
ASA 5520 NAT 8.4

quicksilva
Level 1

Hello All,

I'm having an issue setting up access through our firewall for external usage. I'm not sure if it's even possible.

So....

We have 1 external IP, say 80.80.80.80.

We have 3 internal servers (10.0.0.1, 10.0.0.2, 10.0.0.3), two running web apps on port 443 and one on 445.

We have 2 external locations (source IPs) London (50.50.50.50), Reading (60.60.60.60).

I want to be able to match the source address, either London or Reading, and direct it to the correct internal server, so 10.0.0.1 is for London and 10.0.0.2 is for Reading, both using the same IP and ports?

Is this possible? Can the NAT rules match on source IP?

Cheers

Craig


5 Replies

Jouni Forss
VIP Alumni

Hi,

Below are some configurations I tested when a similar question was asked on these forums.

In the below configurations I attempted to test a situation where the source address from the public network would define which NAT would be used and therefore to which LAN host the connection would be forwarded. Also, the situation was limited to using only the single IP address configured on the ASA "outside/WAN" interface.

To my understanding this solution is hardly ideal when considering the firewall operation. I think the firewall actually warns about the overlaps and shows overlapping translations on the firewall.

Still, I was able to test this from 2 different external hosts at the same time on my home network and it was working. I haven't tested this in active use, so I can't say for certain what kind of problems you might run into, or if there are perhaps problems with the operation when multiple hosts are connecting and attempting all the different connections the NAT configurations are used for.

So below are the example configurations and, later, the clarifications on what they are supposed to do. This should be easy to apply to your specific setup.

EDIT: The naming and parameters referring to destination and source might be a bit confusing. Naturally you can use the object names that make the most sense to you.

object network SOURCE1
 host 1.2.3.4
object network SOURCE2
 host 5.6.7.8
object network SERVER1
 host 10.10.10.10
object network SERVER2
 host 10.10.10.20
object service VNC
 service tcp source eq 5900

nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC

access-list WAN-IN extended permit tcp object SOURCE1 object SERVER1 eq 5900
access-list WAN-IN extended permit tcp object SOURCE2 object SERVER2 eq 5900
access-group WAN-IN in interface WAN

Where

  • SOURCE1 / SOURCE2 = contains the user's public source IP address
  • SERVER1 / SERVER2 = contains the server's local IP address to which SOURCE1/SOURCE2 is connecting
  • VNC = contains the service that is to be forwarded
  • LAN = is my "inside" interface
  • WAN = is my "outside" interface
  • WAN-IN = is my "outside" inbound ACL

The above NAT commands basically state that

  • Translation will happen between LAN and WAN interface
  • The SERVER1 / SERVER2 will be translated to the WAN interface IP address ("interface" parameter) when the other end of the connection is SOURCE1 / SOURCE2 and the service used is TCP/5900 (both mapped and real service is TCP/5900)

Hopefully the information has been helpful.

- Jouni

Hi Jouni,

This sounds along the right lines, but where are you specifying the external IP of the ASA?

Is this possible to do with more than 1 IP assigned to the ASA, as in the above setup twice? So 4 sources, 2 connecting to 1 external IP and another 2 to a different external IP, then forwarding to 4 different servers?

Cheers

Craig


Hi,

The external IP address is specified by the keyword "interface" in the NAT configurations. In other words, it uses the ASA interface IP address. In my above case it would be the public IP address of the "WAN" interface.

I can't see any problem using multiple IP addresses. The configuration format of the NAT changes only a bit naturally.

I would see the overlapping of the NAT configurations as the "big question" of whether this will be a stable configuration in a production environment.

So to give you an example of using different IP addresses for the NAT configuration, the configuration could look something like this (If I understood correctly that is)

  • 4 Public Source IP addresses
  • 2 Usable local Public IP addresses
  • 4 Local Server IP addresses
  • Each Source IP address is to connect to a corresponding Local Server

object network SOURCE1
 host 1.2.3.4
object network SOURCE2
 host 5.6.7.8
object network SOURCE3
 host 9.10.11.12
object network SOURCE4
 host 13.14.15.16
object network SERVER1
 host 10.10.10.10
object network SERVER2
 host 10.10.10.20
object network SERVER3
 host 10.10.10.30
object network SERVER4
 host 10.10.10.40
object service VNC
 service tcp source eq 5900
object network PUBLIC-IP-2
 host x.x.x.x

nat (LAN,WAN) source static SERVER1 interface destination static SOURCE1 SOURCE1 service VNC VNC
nat (LAN,WAN) source static SERVER2 interface destination static SOURCE2 SOURCE2 service VNC VNC
nat (LAN,WAN) source static SERVER3 PUBLIC-IP-2 destination static SOURCE3 SOURCE3 service VNC VNC
nat (LAN,WAN) source static SERVER4 PUBLIC-IP-2 destination static SOURCE4 SOURCE4 service VNC VNC

And the corresponding ACL statements to open the traffic.

Where

  • x.x.x.x = is the Public IP address to be used in the NAT configurations

I have to say that I haven't labbed this exact situation (I might be able to at some point), but I'd expect it to work just like the previous setup I have tested briefly. But again I have to stress that I'm not sure how this performs in a production environment in constant use.

Hopefully the above information has been helpful. Please rate if helpful, and ask more if needed of course.

If you do get to test this and see that it's working, please mark the question as answered.

- Jouni
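To see what the two configurations in Jouni's replies actually do on the box, the following is a small model of the ASA's manual (twice) NAT lookup in the WAN-to-LAN direction, written for this page as an added illustration; it is not ASA code and not part of either post. It replays the four-rule config (whose first two rules are the single-IP config from the first reply) against constructed inbound packets and shows three things a practitioner would check: the remote host's address is what selects the rule, the rules are matched in configuration order with the first hit winning, and which rule pairs share a mapped address and port and therefore only differ in the far-end host, which is the overlap the ASA warns about. Addresses 1.2.3.4 through 10.10.10.40 and TCP/5900 are the ones from the posts; the WAN interface IP (80.80.80.80, taken from the question) and the value used for x.x.x.x (80.80.80.81) are assumptions made here.

```python
"""Model of ASA 8.4 twice-NAT matching for the rules posted in this thread.

Added example, not ASA code.  Assumed values: WAN interface IP 80.80.80.80
(the "interface" keyword) and 80.80.80.81 standing in for x.x.x.x.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (LAN,WAN) source static REAL MAPPED destination static FAR FAR
    service S S' line read from the LAN side: REAL is the server, MAPPED the
    public address, FAR the remote host the rule is keyed on, S the port."""
    name: str
    real_server: str
    mapped_ip: str
    far_host: str
    port: int


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def untranslate_inbound(rules: List[TwiceNat], pkt: Packet) -> Optional[TwiceNat]:
    """WAN->LAN direction.  Manual NAT rules are bidirectional: an inbound
    packet matches when its source equals the rule's far host and its
    destination equals the mapped address and port.  Rules are tried in
    configuration order and the first hit wins."""
    for rule in rules:
        if (pkt.src_ip == rule.far_host
                and pkt.dst_ip == rule.mapped_ip
                and pkt.dst_port == rule.port):
            return rule
    return None


def forward(rules: List[TwiceNat], acl: Set[Tuple[str, str, int]], pkt: Packet) -> str:
    """Return the real server the packet reaches, 'no-nat' when no rule
    untranslates it (traffic to the ASA's own address is then not forwarded),
    or 'acl-deny' when WAN-IN has no permit.  Since 8.3 the interface ACL is
    evaluated against the real (untranslated) destination, i.e. the server IP."""
    rule = untranslate_inbound(rules, pkt)
    if rule is None:
        return "no-nat"
    if (pkt.src_ip, rule.real_server, pkt.dst_port) not in acl:
        return "acl-deny"
    return rule.real_server


def overlapping_pairs(rules: List[TwiceNat]) -> List[Tuple[str, str]]:
    """Rule pairs behind the overlap warning: same mapped address and port,
    told apart only by the far-end host.  Listed hosts still resolve
    unambiguously; any other source simply matches neither rule."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.mapped_ip, a.port) == (b.mapped_ip, b.port) and a.far_host != b.far_host:
                found.append((a.name, b.name))
    return found


WAN_IF = "80.80.80.80"       # assumed: ASA WAN interface IP ("interface" keyword)
PUBLIC_IP_2 = "80.80.80.81"  # assumed: stand-in for x.x.x.x in object PUBLIC-IP-2
VNC = 5900

# Four-rule config from the second reply; the first two lines alone are the
# two-rule, single-IP config from the first reply.
RULES = [
    TwiceNat("SERVER1/SOURCE1", "10.10.10.10", WAN_IF, "1.2.3.4", VNC),
    TwiceNat("SERVER2/SOURCE2", "10.10.10.20", WAN_IF, "5.6.7.8", VNC),
    TwiceNat("SERVER3/SOURCE3", "10.10.10.30", PUBLIC_IP_2, "9.10.11.12", VNC),
    TwiceNat("SERVER4/SOURCE4", "10.10.10.40", PUBLIC_IP_2, "13.14.15.16", VNC),
]

# "The corresponding ACL statements": permit SOURCEn -> SERVERn eq 5900 on real IPs.
WAN_IN = {(r.far_host, r.real_server, r.port) for r in RULES}


def demo() -> dict:
    """Constructed inbound packets covering the cases worth checking."""
    cases = {
        "source1_to_if": Packet("1.2.3.4", WAN_IF, VNC),
        "source2_to_if": Packet("5.6.7.8", WAN_IF, VNC),
        "source3_to_ip2": Packet("9.10.11.12", PUBLIC_IP_2, VNC),
        "source3_to_if": Packet("9.10.11.12", WAN_IF, VNC),      # keyed to PUBLIC-IP-2 only
        "stranger_to_if": Packet("203.0.113.9", WAN_IF, VNC),    # no rule for this host
        "source1_wrong_port": Packet("1.2.3.4", WAN_IF, 5901),
    }
    return {name: forward(RULES, WAN_IN, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
    print("overlapping rule pairs:", overlapping_pairs(RULES))
```

The on-box equivalent of `demo()` is `packet-tracer input WAN tcp 1.2.3.4 12345 80.80.80.80 5900`, run once per source host, which shows the NAT phase selecting the rule and the ACL phase permitting or dropping; note that a host not listed in any SOURCE object gets no translation at all and is dropped, so the rule set is also the allow-list.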

Cheers Jouni,

What do you think the issues might be with the overlapped NAT? If it matches on source IP, then surely they are different NATs?

Craig

Hi,

When I originally used my home "lab" to test this setup out I only did some limited checking of how the ASA views these translations on the xlate table.

When I briefly tested the setup with VNC connections from 2 different external hosts at the same time, I got the feeling that the connections were lagging a bit and unresponsive at times. That's why I'm kind of hesitant in recommending this, at least until I have tested it more.

I do see your logic on the source IP address making sure that it truly isn't overlapping with something, and that would be how I would personally expect it to work too. But I'm too paranoid to say anything for sure until I have tested it.

- Jouni
