11-22-2012 10:53 AM - edited 03-11-2019 05:26 PM
ASA is running 8.4.
Internal interface: 172.16.1.1
External interface: 172.16.2.1
Routing to 192.168.0.0 via internal host.
I've got some static NATs, e.g:
object network obj-192.168.0.1
nat (inside,outside) static obj-172.16.2.1
object network obj-192.168.0.3
nat (inside,outside) static obj-172.16.2.2
I also want an internal NAT, but only for certain external hosts, so that when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254) has its source changed to 172.16.1.100.
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
But its source remains unchanged.
What am I missing?
Thanks,
Chris
11-25-2012 01:24 PM
Apparently the object NAT is executed before the obj-172.16.2.254 one, which is a twice NAT. You can check the order in the NAT rule table with the "show run nat" or "show xlate" command. (The documentation says twice NAT usually goes in the first section, so it's a bit strange.) However, fixing the order won't help you either, as object NAT is not suitable for changing both the source and destination address in a packet. You will need to remove the object NATs and formulate twice NAT rules containing the desired behaviour. Something like this:
nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1 dest static obj-172.16.1.100 obj-172.16.2.254
nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2 dest static obj-172.16.1.100 obj-172.16.2.254
nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1
nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2
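To see why the single (outside,inside) source rule leaves the source untouched while the four rules above change both addresses, here is a small model of how the ASA walks its manual (twice) NAT table. This is an added example written for this page, not Cisco code and not a full ASA NAT engine: it assumes only section 1 (manual NAT) matters, since the answer removes the object NATs; that rules are tried in configuration order and the first match decides the whole translation; that static rules are bidirectional; and that the destination clause lists the mapped object before the real one, as in the ASA syntax. The "before" table uses the two rules the packet-tracer output shows, in the order that output hits them, which is an assumption about the real rule order.

```python
"""
Minimal model of ASA 8.3+ manual (twice) NAT evaluation, built to reproduce
the symptom in the thread and the effect of the accepted fix.

Assumptions (not from the page):
- only section 1 (manual NAT) is modelled; object NAT is ignored;
- rules are evaluated in configuration order and the first match decides
  both the source and the destination translation;
- 'static' rules are bidirectional: a packet entering on the mapped
  interface is matched against the mapped addresses and untranslated;
- the destination clause lists the MAPPED object first, then the REAL one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object table constructed from the object names used in the thread.
OBJECTS = {
    "obj-192.168.0.1": "192.168.0.1",
    "obj-192.168.0.3": "192.168.0.3",
    "obj-172.16.2.1": "172.16.2.1",
    "obj-172.16.2.2": "172.16.2.2",
    "obj-172.16.1.100": "172.16.1.100",
    "obj-172.16.2.254": "172.16.2.254",
}


@dataclass
class TwiceNat:
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None   # None means "destination any, left unchanged"
    real_dst: Optional[str] = None


def parse_nat(line: str) -> TwiceNat:
    """Parse 'nat (real,mapped) source static R M [dest[ination] static MD RD]'."""
    t = line.split()
    if t[0] != "nat" or t[2:4] != ["source", "static"]:
        raise ValueError(f"not a static twice-NAT rule: {line}")
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    rule = TwiceNat(real_ifc, mapped_ifc, OBJECTS[t[4]], OBJECTS[t[5]])
    if len(t) > 6:
        if t[6] not in ("destination", "dest") or t[7] != "static":
            raise ValueError(f"unsupported destination clause: {line}")
        rule.mapped_dst, rule.real_dst = OBJECTS[t[8]], OBJECTS[t[9]]
    return rule


def translate(rules: List[TwiceNat], ingress: str, src: str, dst: str
              ) -> Optional[Tuple[str, str, str, int]]:
    """Return (egress_ifc, new_src, new_dst, rule_index) from the first
    matching rule, or None when no manual NAT rule applies."""
    for i, r in enumerate(rules):
        # Forward direction: the packet enters on the real interface.
        if ingress == r.real_ifc and src == r.real_src \
           and (r.mapped_dst is None or dst == r.mapped_dst):
            new_dst = r.real_dst if r.mapped_dst is not None else dst
            return (r.mapped_ifc, r.mapped_src, new_dst, i)
        # Reverse direction: the packet enters on the mapped interface.
        if ingress == r.mapped_ifc and dst == r.mapped_src \
           and (r.real_dst is None or src == r.real_dst):
            new_src = r.mapped_dst if r.real_dst is not None else src
            return (r.real_ifc, new_src, r.real_src, i)
    return None


# Rule table as the packet-tracer output shows it: the (inside,outside) rule
# for 192.168.0.3 is hit first, and the (outside,inside) source rule sits
# after it (assumed order; the thread does not show "show nat").
BEFORE = [parse_nat(l) for l in (
    "nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2",
    "nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100",
)]

# The accepted answer's rule set: source+destination rules first, plain ones after.
AFTER = [parse_nat(l) for l in (
    "nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1 dest static obj-172.16.1.100 obj-172.16.2.254",
    "nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2 dest static obj-172.16.1.100 obj-172.16.2.254",
    "nat (inside,outside) source static obj-192.168.0.1 obj-172.16.2.1",
    "nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2",
)]

if __name__ == "__main__":
    pkt = ("outside", "172.16.2.254", "172.16.2.2")
    print("before:", translate(BEFORE, *pkt))   # src stays 172.16.2.254, dst -> 192.168.0.3
    print("after: ", translate(AFTER, *pkt))    # src -> 172.16.1.100, dst -> 192.168.0.3
    print("other: ", translate(AFTER, "outside", "172.16.2.50", "172.16.2.2"))  # src left alone
```

In the "before" table the untranslate rule for 172.16.2.2 matches the packet first and, carrying no destination clause, leaves the source as it arrived; the later (outside,inside) rule is never consulted. In the "after" table the rule that matches carries both halves, so 172.16.2.254 becomes 172.16.1.100 in the same lookup that maps 172.16.2.2 back to 192.168.0.3, while any other external host falls through to the plain rules and keeps its address. On a real ASA, confirm the order with `show nat` and the resulting translation with `packet-tracer`, since the model above does not account for object NAT or for existing xlates.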
11-22-2012 11:34 AM
Hello,
The NAT looks good. Can you run a packet tracer?
packet-tracer input outside tcp 172.16.2.254 1025 192.168.0.5 80
You can also try it backwards:
nat (inside,outside) 1 source static obj-172.16.1.100 obj-172.16.2.254
Regards,
Felipe.
11-22-2012 12:38 PM
Thanks for the reply.
Packet tracer output below.
The source should be NAT'd from 172.16.2.254 to 172.16.1.100, according to my NAT rule:
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
To see the source address I'm running tcpdump on the destination host. I'm also debugging packets on an intermediate router. Both of these show the source isn't being NAT'd:
*Mar 1 02:00:06.151: IP: tableid=0, s=172.16.2.254 (FastEthernet0/1), d=192.168.0.3 (FastEthernet0/0), routed via FIB
*Mar 1 02:00:06.155: IP: s=172.16.2.254 (FastEthernet0/1), d=192.168.0.3 (FastEthernet0/0), g=192.168.6.1, len 104, forward
*Mar 1 02:00:06.155: TCP src=30244, dst=22, seq=3598358716, ack=3412918456, win=2777 ACK
## Packet Tracer:
ASA1#packet-tracer input outside tcp 172.16.2.254 1024 172.16.2.2 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.2.2/22 to 192.168.0.3/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq ssh
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.0.3 obj-172.16.2.2
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 127, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow