Allowing NAT/PAT from router through ASA

derrmart (Cisco Employee)

Hi everyone,

I have a question.

I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? For example:

If I wanted this:

192.168.2.30:1234 to publicIP:1234

192.168.2.31:1234 to publicIP:1235

192.168.2.32:1234 to publicIP:1236

Any thoughts?

6 Replies

eddie.harmoush (Level 1)

It's impossible to NAT multiple IP addresses to ONE IP address and keep the source port consistent. The Firewall/Router uses the source port to determine what server should get the return traffic.

So other than the 192.168.2.30:1234 --> publicIP:1234, the rest is pretty easy to do with a simple dynamic NAT:

nat (inside) 55 192.168.2.0 255.255.255.0
global (outside) 55

The "55" above just ties the "nat" command to the "global" command, feel free to use any you wish.  Keep in mind that this is only one directional.  The hosts on the outside wouldn't be able to use the to access the servers individually.

Afterthought:  I just re-read your post, and I may have misunderstood.  Are you already doing the NAT on the Router and just wish to pass the traffic through on the ASA?  If so, NAT Exemption or Identity NAT is what you need -- or just disable nat-control.

Correct, I am doing NAT currently on the 7100. I am trying to just pass the NAT translations through the ASA. Our situation is we have a small data center that we only have a few clients in at the moment. The ASA is our edge device, and is doing the routing for the data center currently. We have NAT translations on the ASA for other things but need these certain translations to be able to pass through the ASA no issue. If I understand correctly, disabling nat-control will disable it for everything, correct? Is there a way to just allow these translations through?

Thank you for the quick response!

Hi,

Configuration format depends on your firewall software level.

If you want to configure the ASA so that certain hosts with the public NAT IP from the router need to simply bypass any NAT on the ASA then you can configure NAT0 / NAT Exemption / Identity NAT as Eddie stated above.

The command "nat-control" is a global setting.

8.2 and older software level configuration format is:

access-list INSIDE-NAT0 remark Bypass NAT for Internet host
access-list INSIDE-NAT0 permit ip host any
access-list INSIDE-NAT0 permit ip host any
nat (inside) 0 access-list INSIDE-NAT0

8.3 and newer software configuration format is:

object-group network NAT0-SOURCE
 network-object host
 network-object host
nat (inside,outside) source static NAT0-SOURCE NAT0-SOURCE

- Jouni

Jouni,

Thank you for the response.

I will give that a try and see if it works!

For the post 8.3 commands, the nat is in the global config area correct? Or is it under that object?

Thank you,

Derrick

The 8.3+ configuration that I made in the previous reply is a Section 1 Twice NAT / Manual NAT type configuration.

So it's not configured under any "object" but rather uses "object"/"object-group" as its parameters.

One of the reasons for this configuration format is also the fact that this will override any other NAT configurations from matching to this traffic.

Of course the complete picture depends on your current NAT configuration on the ASA.

Also unless you have already done so, confirm that these public NAT IP addresses have routing configured on the upstream ISP router. The ISP has to have a route for these public IP addresses towards the ASA.

- Jouni
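Putting the thread's pieces together as an added example (this is not configuration from any of the posts above): the 7100 holds the static PAT entries the question asked for, and the ASA passes the router's public IP untouched with the identity NAT Jouni described, in both syntaxes, plus the route and inbound ACL the ASA needs and a check for each side. The public IP 203.0.113.10, the router's address 10.0.0.2 on the inside segment, the outside test client 198.51.100.5 and the interface names are assumed placeholders.

```cisco
! --- 7100 router (IOS): static PAT, one entry per server (placeholder public IP)
interface GigabitEthernet0/0
 description toward core switch / ASA inside
 ip nat outside
interface GigabitEthernet0/1
 description server LAN
 ip nat inside
ip nat inside source static tcp 192.168.2.30 1234 203.0.113.10 1234 extendable
ip nat inside source static tcp 192.168.2.31 1234 203.0.113.10 1235 extendable
ip nat inside source static tcp 192.168.2.32 1234 203.0.113.10 1236 extendable
!
! --- ASA, 8.2 and older: NAT exemption for the router's public IP only
! (nat-control stays enabled; the ASA's other translations are unaffected)
access-list INSIDE-NAT0 remark Bypass NAT for 7100-translated public IP
access-list INSIDE-NAT0 permit ip host 203.0.113.10 any
nat (inside) 0 access-list INSIDE-NAT0
!
! --- ASA, 8.3 and newer: Section 1 manual (twice) NAT, identity translation
object-group network NAT0-SOURCE
 network-object host 203.0.113.10
nat (inside,outside) source static NAT0-SOURCE NAT0-SOURCE
!
! --- ASA, both versions: return traffic for the public IP must be routed
! back to the 7100 (10.0.0.2 is the router's assumed address facing the ASA)
route inside 203.0.113.10 255.255.255.255 10.0.0.2
! Inbound sessions still need an outside ACL; permit only the translated ports
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 range 1234 1236
access-group OUTSIDE-IN in interface outside
!
! --- Checks
! ASA: trace an inbound connection to the second server's public port; the NAT
! phase should hit the identity rule and the route phase should point at 10.0.0.2
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 1235
! 7100: confirm the three static entries are installed
show ip nat translations
```

The ISP-side route Jouni mentions is still required: 203.0.113.10 has to be routed toward the ASA's outside interface before any of this is reachable.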

Alrighty, thank you very much Jouni. I will check with all of this and see what happens.

Thank you again,

Derrick
