ASA 5510 Network address translation through an internal network.

michaelzahn
Level 1

Is it possible to perform static NATs through an internal network?

Here's my situation: I have an ASA 5510 with a public outside interface (let's call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900M, with that interface configured with 192.168.1.1 (no switching). On the 4900M I have several VLANs, one of them an internal DMZ of sorts (192.168.2.0/24). Within this DMZ network are several web servers which need to be associated with a public IP address (68.68.68.x).

Every time I configure a static NAT associating a public IP address with an internal IP address within the DMZ, Packet Tracer on the ASA informs me that the packet gets dropped at the static NAT, and I cannot figure out why this is so.

Suffice it to say my question still stands: is it possible to NAT (68.68.68.222 to 192.168.2.60) given the configuration above, and how would I go about configuring it in such a manner that I can apply a static NAT through the 192.168.1.0 network to reach the 192.168.2.0 network?

Any help on this matter is greatly appreciated. Thank you.

11 Replies

That can be easily done. All you need is:

1) your static translation
2) an ACE allowing the incoming traffic
3) a route from the firewall to the switch for the 192.168.2.0 network.

For more help on configuring that, please share the version of your ASA or even better your actual config.


Sent from Cisco Technical Support iPad App

Michal Garcarz
Cisco Employee

Hi Michael,

It should work.

Paste the results of:

sh int ip brief
sh nameif
sh run nat
sh run static
sh run global

and also the packet tracer result.

---

Michal

rizwanr74
Level 7

Hi Michael,

Yes, it is possible.

Let's say you have an ACL configured on the outside interface of your ASA, with the name outside-allow-in:

access-list outside-allow-in extended permit ip any host 68.68.68.222

Now this ACL is applied on the outside interface on your ASA as shown below.

access-group outside-allow-in in interface outside

Now create a static-nat as shown below.

static (dmz,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255

At last, please make sure to add a static route to push traffic for "192.168.2.0 netmask 255.255.255.0" to the peering address, i.e. 192.168.1.1, as shown below.

Made correction.

route inside 192.168.2.0 255.255.255.0 192.168.1.1

Hope that helps.

Thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

Wouldn't the static nat read static(inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255 ?

In your case the static is (inside,outside). But for a "real" DMZ you should consider terminating the VLAN on a subinterface on the ASA, to have more control over the network that is directly reachable through the internet.


Sent from Cisco Technical Support iPad App

"Wouldn't the static nat read static(inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255 ?"

Yes, that is correct, "static (inside,outside)", if you want to traverse traffic to inside.

thanks

Rizwan Rafeek

The following was applied:

static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255

access-group outside_access_in in interface outside

route inside DMZ-network (which is 192.168.2.0 255.255.255.0) 192.168.1.1

When I try to access the server 192.168.2.60 from the outside I do not get a response. I ran Packet Tracer on the firewall with interface outside, source IP address 68.68.68.222, destination IP address 192.168.2.60.

Config:
static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255
  match ip inside host 192.168.2.60 outside any
    static translation to 68.68.68.222
    translate_hits = 91, untranslated_hits = 12

More information, as requested:

csc# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.2     YES CONFIG up                    up
Ethernet0/1                172.16.2.3      YES CONFIG up                    up
Ethernet0/2                192.168.12.1    YES CONFIG up                    up
Ethernet0/3                68.68.68.1      YES CONFIG up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.19.1    YES manual administratively down down

csc-ssm# sh nameif
Interface                Name                     Security
Ethernet0/0              inside                   100
Ethernet0/1              %^&*%$                   100
Ethernet0/2              @#$%&*()                  30
Ethernet0/3              outside                    0
Management0/0            management               100

nat (inside) 0 access-list nat0
nat (inside) 1 serverNET 255.255.255.0
nat (inside) 1 Server 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
nat (inside) 1 CorpVPN 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (Eng) 0 access-list ENG_nat0_outbound
nat (Eng) 1 172.16.2.0 255.255.255.0
nat (WiFi-Guest) 1 192.168.12.0 255.255.255.0
global (ENG) 2 172.16.2.10-172.16.2.50 netmask 255.255.255.0
global (outside) 1 interface

Can you post the output from ACL "outside_access_in"?

thanks

This is the whole outside_access_in currently active.

#   Enabled   Source   Destination              Service                      Action   Logging
1   True      any      68.68.68.1 (interface)   icmp/echo, icmp/echo-reply   Permit   Default
2   True      any      68.68.68.1               icmp/time-exceeded           Permit   Default
3   True      any      68.68.68.1               ip                           Permit   Default
4   True      any      68.68.68.1               icmp/unreachable             Permit   Default
6   True      any      any                      ip                           Permit   Default
9   True      any      68.68.68.222             ip                           Permit   Default

Make sure that you

a) don't have the needed communication in your nat0-ACL
b) have "inspect icmp" in your service policy if you only test with icmp/echo.


Sent from Cisco Technical Support iPad App
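Added example, not from the thread or from Cisco: a small Python checker that parses pre-8.3 ASA config lines and verifies the three prerequisites listed in the replies above (the static, an ACE in an ACL applied inbound on the outside interface, and a route out the inside interface that covers the real host), plus the nat 0 overlap caveat from the last reply. The config text, the function names and the checker's reading of the nat 0 ACL (source side only) are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample in pre-8.3 ASA syntax (hypothetical; not the poster's real config).
SAMPLE_CONFIG = """\
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.8.0.0 255.255.255.0
access-list outside_access_in extended permit ip any host 68.68.68.222
access-group outside_access_in in interface outside
nat (inside) 0 access-list nat0
static (inside,outside) 68.68.68.222 192.168.2.60 netmask 255.255.255.255
route inside 192.168.2.0 255.255.255.0 192.168.1.1
"""

def _covers(addr, a, b):  # does addr match an ACL/route address pair: 'any', 'host X' or 'net mask'?
    if a in ("any", "host"):
        return a == "any" or addr == ipaddress.ip_address(b)
    try:
        return addr in ipaddress.ip_network(f"{a}/{b}", strict=False)
    except ValueError:  # object-groups and other tokens are not resolved here
        return False

def check_static_nat(config, mapped_ip):
    """Check the thread's three prerequisites for one static NAT, plus the nat 0 caveat."""
    lines = config.splitlines()
    out = {"static": None, "ace": False, "route": False, "nat0_overlap": False}
    # 1) the static translation: static (real_if,mapped_if) mapped_ip real_ip netmask ...
    for line in lines:
        m = re.match(r"static \(([\w-]+),([\w-]+)\) (\S+) (\S+) netmask", line)
        if m and m.group(3) == mapped_ip:
            out["static"] = {"real_if": m.group(1), "mapped_if": m.group(2), "real_ip": m.group(4)}
    if out["static"] is None:
        return out
    st, real_ip = out["static"], ipaddress.ip_address(out["static"]["real_ip"])
    # 2) an ACE permitting the mapped (translated) address, in an ACL applied inbound on the mapped interface; "permit ip any any" also counts
    applied = [l.split()[1] for l in lines if l.startswith("access-group ") and l.endswith(f"in interface {st['mapped_if']}")]
    for line in lines:
        m = re.match(r"access-list (\S+) extended permit \S+ (?:any any|.* host (\S+))$", line)
        if m and m.group(1) in applied and m.group(2) in (None, mapped_ip):
            out["ace"] = True
    # 3) a route out the real interface whose prefix covers the real host (next hop is the switch)
    for line in lines:
        m = re.match(r"route (\S+) (\S+) (\S+) \S+", line)
        if m and m.group(1) == st["real_if"] and _covers(real_ip, m.group(2), m.group(3)):
            out["route"] = True
    # caveat from the last reply: a nat 0 (exemption) ACL that also matches the real host as source takes precedence over the static
    nat0 = [l.split()[4] for l in lines if re.match(r"nat \(\S+\) 0 access-list ", l)]
    for line in lines:
        m = re.match(r"access-list (\S+) extended permit \S+ (\S+) (\S+)", line)
        if m and m.group(1) in nat0 and _covers(real_ip, m.group(2), m.group(3)):
            out["nat0_overlap"] = True
    return out
```

Run it as `check_static_nat(SAMPLE_CONFIG, "68.68.68.222")`; any False entry (or a True nat0_overlap) names the missing piece from the replies above.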
