Welcome to Cisco Firewalls Community
Beginner

Access another host on same subnet through Nat'd IP address

I appreciate any help in advance. I have a requirement to monitor a host's external IP address. The monitoring host (host A) initiating the request is located in the same DMZ subnet as the destination host (host B) I want to monitor; both are NAT'd to external IP addresses. I was expecting to see a request going out from host A, getting NAT'd to its respective external IP address and then coming back in through the external interface to reach the NAT'd IP address of host B. Is this how NAT will be handled by the ASA, or am I missing something here? Thanks again.

Cisco Employee

Borman,

It's more complicated than that; consider the following scenario:

                               20.20.20.0/24
         ASA ------------------------------------- Internet
          | (DMZ)
        Switch
          |                |
        Host A           Host B
       10.1.1.10        10.1.1.100
                        20.20.20.20 (NAT outside address)

Basically you want to monitor host B using its public IP address. Normally your NAT configuration (in the case of version 8.2 and prior) would be something like this:

static (DMZ,outside) 20.20.20.20 10.1.1.100 netmask 255.255.255.255
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

When going from host A to host B, two translations should occur. First is the untranslate from 20.20.20.20 to 10.1.1.100 (by an internal process of the ASA); once it is untranslated, the route lookup comes into play. The firewall notices that the destination is on the same interface as the source of the packet, so we reach our first impasse: the ASA does not allow same-security traffic by default. We overcome this with the following command:

same-security-traffic permit intra-interface

Now that that is done, we move to the next step of packet processing: the ASA checks whether there is any NAT translation for a packet coming from the DMZ and going to the same DMZ. As you can see there is a "nat (DMZ) 1 0.0.0.0 0.0.0.0", which tells the firewall that everything coming from the DMZ should be translated. We hit that NAT, and since the outgoing interface is the same as the source interface (DMZ) there is no matching global command, hence you will see an error that states "No translation group found". Here is how we overcome that issue:

global (DMZ) 1 interface

This will translate requests from the DMZ interface going to that same interface to the DMZ interface IP address. On the server 10.1.1.100 the connection will be seen as if it came from the firewall, so the reply packets are sent to the firewall again, hence avoiding asymmetric routing.

If running version 8.3 or higher, the concept is the same, but the commands change a bit.

8.3

same-security-traffic permit intra-interface
object network Server_Public
 host 20.20.20.20
object network Server_Private
 host 10.1.1.100
object network Any
 subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private

So, bottom line, the configuration needed on 8.2:

same-security-traffic permit intra-interface
global (DMZ) 1 interface

Configuration for 8.3:

same-security-traffic permit intra-interface
object network Server_Public
 host 20.20.20.20
object network Server_Private
 host 10.1.1.100
object network Any
 subnet 0.0.0.0 0.0.0.0
nat (DMZ,DMZ) source dynamic Any interface destination static Server_Public Server_Private

Hope this helps a bit.

Mike
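The packet walk in the reply above (untranslate, route lookup, intra-interface check, then the dynamic NAT/global lookup on the egress interface) replayed in code, as an added illustration that is not part of the original post and is not Cisco's code. It parses a constructed 8.2-style config for the four command shapes that matter here and runs host A's packet to host B's public address through three configs: the starting point, with intra-interface traffic permitted, and with the DMZ global added. The interface addresses (DMZ 10.1.1.1/24, outside 20.20.20.1/24) and the assumption that nat-control is off are mine, not from the post.

```python
"""Replay the 8.2 NAT steps described in the reply for a DMZ-to-DMZ hairpin.

Added illustration, not code from the post or from Cisco. A constructed
config string is parsed for static, nat, global and same-security-traffic
lines, and a packet is walked through: untranslate the destination, route
lookup, the intra-interface check, then the dynamic NAT / global lookup.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed interface addressing (not given in the post); used for the route
# lookup and for the address that "global (ifc) N interface" maps sources to.
INTERFACES = {
    "DMZ": ipaddress.ip_interface("10.1.1.1/24"),
    "outside": ipaddress.ip_interface("20.20.20.1/24"),
}

# Constructed configs: the starting point, then each fix from the reply added in turn.
BASE_CONFIG = """
static (DMZ,outside) 20.20.20.20 10.1.1.100 netmask 255.255.255.255
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
WITH_INTRA = BASE_CONFIG + "same-security-traffic permit intra-interface\n"
WITH_HAIRPIN = WITH_INTRA + "global (DMZ) 1 interface\n"


@dataclass
class Asa82Config:
    intra_interface: bool = False
    statics: dict = field(default_factory=dict)   # mapped_ip -> real_ip
    nats: list = field(default_factory=list)      # (real_ifc, nat_id, network)
    globals: dict = field(default_factory=dict)   # (mapped_ifc, nat_id) -> pool


def parse_config(text):
    """Keep only the NAT-relevant lines; everything else is ignored."""
    cfg = Asa82Config()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg.intra_interface = True
        elif m := re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask \S+)?", line):
            cfg.statics[m.group(3)] = m.group(4)          # mapped -> real
        elif m := re.fullmatch(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            cfg.nats.append((m.group(1), int(m.group(2)), net))
        elif m := re.fullmatch(r"global \((\S+)\) (\d+) (\S+)", line):
            cfg.globals[(m.group(1), int(m.group(2)))] = m.group(3)
    return cfg


def process(cfg, in_ifc, src, dst):
    """Return (verdict, translated_src, translated_dst, egress_ifc) for one packet."""
    src_ip = ipaddress.ip_address(src)
    # 1. Untranslate: a destination that is a static's mapped address becomes the real address.
    real_dst = ipaddress.ip_address(cfg.statics.get(dst, dst))
    # 2. Route lookup on the untranslated destination (connected routes only here).
    out_ifc = next((n for n, i in INTERFACES.items() if real_dst in i.network), None)
    if out_ifc is None:
        return ("dropped: no route", None, None, None)
    # 3. Same ingress and egress interface needs same-security-traffic permit intra-interface.
    if out_ifc == in_ifc and not cfg.intra_interface:
        return ("dropped: intra-interface traffic not permitted", None, None, out_ifc)
    # 4. Dynamic NAT: a matching "nat (ingress) N ..." needs a "global (egress) N ..." partner.
    nat_id = next((nid for ifc, nid, net in cfg.nats if ifc == in_ifc and src_ip in net), None)
    if nat_id is None:
        # Assumption: nat-control is off, so unmatched sources pass untranslated.
        return ("forwarded untranslated", src, str(real_dst), out_ifc)
    pool = cfg.globals.get((out_ifc, nat_id))
    if pool is None:
        return ("dropped: no translation group found", None, str(real_dst), out_ifc)
    new_src = str(INTERFACES[out_ifc].ip) if pool == "interface" else pool
    return ("forwarded", new_src, str(real_dst), out_ifc)


def hairpin_results():
    """Host A -> host B's public address under each of the three configs."""
    return {
        name: process(parse_config(text), "DMZ", "10.1.1.10", "20.20.20.20")
        for name, text in [("base", BASE_CONFIG), ("intra", WITH_INTRA), ("hairpin", WITH_HAIRPIN)]
    }


if __name__ == "__main__":
    for name, result in hairpin_results().items():
        print(f"{name:8s} -> {result}")
```

Only the third config forwards the packet, and it does so with the source rewritten to the DMZ interface address and the destination to 10.1.1.100, which is why host B answers back through the firewall rather than directly to host A. On a real ASA the same walk is shown by `packet-tracer input DMZ tcp 10.1.1.10 12345 20.20.20.20 80`, which reports the NAT and same-security phases the model above approximates.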
Beginner

Thanks for the detailed explanation, Maykol. I'll try this, thanks.