ASA 9.1 Nat internal Subnet to another External IP

dney
Level 1

I'm very new to the 9.1 code and struggling with the new NAT translation. I'll try to explain the best I can what I'm wanting to do. For testing I can do everything via CLI or ASDM, but in the end I will have to convert any command over to Cisco Security Manager because that is what we use to manage all our firewalls.

Currently we have a public IP address, let's say x.x.x.5. I have another public IP x.x.x.6 that I want all my internal workstations to use for going out to the Internet. Basically when I go to whatsmyip from a workstation I want it to show x.x.x.6.

Normally in 8.2 code I would use a pool on the public interface with x.x.x.6 and assign the internal subnets to it. However in 9.1 code it's not as simple, at least from what I'm seeing.

What I would like to do is something like this:

     Private Interface subnet 172.28.0.0 (LAN1) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)

     Private Interface subnet 172.27.0.0 (LAN2) to access the Internet via Public interface nat x.x.x.6 (Public_Nat)

Here is my current nat:

nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat

Here is the packet-trace, and as you can see in Phase 3 NAT bypasses my rule and uses per-session.

firewall01# packet-tracer input private tcp 172.28.2.1 1024 8.8.8.8 2334

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         public

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_private in interface private
access-list CSM_FW_ACL_private extended permit ip object Server_Vlan any4
access-list CSM_FW_ACL_private remark Allow All Traffic on the Internet Vlan outbound
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPSTraffic
match any
policy-map CSM_PM_1
class IPSTraffic
  ips inline fail-open
service-policy CSM_PM_1 interface public
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 244, packet dispatched to next module

Result:
input-interface: private
input-status: up
input-line-status: up
output-interface: public
output-status: up
output-line-status: up
Action: allow

Any help would be appreciated!

1 Accepted Solution

jumora
Level 7

Here is the correct configuration:

enable
config t
no nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat
object network Public_Nat_6
 host X.X.X.6
nat (private,public) after-auto source dynamic any Public_Nat_6

Value our effort and rate the assistance!

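An added example (editor's, not jumora's or Cisco's configuration) to show why the original rule did nothing and how to scope the fix more tightly. The OP's `nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat` is a twice NAT identity rule that only matches packets whose destination is the Public_Nat object (x.x.x.6), so a packet to 8.8.8.8 never matched it; that is why the NAT phases in the packet-tracer output have an empty Config: section and the source address was left untranslated. The accepted answer solves this with a section-3 (after-auto) dynamic PAT from `any`. The variant below instead attaches object NAT to the OP's existing LAN1 and LAN2 objects, keeping them separate as the follow-up reply suggests and translating only those two subnets rather than anything arriving on the private interface. The /16 masks are assumptions (the thread gives only the network addresses), and X.X.X.6 is the thread's own placeholder.

```cisco
! Added example, not the thread's own configuration.
! Assumes LAN1 = 172.28.0.0/16 and LAN2 = 172.27.0.0/16; only the network
! addresses appear in the thread. X.X.X.6 stands for the real public address.

! Remove the identity rule that only matched traffic destined to Public_Nat
no nat (private,public) source static LAN1 LAN1 destination static Public_Nat Public_Nat

! The public address both subnets should appear from
object network Public_Nat_6
 host X.X.X.6

! Object NAT (auto NAT, section 2): each internal subnet gets its own dynamic
! PAT rule, scoped to that subnet instead of "any". LAN1 and LAN2 are the OP's
! existing objects; the subnet lines set the assumed masks.
object network LAN1
 subnet 172.28.0.0 255.255.0.0
 nat (private,public) dynamic Public_Nat_6

object network LAN2
 subnet 172.27.0.0 255.255.0.0
 nat (private,public) dynamic Public_Nat_6

! Verify: the rule table should list both object NAT rules with hit counts,
! and a trace from a LAN1 host to an Internet address should now show the
! dynamic rule in the NAT phase and the source translated to X.X.X.6.
show nat detail
packet-tracer input private tcp 172.28.2.1 1024 8.8.8.8 443
```

Object NAT rules sit in section 2 of the NAT table, after any remaining manual (twice) NAT rules in section 1, so if other `nat (private,public) source ...` rules are still present, `show nat` will show the order in which they are matched and which one a given flow hits. Translating only the two LAN objects rather than `any` means a host on an unexpected subnet behind the private interface is not silently PATed out through x.x.x.6.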

3 Replies


Jumora,

Thank you for the quick reply, I have tried your config and it looks like you have put me on the right track.  Really appreciate the help!

I am sorry, but I am not CSM knowledgeable; if you reverse engineer the configuration, it should be something similar to what you see in the ASDM. Regarding the objects, I would suggest keeping them separate.

Value our effort and rate the assistance!