01-10-2013 03:28 PM - edited 03-11-2019 05:45 PM
Hello guys,
I'm wondering if this is possible on an ASA.
I know it is possible on a router (I think).
Currently I have an outside interface with a public address:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2
I already have one to one NATing going on from inside to outside
e.g:
object network test
nat (inside,outside) static 10.1.1.3 dns
Proposal:
New interface:
int g1/1
nameif inside2
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
object network test2_range
range 172.16.1.3 172.16.1.254
object network test2_range
nat (inside2,outside) static 10.1.1.4 dns
Will this work? i.e. the IP address range 172.16.1.3 - 254 will NAT to 10.1.1.4?
I want the subnet to share one IP address. Is this possible?
Thanks
01-11-2013 05:25 AM
Hi,
I would suggest the following configuration format for default PAT configurations.
This will make them the NAT rules that are matched last for traffic, which they usually should be.
The names and IPs/networks used below are just examples. Object/Object-group names are best configured with more descriptive names.
Using the "outside" interface for PAT
object-group network DEFAULT-PAT-SOURCE
description Source Networks for PAT
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
Using a separate public IP address for PAT
object-group network DEFAULT-PAT-SOURCE
description Source Networks for PAT
network-object 10.10.10.0 255.255.255.0
object network PUBLIC
host x.x.x.x
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC
- Jouni
01-10-2013 05:34 PM
Hi,
The nat that you are trying to do is only one to one nat, and it cannot be one to many. You cannot use static command for it. If it is to be one to many then you would have to use dynamic keyword for it, which would be your port address translation.
Thanks,
Varun Rao
Security Team,
Cisco TAC
01-11-2013 05:19 AM
Hi Varun,
So in this example I would use:
object network test2_range
subnet 172.16.1.0 255.255.255.0
nat (inside2,outside) dynamic 10.1.1.4 dns
Thanks
01-13-2013 04:34 AM
Hi Jouni,
Thank you for your reply.
If I use your example no. 2 - using a separate public IP address for PAT -
the outcome would be that any address in the /24 range will be PATted to the configured PUBLIC IP address host?
object-group network DEFAULT-PAT-SOURCE
description Source Networks for PAT
network-object 10.10.10.0 255.255.255.0
object network PUBLIC
host 1.2.3.4
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC
e.g Outcome:
10.10.10.55 -> 1.2.3.4:525252
10.10.10.213-> 1.2.3.4:35865
Is my understanding of this correct?
Thanks
01-13-2013 04:41 AM
Hi,
Yes, that is correct. All users in network 10.10.10.0/24 would be sharing the IP address configured under object PUBLIC as their PAT address towards Internet.
- Jouni
01-13-2013 04:44 AM
Hi Jouni,
Awesome, thanks for your reply, I will let you know how the change goes later on!
Many Thanks!
01-13-2013 07:20 AM
I believe you would greatly benefit from my upcoming webcast. Details below. I will be discussing the old and new NAT syntax.
https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
Register today for this Cisco Support Community live webcast.
-Kureli
01-14-2013 01:13 PM
Worked all fine Jouni! But I have an issue and I have tried ways of fixing this.
I have two inside LANs
192.168.50.x (VLAN 50) & 192.168.100.x (VLAN 100)
VLAN 50 has PAT 192.168.50.0/24 to 1.2.3.4
VLAN 100 has 1 to 1 NATS
They hit ASA and NAT on outside interface
int g0/0
nameif outside
security-level 0
ip add 1.2.3.0 255.255.255.0
My issue is I have a webserver sitting in VLAN 100 in DMZ (192.168.100.5 -> NAT 1.2.3.50)
Traffic from VLAN 50 will traverse internal to ASA and out the Internet and into OUTSIDE interface of the ASA.
At this point the ASA sends traffic back to VLAN 50 (used packet tracer and looked at syslog).
So if I understand how ASA process packets:
Client on VLAN 50 - 192.168.50.200 - http://1.2.3.50
This will go to ASA and PAT to Outside Interface - 192.168.50.200 -> 1.2.3.4:50501
Go internet and loop back to Outside interface
NAT back to 192.168.50.200
But I cannot access the webserver - Page timeout on web browser
I have tried putting rules on Outside interface but no luck
I know it's a weird setup.
Thanks
01-14-2013 01:27 PM
Hi,
So if I understood you correctly
This is a pretty common problem people run into
Since your host attempting the web server connection using the public/NAT IP address is behind the ASA, it can't use the public IP address. You should use the local address of the web server rather than the public NAT IP address.
If this is not possible I guess you could try to do the 1:1 Static NAT also from the Web Server Vlan to the other Vlan and this way the Web server would also be visible to the other Vlan with the public IP address.
I can't guarantee this will work but can't think of anything else at the moment.
- Jouni
01-14-2013 02:02 PM
Yes that's correct Jouni. 1 Vlan is PAT and other VLAN is 1:1 static NAT.
And PAT vlan is required to access webserver in Static NAT vlan
I thought of doing that but they require using DNS name.
So are you saying NAT inside to inside? I've enabled access to same security levels but no luck
tricky one
01-14-2013 02:16 PM
Hi,
I mean you could try doing the 1:1 Static NAT of the Web server also between the 2 Vlans
Then you would have the Static NAT configured twice
This could possibly be done with a single Static NAT command by changing the destination interface of the NAT with "any"
For example
object network STATIC
host 10.10.10.10
nat (inside,any) static 1.2.3.4
The above should do a 1:1 Static NAT for the LAN host towards any other ASA interface. So in your case towards "outside" and also the other Vlan.
But as I said I'm not sure if it will work. I haven't had to do similar NATs that often.
- Jouni
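As an added illustration, not code from the thread or from Cisco, here is a small Python model of the NAT behaviour discussed in this thread: the rule-section ordering behind Jouni's after-auto PAT suggestion (a default PAT matched last, so a host's own object NAT still wins regardless of configuration order), the many-to-one PAT outcome the original poster asked to confirm, Varun's point that a static rule cannot map a whole range onto one address, and the hairpin scenario where a client on the PAT VLAN browses to the web server's public IP, contrasted with the `(inside,any)` static NAT Jouni proposes. The IP addresses are the thread's example values; the interface names `inside`/`inside2`, the section numbers (1 = manual before-auto, 2 = object NAT, 3 = manual after-auto, as on ASA 8.3+), the port counter and the translation table are constructed simplifications of what the appliance does. The model only says what those rules would match; whether the live box also needs same-security traffic and access rules permitted is something to confirm with packet-tracer, as the poster already did.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """One ASA NAT rule reduced to the fields this toy model needs (constructed)."""
    name: str
    section: int                  # 1 = manual before-auto, 2 = object (auto) NAT, 3 = manual after-auto
    src_if: str                   # interface the real hosts sit behind
    dst_if: str                   # mapped-side interface, or "any"
    real: ipaddress.IPv4Network   # real hosts: a /32 for a host object, a /24 for a subnet
    mapped: ipaddress.IPv4Address
    kind: str                     # "static" (1:1, bidirectional) or "dynamic" (PAT, many-to-one)


class AsaNatModel:
    """Toy NAT table: rules are tried section 1, then 2, then 3, in configuration order
    within a section, and the first match wins. That is why an after-auto PAT rule never
    shadows a host's object NAT, whatever order the two were typed in."""

    def __init__(self):
        self.rules = []
        self.next_port = 1024     # constructed PAT port counter; the real box picks its own ports
        self.xlate = {}           # (real_ip, real_port) -> (mapped_ip, mapped_port)

    def add(self, rule):
        # Varun's point: static NAT is one-to-one, so a range behind a single mapped
        # address (what the original poster first tried) is rejected; use dynamic instead.
        if rule.kind == "static" and rule.real.num_addresses != 1:
            raise ValueError(f"{rule.name}: static NAT is one-to-one; use dynamic for many-to-one")
        self.rules.append(rule)

    def ordered(self):
        return sorted(self.rules, key=lambda r: r.section)  # stable sort keeps config order per section

    def translate_source(self, in_if, out_if, src_ip, src_port):
        """Outbound lookup. Returns (rule_name, mapped_ip, mapped_port)."""
        src = ipaddress.IPv4Address(src_ip)
        for r in self.ordered():
            if r.src_if != in_if or r.dst_if not in ("any", out_if) or src not in r.real:
                continue
            if r.kind == "static":
                return r.name, str(r.mapped), src_port        # 1:1, port preserved
            key = (src_ip, src_port)
            if key not in self.xlate:                         # many-to-one: allocate a PAT port
                self.xlate[key] = (str(r.mapped), self.next_port)
                self.next_port += 1
            return (r.name,) + self.xlate[key]
        return None, src_ip, src_port                         # no rule: leaves untranslated

    def untranslate_destination(self, in_if, dst_ip):
        """Inbound side of a static rule. Returns (rule_name, real_ip, egress_if) or None."""
        dst = ipaddress.IPv4Address(dst_ip)
        for r in self.ordered():
            if r.kind == "static" and dst == r.mapped and r.dst_if in ("any", in_if):
                return r.name, str(r.real.network_address), r.src_if
        return None


def build_thread_example():
    """Jouni's after-auto PAT for 10.10.10.0/24 behind PUBLIC (1.2.3.4), plus one object NAT host.
    The host rule is added after the PAT rule on purpose: section order, not config order, decides."""
    m = AsaNatModel()
    m.add(NatRule("DEFAULT-PAT", 3, "inside", "outside",
                  ipaddress.IPv4Network("10.10.10.0/24"), ipaddress.IPv4Address("1.2.3.4"), "dynamic"))
    m.add(NatRule("STATIC-HOST", 2, "inside", "outside",
                  ipaddress.IPv4Network("10.10.10.10/32"), ipaddress.IPv4Address("1.2.3.50"), "static"))
    return m


def rejects_static_range():
    """True if the model refuses a static rule for a whole range onto one mapped address."""
    try:
        AsaNatModel().add(NatRule("test2_range", 2, "inside2", "outside",
                                  ipaddress.IPv4Network("172.16.1.0/24"),
                                  ipaddress.IPv4Address("10.1.1.4"), "static"))
    except ValueError:
        return True
    return False


def hairpin(web_dst_if):
    """Client 192.168.50.200 on inside2 (the PAT VLAN, assumed) browses to 1.2.3.50, the public
    IP of web server 192.168.100.5 on inside. web_dst_if is "outside" for
    'nat (inside,outside) static' or "any" for Jouni's 'nat (inside,any) static'."""
    m = AsaNatModel()
    m.add(NatRule("WEB", 2, "inside", web_dst_if,
                  ipaddress.IPv4Network("192.168.100.5/32"), ipaddress.IPv4Address("1.2.3.50"), "static"))
    m.add(NatRule("PAT-VLAN50", 3, "inside2", "outside",
                  ipaddress.IPv4Network("192.168.50.0/24"), ipaddress.IPv4Address("1.2.3.4"), "dynamic"))
    hit = m.untranslate_destination("inside2", "1.2.3.50")
    if hit is None:
        # No static rule applies on inside2, so 1.2.3.50 is left as is and the client is PATed out
        # towards the Internet, where nothing hands the public IP back in: the browser times out.
        _, mapped_ip, _ = m.translate_source("inside2", "outside", "192.168.50.200", 50501)
        return {"reaches_server": False, "egress": "outside", "src_seen_as": mapped_ip}
    rule, real_ip, egress = hit
    return {"reaches_server": True, "egress": egress, "dst_real": real_ip, "rule": rule}


if __name__ == "__main__":
    m = build_thread_example()
    for host in ("10.10.10.55", "10.10.10.213", "10.10.10.10"):
        print(host, "->", m.translate_source("inside", "outside", host, 40000))
    print("static range rejected:", rejects_static_range())
    print("hairpin (inside,outside):", hairpin("outside"))
    print("hairpin (inside,any):   ", hairpin("any"))
```

Run it and the two /24 hosts come out behind 1.2.3.4 with different ports while 10.10.10.10 keeps its 1:1 mapping, the range-to-one static rule is refused, and only the `(inside,any)` variant turns the client's packet back towards the web server's real address on `inside`.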
01-14-2013 03:29 PM
Hi,
I will give that a try.
Do you know what the order of traffic processing is?
Is it Routing / NAT / ACL?
Thanks