Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
6
Replies

ASA 5525X NATTING

Go to solution
Mohammed Shoukat Ali
Level 1
Level 1

‎04-09-2016 08:21 AM - edited ‎03-12-2019 12:36 AM

Dear Experts,

I want to establish a connection from remote site and right now they don't have firewall.

we have to allow the traffic from our firewall. below please find the natting configuration.  Also, I have attached the network diagram for your understanding.

object network SITEB-SOURCEIP
host 172.1.1.3
object network SITEB-SOURCEIP-INT
host 10.2.6.8
object network SERVER
host 10.3.1.8
object network SITEB-EXT
host 10.6.5.10

access-list SITEB-ACCESS-OUT-IN extended permit ip object SITEB-SOURCE-IP object SERVER

nat (inside_SITEB,Outside_SITEB) source static SERVER SITEB-EXT destination static SITEB-SOURCEIP-INT SITEB-SOURCEIP

route inside_SITEB 10.3.1.8 255.255.255.0 10.2.6.5

they are only able to ping our firewall outside interface IP(172.1.1.2)  but unable to ping our server(10.3.1.8)

Many thanks for your support

Thanks,

Labels:
Preview file
16 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Paul Chapman
Level 4
Level 4

‎04-10-2016 11:26 AM

Hi -

To make this work, it is better if we clarify our terminology.  For NAT we will use "REAL" and "MAPPED" to indicate the actual server IP and the NAT'ed IP respectively.  In ASA version 8.3 and later access-lists will refer to the real IP because ACLs are applied after NAT.

As you have stated the remote site does not have a firewall, so it is expected that the source IP on the packet will be the actual IP of the "Machine" (10.6.5.10).

Now that we know the parameters of the traffic we can build the NAT and rule.

object network 10.3.1.8_REAL
 host 10.3.1.8
object network 10.3.1.8_MAPPED
 host 172.1.1.8
object network REMOTE-HOST
 host 10.6.5.10
!
nat (inside,outside) source static 10.3.1.8_REAL 10.3.1.8_MAPPED destination static REMOTE-HOST REMOTE-HOST
!
access-list outside_in extended permit ip object REMOTE-HOST object 10.3.1.8_REAL
!
access-group outside_in in interface outside

In the NAT command, we can divide it into 2 sections: source and destination.  Each section tells the firewall what to do with those specific fields in the IP packet.  The source portion states how the internal server's IP will be translated.  The destination portion states how the external IP will be translated.

In this case, the destination IP does not actually need translation; it will be the same on both sides of the firewall. To do this we simply tell the firewall to translate the IP to itself.

NOTE: I changed the Mapped IP of the server because the configuration gets more complex if we are going to use the ASA interface IP.

In terms of testing from the remote site, it will only see the NAT IP of the server, it will never be able to access the internal IP directly.  Based on the sample configuration, pings to 172.1.1.8 should work.  If you run wireshark on both ends, you will see the results of the NAT translation.

PSC

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Paul Chapman
Level 4
Level 4

‎04-10-2016 11:26 AM

Hi -

To make this work, it is better if we clarify our terminology.  For NAT we will use "REAL" and "MAPPED" to indicate the actual server IP and the NAT'ed IP respectively.  In ASA version 8.3 and later access-lists will refer to the real IP because ACLs are applied after NAT.

As you have stated the remote site does not have a firewall, so it is expected that the source IP on the packet will be the actual IP of the "Machine" (10.6.5.10).

Now that we know the parameters of the traffic we can build the NAT and rule.

object network 10.3.1.8_REAL
 host 10.3.1.8
object network 10.3.1.8_MAPPED
 host 172.1.1.8
object network REMOTE-HOST
 host 10.6.5.10
!
nat (inside,outside) source static 10.3.1.8_REAL 10.3.1.8_MAPPED destination static REMOTE-HOST REMOTE-HOST
!
access-list outside_in extended permit ip object REMOTE-HOST object 10.3.1.8_REAL
!
access-group outside_in in interface outside

In the NAT command, we can divide it into 2 sections: source and destination.  Each section tells the firewall what to do with those specific fields in the IP packet.  The source portion states how the internal server's IP will be translated.  The destination portion states how the external IP will be translated.

In this case, the destination IP does not actually need translation; it will be the same on both sides of the firewall. To do this we simply tell the firewall to translate the IP to itself.

NOTE: I changed the Mapped IP of the server because the configuration gets more complex if we are going to use the ASA interface IP.

In terms of testing from the remote site, it will only see the NAT IP of the server, it will never be able to access the internal IP directly.  Based on the sample configuration, pings to 172.1.1.8 should work.  If you run wireshark on both ends, you will see the results of the NAT translation.

PSC

0 Helpful

Go to solution
Mohammed Shoukat Ali
Level 1
Level 1
In response to Paul Chapman

‎04-10-2016 01:50 PM

Thanks Paul for your support. I will do the configuration and I'll give you the feedback.

Note

My ASA software version is 9.2

Appreciated

Thanks,

0 Helpful

Go to solution
Mohammed Shoukat Ali
Level 1
Level 1
In response to Mohammed Shoukat Ali

‎04-13-2016 09:23 AM

Hi Paul,

I applied the below configuration but cant see the traffic from other end.

172.1.1.3 I can able to ping and from their they can ping 172.1.1.1 but cant able to ping 10.3.1.8 server. one thing i want to clarify why 172.1.1.8 IP its like a source IP.

object network 10.3.1.8_REAL
 host 10.3.1.8
object network 10.3.1.8_MAPPED
 host 172.1.1.8 
object network REMOTE-HOST
 host 10.6.5.10
!
nat (inside,outside) source static 10.3.1.8_REAL 10.3.1.8_MAPPED destination static REMOTE-HOST REMOTE-HOST
!
access-list outside_in extended permit ip object REMOTE-HOST object 10.3.1.8_REAL
!
access-group outside_in in interface outside

Please advise.

Many thanks for your support.

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to Mohammed Shoukat Ali

‎04-13-2016 10:04 AM

Hi -

We have 2 scenarios to consider here:

  1. 10.3.1.8 going to 10.6.5.10
  2. 10.6.5.10 going to 10.3.1.8

In case 1 the host at 10.3.1.8 will perceive the destination as the actual IP of the destination.  So packet source is 10.3.1.8 and destination is 10.6.5.10 when it leaves the server's NIC.

In case 2 the host at 10.6.5.10 only has access to the NAT address.  So packet source is 10.6.5.10 and destination is 172.1.1.8 when it leaves the server interface.

Based on these 2 possible traffic flows you have to ping the appropriate address.  So your ping from 10.3.1.8 will be "ping 10.6.5.10".  Conversely, the ping from 10.6.5.10 should be "ping 172.1.1.8".

PSC

0 Helpful

Go to solution
Mohammed Shoukat Ali
Level 1
Level 1
In response to Paul Chapman

‎04-13-2016 01:05 PM

Hi Paul,

Thanks for your update.

I have to configure scenario 2

10.6.5.10 should access to 10.3.1.8 application server still they are not able to ping 10.3.1.8  i have to allow the traffic from 10.6.5.10 subnet only.

Many thanks for your support.

0 Helpful

Go to solution
Paul Chapman
Level 4
Level 4
In response to Mohammed Shoukat Ali

‎04-13-2016 01:58 PM

Hi -

10.6.5.10 will never be able to ping 10.3.1.8 due to the NAT configuration.  It can only ping 172.1.1.8.

If it cannot ping 172.1.1.8, then you need to look at your routing configuration.

PSC

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card