Re: Allowing Natted IPs through ASA?

CiscoBrownBelt · ‎05-31-2019

You must still use the natted IP not the real source IP in the access-rules correct?

Rob Ingram · ‎05-31-2019

Hi,
No, you always use the real IP address in the ACL not the natted ip address.

I believe older version of ASA, v8.2 (from memory) however was different in regard to NAT. I assume you have a relatively new 9.x version of ASA? In which case use the real IP address.

HTH

CiscoBrownBelt · ‎05-31-2019

Just so I can clarify, so if the IPs are being Natted prior to the FW you need to enter the original IP?

Rob Ingram · ‎05-31-2019

Oh ok sorry, you mean the firewall itself is not doing the nat translation? If this is inbound traffic, and the ASA is not doing any NAT translation/un-translation, then the ASA would only know the public IP address - therefore the ACL rule should reference the only IP address it recieved traffic from (the public IP address).

CiscoBrownBelt · ‎06-03-2019

Yes sorry I should have clarified but awesome thanks!

Just created another post, but what if I want to NAT an internal IP address to another IP address that should be allowed to transverse an IPSEC tunnel on an ASA? Example, I have 160.1.1.10 address that I want to be Natted to 170.1.1.10 which is an source IP allowed to reach 200.1.1.10 destination IP of the IPSEC tunnel?

In addition to my NAT statement which is:

"Object-Nat" natting static 160.1.1.10 to 170.1.1.10 and choosing Inside interface as source interface (160.1.1.10 host is in the Inside interface) and Outside interface (IPSEC tunnel starts/exits Outside interface on both Local and Remote Tunnel/ASA devices,

Do I need to create another ACL rule which would be applied to the Crypto Map ACL or no since the Crypto Map ACL is already defining/allowing source address 170.1.1.10 to reach remote destination IP 200.1.1.10?