Solved: ASA 8.3, Nating in both directions.

Chris McCann · ‎01-22-2014

Hi All,

I am trying to configure an ASA ver 8.3 so that I have incoming traffic to one of our public addresses nat'd to an internal webserver and then the webserver nat back out, so a nice easy two way conversation using static NAT.

However its not working. I have put wireshark on the internal webserver to check that traffic is coming in from the internal address of the ASA and that was fine, however the output of wireshark indicates that the traffic is coming from the external source website rather than the internal LAN address of the ASA so I am assuming that our webserver when trying to access the external address is failing on the routing. We do not have a default route on our core switches pointing everything to the outside world and previous we have NAT'd using a Linux box which didnt have a problem.

What am I doing wrong to prevent the internal address of our ASA being propergated through to the webserver. Unfortunately I cannt paste any of the running config as this is a live system and when I do the changes and they fail someone else has the turn the old Linux box back on.

Any help apreciated.

C.

lcambron · ‎01-23-2014

Hello,

It is kind of hard without the configuration but the NAT should look like:

nat (outside,inisde) source dynamic any interface destination static external_IP internal_IP

Not sure if you use the ports as well.

You can run a packet tracer to confirm it is using the correct NAT rule:

packet in outside tcp 8.8.8.8 1025 external_IP 80

Regards,

Felipe.

Remember to rate useful posts.

View solution in original post

Jouni Forss · ‎01-24-2014

Hi,

So you are trying to do Dynamic PAT for all incoming traffic towards one of your Servers which has a Static NAT to a public IP address?

Basically the format of the configuration would be

object network PUBLIC

host

object network LOCAL

host

nat (outside,inside) source dynamic any interface destination static PUBLIC LOCAL

With this configuration the traffic destined to "PUBLIC" should match this NAT rule and untranslate the destination to "LOCAL" while at the same time translating the source to "interface" (inside).

Naturally where ever the server is located in the LAN Network it must have route for the connected network on the ASAs "inside" interface which usually already exists without any additions

You should be able to simulate a packet coming for a connection that is supposed to match this NAT rule by using the "packet-tracer" command

For example

packet-tracer input outside tcp 1.1.1.1 12345

- Jouni

View solution in original post

lcambron · ‎01-23-2014

Hello,

It is kind of hard without the configuration but the NAT should look like:

nat (outside,inisde) source dynamic any interface destination static external_IP internal_IP

Not sure if you use the ports as well.

You can run a packet tracer to confirm it is using the correct NAT rule:

packet in outside tcp 8.8.8.8 1025 external_IP 80

Regards,

Felipe.

Remember to rate useful posts.

Chris McCann · ‎01-24-2014

Hi Felipe,

ok lets say my internal webserver is x.x.x.x and I want the external address of y.y.y.y

So config would be something like

object network MyWebServer

host x.x.x.x

nat (outside,inside) source dynamic any interface destination static y.y.y.y x.x.x.x (or event he host name instead of x.x.x.x)

Jouni Forss · ‎01-24-2014

Hi,

So you are trying to do Dynamic PAT for all incoming traffic towards one of your Servers which has a Static NAT to a public IP address?

Basically the format of the configuration would be

object network PUBLIC

host

object network LOCAL

host

nat (outside,inside) source dynamic any interface destination static PUBLIC LOCAL

With this configuration the traffic destined to "PUBLIC" should match this NAT rule and untranslate the destination to "LOCAL" while at the same time translating the source to "interface" (inside).

Naturally where ever the server is located in the LAN Network it must have route for the connected network on the ASAs "inside" interface which usually already exists without any additions

You should be able to simulate a packet coming for a connection that is supposed to match this NAT rule by using the "packet-tracer" command

For example

packet-tracer input outside tcp 1.1.1.1 12345

- Jouni

Chris McCann · ‎01-30-2014

Thank you very much, that is working good, I added the service too.