topic Re: ASA route-map with nat issue in Network Security

ASA route-map with nat issue

Mohammed Al-odhari — Fri, 21 Feb 2020 15:23:29 GMT

Hi all,

am having 2 issues as below:

am having asa 5508-X ver 9.8, some of the Lan users have to reach internet via outside (OK) interface and some via dmz2(not OK).

Default route is via outside port.

Lan users that go via outside port are determind object-group network LAN-USERS.

My issue is with the users that determined with satellite access list as attached in the configuration.

Their GW is determined with route-map in addition to the below nat

nat (inside,dmz2) dynamic interface

also i used nat (inside,dmz2) soure static SAT-USERS interface

they cannot reach internet?????????

my second issue is:

dspite i configure arp for LAN-USERS as shown in the config, it has no infuence.

I want only the users configured in the object-group network LAN-USERS list in addition to their mac address to access internet via outside port.

hope the above issues are clear and you can help

regards,

Re: ASA route-map with nat issue

Ajay Saini — Thu, 22 Feb 2018 10:19:43 GMT

Hello,

A couple of things we need to fix to start:

1. we need a less preferred route for the dmz2 interface so that traffic can leave the dmz2 interface upon the PBR lookup.

route dmz2 0.0.0.0 0.0.0.0 x.x.x.x 254

2. The static NAT statement below is incorrect because you are trying to statically map multiple source to a specific destination ip address. Either make it dynamic instead of static or define as many destination ip addresses as the source

nat (inside,outside) source static LAN-USERS obj-192.168.0.3

3. I don't think you would require static arp entries, you can remove as per my opinion.

Once the above changes are done, try to run a packet-tracer or take syslogs so that we can see where this is failing.

HTH

Re: ASA route-map with nat issue

Mohammed Al-odhari — Thu, 22 Feb 2018 20:09:20 GMT

Thanks alot Ajay for replaying,

as per the config, Two interfaces has to reach internet, outside and dmz2.

For dmz2,so i want only to add less preferred route as you said in addition to this nat ( nat (inside,dmz2) dynamic interface or nat (inside,dmz2) soure static SAT-USERS interface ) ????

2- for outside, change nat to--> nat (inside,outside) dynamic interface as you suggest or define many destination ip addresses you mean under the obj-192.168.0.3???

3- i dont get your below point three.

i have many hosts defined under object-group network LAN-USERS, about 100 users, to reach the normal default route, is it possible in asa that for this list- mac address must be checked, i mean ,hosts that defined under the LAN-USERS list is to be blocked from internet until their mac addresses is checked?????

thanks for cooperation and will wait for your answers

regards,