Nat-translation from Outside to Inside on ASA?

CiscoPurpleBelt
Level 6

If I have the below, are hosts trying to reach this subnet from Outside automatically untranslated, correct?
object network Natted_Hosts
subnet 200.10.10.0 255.255.255.0
nat (any,outside) dynamic interface

10 Replies

GRANT3779
Spotlight
Hi There,
The NAT you have configured above will PAT 200.10.10.0/24 to your Outside interface IP for traffic leaving the Outside interface.

Return traffic flows would be "unpatted" and allowed. No one from the Outside would be able to initiate a connection to the 200.10.10.0/24 based on the provided NAT alone.

Yes, meaning I would just put a statement on the OUTSIDE ACL allowing the subnets I want allowed to the REAL 200.10.10.0 IP, correct?

Hi, 

That NAT (dynamic) is unidirectional. If you wanted hosts accessible to the Outside, you would need to set up a static NAT, which is bidirectional. You would also, as you say, need relevant ACL entries allowing traffic.

I'm assuming you don't want a whole /24 accessible to the Outside? If you only have 1 public IP available, e.g. your Outside interface, then you could set up port forwarding for various hosts on your Inside network.

Yes, I need the whole subnet accessible from certain subnets on the Outside. So change the "dynamic" to "static" in my statement?

I am also getting "Asymmetric NAT rules matched for forward and reverse flows" in the logs.

Wasn't aware there were other NATs etc.

 

Might be best posting a sanitised config and what it is you're trying to achieve, and I'm sure we can provide some advice.

Kindly, if possible, upload the config so we can help you.

Please do not forget to rate.

Hi my friend, actually a no-NAT rule for the subnets had to be configured.

 

You might have many NAT rules in place; if we suggest one, it could break the other functional NAT. From the above post I see you want to allow a whole subnet to be accessible from outside. Curious if you have any spare public IP addresses, as landing/coming from outside to mapping to (if you have a single IP address) your interested subnet is not a good practice.

 

However, you can change the IP addresses if you think they are sensitive. Remember we are here to help, and to give you good advice to make things work where you get stuck :)

 

As you have a dynamic rule in your NAT, you need to change this to static, as mentioned earlier by GRANT.

I won't recommend this to you unless you do not have any public IP addresses, but here is what the config looks like:

!
object network BlackBelt
 subnet 192.168.100.0 255.255.255.0
!
nat (inside,outside) 1 source static BlackBelt interface
!
access-list outside_in extended permit tcp any 192.168.100.0 255.255.255.0 eq https
(or)
access-list outside_in extended permit tcp any object BlackBelt eq https
!
access-group outside_in in interface outside
!

 

 

You need to narrow down which transport-layer protocols need to be accessed from outside to your inside (interested) subnet.

Please do not forget to rate.

Awesome thanks!

Yes, there are many NAT rules, which were causing the conflict.
No I don't have any other public IPs to use.

I am a bit confused about this statement: "as landing/coming from outside to mapping to (if you have a single IP address) your interested subnet is not a good practice." You mean coming to the real IP addresses/subnet of internal hosts?
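As an added illustration (not code from the thread or from Cisco), the small Python model below reproduces why the original object NAT produced the "Asymmetric NAT rules matched for forward and reverse flows" log and why the no-NAT rule fixed it: a dynamic PAT rule only translates outbound, so an inbound connection to a real 200.10.10.x address matches no rule while its reply does, and the ASA drops it; a manual identity (no-NAT) rule scoped to the permitted outside subnet matches both directions. The partner subnet 198.51.100.0/24 and the rule field names are constructed assumptions, and ACLs are not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass
class NatRule:
    real_ifc: str          # real-side interface ("any" allowed)
    mapped_ifc: str        # mapped-side interface
    real: IPv4Network      # real (pre-NAT) addresses
    mapped: object         # IPv4Network, or "interface" = PAT to the egress address
    static: bool           # static rules are bidirectional, dynamic rules are not
    dest: object = None    # optional destination match (manual / twice NAT only)

def forward_match(rules, src, dst, ingress, egress):
    """First rule whose real side matches a flow leaving the real interface."""
    for r in rules:
        if (r.real_ifc in (ingress, "any") and r.mapped_ifc == egress
                and src in r.real and (r.dest is None or dst in r.dest)):
            return r
    return None

def reverse_match(rules, src, dst, ingress, egress):
    """First rule able to untranslate a new connection arriving on the mapped
    interface. Dynamic rules never match here: they only translate outbound."""
    for r in rules:
        if (r.static and r.mapped_ifc == ingress and r.real_ifc in (egress, "any")
                and r.mapped != "interface" and dst in r.mapped
                and (r.dest is None or src in r.dest)):
            return r
    return None

def check_inbound(rules, outside_src, inside_dst):
    """An outside host opens a connection to an inside real IP. The ASA needs the
    reply to hit the same rule; otherwise it drops the connection and logs the
    asymmetric-NAT message the poster saw (NAT reverse path failure)."""
    outside_src, inside_dst = ip_address(outside_src), ip_address(inside_dst)
    fwd = reverse_match(rules, outside_src, inside_dst, "outside", "inside")
    rev = forward_match(rules, inside_dst, outside_src, "inside", "outside")
    if fwd is rev:
        return True, "forward and reverse flows agree"
    return False, "Asymmetric NAT rules matched for forward and reverse flows"

INSIDE_NET = ip_network("200.10.10.0/24")     # subnet from the thread
PARTNER_NET = ip_network("198.51.100.0/24")   # constructed: outside subnet allowed in
dynamic_pat = NatRule("any", "outside", INSIDE_NET, "interface", static=False)
identity = NatRule("inside", "outside", INSIDE_NET, INSIDE_NET, static=True, dest=PARTNER_NET)
BEFORE = [dynamic_pat]           # the poster's object NAT alone
AFTER = [identity, dynamic_pat]  # manual no-NAT rule (section 1) precedes object NAT
```

Calling `check_inbound(BEFORE, "198.51.100.7", "200.10.10.5")` returns the asymmetric-NAT failure, while the same call against `AFTER` succeeds; an outside host outside the partner subnet still fails against `AFTER`, which is the point of scoping the identity rule with a destination.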