ASA: NAT from an external host to an internal server for all traffic

rherud
Level 1

Hi guys,

today I am faced with a NAT issue and want to ask you for your valued advice.

An external host (and only this host) should access the outside interface of the ASA (OS rel. 8.4(7)30), and this should be translated to an internal server for ALL kinds of traffic. (I test with HTTP.)

[Attached image: NAT externer Host auf intenen Server.JPG (diagram: NAT from external host to internal server)]

This translation should only be possible for the external host's IP, because other hosts connect to the outside interface of the ASA too, for AnyConnect etc., and these must not be affected!

I entered an ACL with the real address of the internal server as the destination and tried different NAT commands, but the access failed every time.

The relevant code:

interface Ethernet0/0
 nameif if0
 security-level 0
 ip address 217.x.y.z 255.255.255.248

interface Ethernet0/1
 nameif if1
 security-level 100
 ip address 10.1.1.1 255.254.0.0


object network BABV
  host 141.a.b.c

object network BABV-Server
  host 10.1.6.121


! BABV is defined above as a network object, so the ACL must reference it with "object", not "object-group"
access-list if0_access_in extended permit ip object BABV object BABV-Server

nat (if1,if0) source static BABV-Server BABV

The NAT command is most likely wrong, but I tried a lot of other variants and all failed.

Let's assume that no other NAT command is configured on the ASA.

Can someone tell me the correct NAT-command for this situation or what's to do to get this working?

Thanks a lot for all your hints!

Bye

Rico

3 Replies

Rahul Govindan
VIP Alumni

You cannot use the ASA's outside interface for 1-1 NAT if you also want to use AnyConnect on the ASA. My suggestion is to use another IP address in the outside IP space for the NAT. Or you can reserve the ASA IP address for just certain ports instead of all ports.

 

Hi Rahul,

thanks for your hint!

Are you sure that a 1:1 NAT with the outside interface is not possible if the ASA can recognize the source IP address and only NATs if it is a certain one? The host with this source IP does not use AnyConnect. Theoretically this should be possible. Otherwise it is a limitation of the ASA(?)

Thanks!

Bye
Rico

Hi,

It seems that @Rahul Govindan is correct, because the ASA will not be able to tell whether a packet is for the ASA itself or needs to be forwarded with 1:1 NAT. In technical terms, NAT will apply to the traffic and forward it to the local LAN. It will not work.

If you use some port forwarding, then it will work.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
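The two options the replies describe, written out as ASA 8.4 twice NAT (manual NAT). This is an added example, not configuration from the thread or from Cisco; it reuses the interface names if0/if1 and the objects BABV and BABV-Server from the original post, and it assumes a spare address 217.x.y.w in the outside /29 (hypothetical) plus the object and service names BABV-Server-public and HTTP, which are mine.

```cisco
! Added example (not from the thread): restrict the translation to one external host.
! Assumed: spare outside address 217.x.y.w (hypothetical), ASA 8.4 manual NAT syntax.

object network BABV
  host 141.a.b.c
object network BABV-Server
  host 10.1.6.121

! Option 1 (all protocols): map a spare outside IP, not the interface IP, so the
! ASA's own listeners (AnyConnect on 217.x.y.z) are untouched.
object network BABV-Server-public
  host 217.x.y.w

! Twice NAT written from the outside host's point of view:
!   source      BABV -> BABV                      identity; only 141.a.b.c matches this rule
!   destination 217.x.y.w -> 10.1.6.121           public address maps to the real server
! Manual NAT rules are bidirectional, so the server's replies are untranslated automatically.
! Any other outside host sending to 217.x.y.w matches no NAT rule and is dropped.
nat (if0,if1) source static BABV BABV destination static BABV-Server-public BABV-Server

! Option 2 (port forwarding only): keep the interface IP but translate just the port(s)
! you need; every other port on 217.x.y.z still terminates on the ASA itself.
object service HTTP
  service tcp destination eq www
nat (if0,if1) source static BABV BABV destination static interface BABV-Server service HTTP HTTP

! Interface ACL: post-8.3 ACLs are written with the REAL (untranslated) destination.
! BABV is a network object, so it is referenced with "object", not "object-group".
access-list if0_access_in extended permit ip object BABV object BABV-Server
access-group if0_access_in in interface if0

! Verify from the CLI:
!   show nat detail
!   packet-tracer input if0 tcp 141.a.b.c 12345 217.x.y.w 80
```

With both rules present, the first matching manual NAT rule wins: traffic from 141.a.b.c to 217.x.y.w hits option 1 for any protocol, while traffic from the same host to the interface address is only translated for TCP/80. Run packet-tracer with a different source address to confirm that hosts other than BABV are not translated.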