5508

Angelos — Tue, 26 Jun 2018 06:05:16 GMT

Thank you for you replies and sorry for them late response .

So here is what i got now

object network xxxxx
nat (outside,DMZ) static 10.x.x.14
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.14
object network xxxxx
nat (outside,DMZ) static 10.x.x.13
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
access-group Out-DMZ in interface outside
access-group DMZ_acl in interface DMZ
access-group DMZ-inside in interface inside

For some reason the x.13 to x.13 Nat is working.

The x.14 to x.14 is not any ideas ?

Am i missing something ?

Re: ASA 5508

Florin Barhala — Tue, 26 Jun 2018 09:18:47 GMT

I think when you use:

object network xxxxx
nat (outside,DMZ) static 10.x.x.14

then
object network xxxxx
nat (outside,DMZ) static 10.x.x.13

this cannot work as you already allocated outside ports to 10.x.x.14, hence no ports available also for 10.x.x.13
Here's what I would do:
- remove
object network xxxxx
nat (outside,DMZ) static 10.x.x.13

- check the output of show run nat | 151.x.x.13
the right output should list only the related config from this
object network xxxxx
nat (DMZ,outside) dynamic 151.x.x.13
If you see more lines, just see what other NAT config is using 151.x.x.13

If all is OK so far, then you should be able to have from DMZ to outside Internet access, as long as you permit this on the ACL DMZ_acl

Re: ASA 5508

Angelos — Wed, 27 Jun 2018 12:20:08 GMT

mm it make's sense but what i realy want is that the 2 internal ip address translated to the 2 public ip address .Each one on its own the .13 to .13 and .14 to .14 .Can it be done ?.

Now it works with the .13 if i reload the Asa is goes ether to 13 or to 14 and i dont want that ,

Thank you for your time.

Re: ASA 5508

Angelos — Thu, 28 Jun 2018 09:06:06 GMT

Guys any ideas?