Solved: ASA 8.4 NAT on outside and inside for certain external hosts

c.andrew · ‎11-22-2012

ASA is running 8.4.

Internal interface: 172.16.1.1

External interface: 172.16.2.1

Routing to 192.168.0.0 via internal host.

I've got some static NATs, e.g:

object network obj-192.168.0.1

nat (inside,outside) static obj-172.16.2.1

object network obj-192.168.0.3

nat (inside,outside) static obj-172.16.2.2

I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.

nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100

But it's source remains unchanged.

What am I missing?

Thanks,

Chris

Peter Koltl · ‎11-25-2012

Apparently the object NAT is executed before the obj-172.16.2.254 which is a twice NAT. You can check the order in the NAT rule table by "show run nat" or "show xlate" command. (The documentation says usually twice NAT goes in first section so it's a bit strange.) However, fixing the order won't help you either as object NAT is not suitable for changing both the source and destination address in a packet. You will need to remove object NATs and formulate twice NAT rules containing the desired behaviour. Something like this:

nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1 dest static obj-172.16.1.100 obj-172.16.2.254

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2 dest static obj-172.16.1.100 obj-172.16.2.254

nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2

View solution in original post

lcambron · ‎11-22-2012

Hello,

The NAT looks good, Can you run a packet tracer?

packet in outside tcp 172.16.2.254 1025 192.168.0.5 80

You can also try it backwards:

nat (inside,outside) 1 source static obj-172.16.1.100 obj-172.16.2.254

Regards,

Felipe.

c.andrew · ‎11-22-2012

Thanks for the reply.

Packet tracer output below.

The source should be NAT'd from 172.16.2.254 to 172.16.1.100, according to my NAT rule:

nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100

To see the source address I'm running tcpdump on the destination host. I'm also debugging packets on an intermediate router. Both of these show the source isn't been NAT'd:

*Mar 1 02:00:06.151: IP: tableid=0, s=172.16.2.254 (FastEthernet0/1), d=192.168.0.3 (FastEthernet0/0), routed via FIB

*Mar 1 02:00:06.155: IP: s=172.16.2.254 (FastEthernet0/1), d=192.168.0.3 (FastEthernet0/0), g=192.168.6.1, len 104, forward

*Mar 1 02:00:06.155: TCP src=30244, dst=22, seq=3598358716, ack=3412918456, win=2777 ACK

## Packet Tracer:

ASA1#packet-tracer input outside tcp 172.16.2.254 1024 172.16.2.2 22

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2

Additional Information:

NAT divert to egress interface inside

Untranslate 172.16.2.2/22 to 192.168.0.3/22

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any eq ssh

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 127, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Peter Koltl · ‎11-25-2012

Apparently the object NAT is executed before the obj-172.16.2.254 which is a twice NAT. You can check the order in the NAT rule table by "show run nat" or "show xlate" command. (The documentation says usually twice NAT goes in first section so it's a bit strange.) However, fixing the order won't help you either as object NAT is not suitable for changing both the source and destination address in a packet. You will need to remove object NATs and formulate twice NAT rules containing the desired behaviour. Something like this:

nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1 dest static obj-172.16.1.100 obj-172.16.2.254

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2 dest static obj-172.16.1.100 obj-172.16.2.254

nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1

nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2