topic Re: NAT in ASA in Network Security

NAT in ASA

Harmeet Singh — Fri, 21 Feb 2020 15:41:30 GMT

I have two zones in firewall Zone-1 and Zone-2.

One Server is connected in Zone-1 192.168.1.15. Two desktop are connected in Zone-2 with different subnet/vlan (Desktop-1 10.14.3.150/24 and Desktop-2 20.14.3.150). Both Desktop are able to reach the Server's original IP.

Is it possible to access Server's both IPs (Original and Natted) from both Desktops at the same time.

Currently there is no NAT configuration in the ASA 9.6

If doing static nat, only one IP is reachable at that time.

Re: NAT in ASA

Marius Gunnerud — Tue, 01 May 2018 09:06:54 GMT

It is possible to do this but it will require NAT in both directions and can become quite complicated / difficult to manage and troubleshoot. I would not recommend doing this unless you have a very good reason for doing so.

You would need to set up two NAT for each PC. One NAT going from the server to the PCs for the NATed IP and one from the PC to the real IP. Using PC 1 as an example, and assuming the interface names on the ASA are zone1 and zone2.

object network PC1_REAL_IP

host 10.14.3.150

object network PC1_NAT_IP

host 11.14.3.15

object network SERVER_REAL_IP

host 192.168.1.15

objecet network SERVER_NAT_IP

host 172.16.1.15

nat (zone1,zone2) source static SERVER_REAL_IP SERVER_NAT_IP destination static PC1_REAL_IP PC1_REAL_IP

nat (zone1,zone2) source static SERVER_REAL_IP SERVER_REAL_IP destination static PC1_NAT_IP PC1_REAL_IP

In this scenario the PC can access the server using both NAT IP and real IP, When using the NAT IP of the server the server sees the PC with the PC's real IP, but when using the server's real IP the server sees the PC with the PCs NATed IP.

Keep in mind that this example only describes the NAT, access lists will still need to be added to allow the traffic.

Re: NAT in ASA

Harmeet Singh — Tue, 01 May 2018 10:32:13 GMT

Hi Marius,

Actually I am upgrading ASA from 8.2 to 8.4.

In 8.2 there are 2 NAT entries:

static (Zone-1,Zone-2) 192.168.1.1 192.168.1.1 netmask 255.255.255.0

static (Zone-1,Zone-2) 172.16.1.15 192.168.1.15 netmask 255.255.255.255

Is it possible to achieve same thing with these two entries.

Re: NAT in ASA

Marius Gunnerud — Tue, 01 May 2018 12:39:42 GMT

They are actually not even require in 8.2 unless you have "nat control" enabled, which I am assuming you have since they are there, or there are other dynamic NATs that you are trying to override. A better solution for 8.2 would be do use NAT exempt statement, but that is for another discussion.

nat control is removed from the configuration as of 8.3 and later. These commands just nat the IP address to itself. Is it possible yes to do in 9.x, ofcourse, but you should have a good reason for doing so.

Re: NAT in ASA

Harmeet Singh — Fri, 04 May 2018 11:03:43 GMT

Hi Marius,

8.2 ASA has an entry:

static (MPLS,SERVER) 10.31.2.0 10.31.2.0 netmask 255.255.255.224

static (DMZ,PRODUCTION) 192.168.13.32 192.168.13.32 netmask 255.255.255.224

If convert same entry in 8.4 it would be:

object network 10.31.2.0
subnet 10.31.2.0 255.255.255.224
nat (MPLS,SERVER) static 10.31.2.0

object network 192.168.13.32

subnet 192.168.13.32 255.255.255.224
nat (DMZ,PRODUCTION) static 192.168.13.32

I am confuse here because in first statement a subnet is natted with network address (10.31.2.0) and in second statement a subnet is natted with single IP (192.168.13.32).

Are above nat statements correct? What will happen during the communication in both statements..

I am trying to override some other dynamic entry hare during migration form 8.2 to 8.4.

Re: NAT in ASA

Marius Gunnerud — Fri, 04 May 2018 12:50:07 GMT

yes, those commands will give the same result as the commands from 8.2 version.