Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
0
Helpful
5
Replies

NAT Challenges

Steven Williams
Level 4
Level 4

‎02-14-2019 04:27 PM - edited ‎02-21-2020 08:49 AM

I think I need a twice nat but i have never done one and its confusing to me. 

 

My scenario is this:

 

Client A = 10.81.113.10

Server B = 10.0.1.4

 

Site A has Client A

Site B has Server B

 

Client A cannot hit Server B on its IP address (real IP). Server B sits behind an ASA. I have created a one to one nat for Client A to hit 172.16.3.4 rather then 10.0.1.4.

 

object network SERVER_EXTERNAL_NAT_IP
host 172.16.3.4
object network SERVER_INTERNAL_IP
host 10.0.1.4

object network SERVER_INTERNAL_IP
nat (inside,outside) static SERVER_EXTERNAL_NAT_IP

 

So from client A to that server communication works. Now here is the issue. Because client A has an application that is set to talk to 172.16.3.4, when Server B makes a connection to Client A it uses its real IP of 10.0.1.4 and the application doesn't understand that. So how do I make sure when the server communicates out to JUST client A that its IP is source IP is 172.16.3.4?

0 Helpful
5 Replies 5

Francesco Molino
VIP Alumni
VIP Alumni

‎02-14-2019 04:39 PM

Hi

You can use the following commands:

 

object network SERVER_EXTERNAL_NAT_IP
host 172.16.3.4
object network SERVER_INTERNAL_IP
host 10.0.1.4

object network CLIENTA

 host x.x.x.x

!
nat (inside,outside) source static SERVER_INTERNAL_IP SERVER_EXTERNAL_NAT_IP destination static CLIENTA CLIENTA no-proxy-arp route-lookup

 

Test it and let me know.

Also, if not working, run the following command and pase the output into a text file:

packet-tracer input inside icmp 10.0.1.4 8 0 x.x.x.x —> where x.x.x.x is client A IP

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-15-2019 05:51 AM

ERROR: Option route-lookup is only allowed for static identity case
0 Helpful

Steven Williams
Level 4
Level 4
In response to Francesco Molino

‎02-15-2019 06:17 AM

I think what I am trying to accomplish is impossible. 

 

Lets say I have Server B at site B, one single network card, 10.0.1.2. Local things connect to 10.0.1.2, but when I create the NAT for Site A to connect to it on 172.16.3.4, the local communication stops working? is it because of the NAT on the firewall?

0 Helpful

venkat_n7
Level 1
Level 1
In response to Steven Williams

‎02-15-2019 07:33 AM - edited ‎02-15-2019 07:34 AM

if it only has one nic card, Yes. it can either support one rule(without NAT or With NAT). to accomplish that, i would do it with two nic cards, one for local network and other for external and add routing rules on the server.

Please rate comments and support
with regards,
Venkat
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Steven Williams

‎02-15-2019 08:20 AM

Yeah sorry for the route-lookup my bad.

However, on which asa you're setting this nat on site B or site A?

Can you share a quick sketch on how everything is setup? What you want to do is possible, now it depends on how and this will depend on your design?
I just assumed a design based on description you gave but maybe I assumed wrong. That's why I'm asking a quick design

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card