
NAT Question

Legusol
Level 1

Our ISP has issued us two subnets: one is a /30 subnet and the other is a /28. For the sake of this discussion (with false IPs) the /30 is 46.181.101.212/30, with the provider assigned .213 and our WAN on .214. The /28 is 46.181.101.112/28. They are routing the 46.181.101.112/28 to our WAN interface. We have NAT for all users to come from our WAN (46.181.101.214) with a default route pointing to 46.181.101.213.

 

We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with. 

 

Can anyone give us some insight? Thanks!

2 Accepted Solutions

Jon Marshall
Hall of Fame

 

Assuming this is 8.3 or later code, it is probably to do with the ordering of your NAT statements.

 

On 8.3 or later NAT is split into 3 sections and it goes through the sections in order, so what is probably happening is that the traffic outbound is being caught by the wrong NAT statement, and the solution may be as simple as reordering your statements.

 

Have a read of this document which explains the above in more detail and gives some recommendations as to how to configure your NAT statements - 

 

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

Jon

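Putting Jon's ordering point into configuration, as an added example that is not from the original thread or from any of its posters: the catch-all dynamic PAT for users is object NAT and so lives in Section 2, while the server's static translation is written as a twice-NAT rule at line 1 of Section 1, so it is evaluated before the PAT regardless of where the PAT sits. The inside subnet 10.0.0.0/24, the object names, the port 12345 and the destination 203.0.113.10 are assumptions; 10.0.0.25, 46.181.101.118 and the WAN interface are the addresses given in the question.

```cisco
! Catch-all dynamic PAT for all users: object NAT, automatically placed in Section 2
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Specific translation for the one server. A twice-NAT ("source static") rule
! goes in Section 1; the explicit line number 1 pins it to the top of that section,
! so it is matched before any Section 2 object NAT, including the PAT above.
object network SRV-REAL
 host 10.0.0.25
object network SRV-MAPPED
 host 46.181.101.118
nat (inside,outside) 1 source static SRV-REAL SRV-MAPPED
!
! Post-8.3 ACLs reference the real (untranslated) address of the server
access-list OUT-IN extended permit tcp any object SRV-REAL eq 443
access-group OUT-IN in interface outside
!
! Verification: packet-tracer reports the exact NAT rule an outbound flow hits,
! and "show nat detail" prints the rules in the order the ASA evaluates them
packet-tracer input inside tcp 10.0.0.25 12345 203.0.113.10 443 detailed
show nat detail
```

The same result can be had with a static object NAT on SRV-REAL instead of the Section 1 rule, because within Section 2 static rules are always evaluated before dynamic ones; the Section 1 form is shown because it makes the precedence explicit in the configuration. No proxy ARP or address on the outside interface is needed for .118 here, since the question states the ISP routes the whole /28 to the WAN interface. Note that packet-tracer only reports on the source you give it: a real address that does not belong to the host actually sending the traffic will look fine in the trace and still produce the symptom described above.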

We have a server on our internal network using 10.0.0.25. In the case of this one particular server however, we need the external servers to see our traffic residing from 46.181.101.118 (the /28 subnet). So a NAT for inside address 10.0.0.25 to 46.181.101.118. We cannot seem to get this to work. No matter what we add for the NAT the traffic is still seen as coming from 46.181.101.214. We are able to connect into this server from the outside on 46.181.101.118 so it is only how our traffic is seen externally that we are having an issue with.

 

! Real (inside) address of the server
object network REAL
 host 10.0.0.25
!
! Mapped address: the /28 address the question asks for, not the WAN IP .214
object network MAPPED
 host 46.181.101.118
!
! Twice-NAT static rule; lands in Section 1 and is evaluated before object NAT
nat (inside,outside) source static REAL MAPPED
!
! Post-8.3 ACLs reference the real (untranslated) address
access-list OUT-IN extended permit tcp any object REAL eq 443
access-group OUT-IN in interface outside

please do not forget to rate.


5 Replies


Hi Jon, I thought about that previously and created the NAT as a NAT before Network Object and moved it all the way to the top of the list. 

 


 

When I run a packet-tracer test as well, it shows that it should be picking up this NAT.



Legusol
Level 1

This was actually a "stupid" mistake on my part. We are in the process of changing to a new server for this and when I was setting up the NAT I was using the new server inside IP address but I still had the old server relaying the traffic. So in essence, I have the NAT set up correctly, I was just using the wrong IP address for the REAL server. 

 

I just needed an overnight break to realize that!!!

 

Thank you both. I accept both as a resolution, since NAT was the issue and the commands provided by Sheraz were correct. Thank you both!

@Legusol I did notice that wrong IP address in your packet tracer and I was curious why you were doing this. Also, I was tired too and this got overlooked by me; otherwise I would have mentioned it to you.

anyway good to hear all sorted.

please do not forget to rate.