ASA 8.4 NAT subnets to 1 IP Address

JDMJeffy84
Level 1

Hello guys,
I'm wondering if this is possible on an ASA.
I know it is possible on a router (I think).

Currently I have an outside interface with a public address:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2

I already have one-to-one NATing going on from inside to outside, e.g.:

object network test
 nat (inside,outside) static 10.1.1.3 dns

Proposal.

New interface:

int g1/1
 nameif inside2
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

object network test2_range
 range 172.16.1.3 172.16.1.254

object network test2_range
 nat (inside2,outside) static 10.1.1.4 dns

Will this work? i.e. the IP address range 172.16.1.3 - 254 will NAT to 10.1.1.4?
I want the subnet to share 1 IP address. Is this possible?
Thanks


12 Replies

varrao
Level 10

Hi,

The NAT that you are trying to do is only one-to-one NAT, and it cannot be one-to-many. You cannot use the static command for it. If it is to be one-to-many then you would have to use the dynamic keyword for it, which would be your port address translation.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun,

So in this example I would use:

object network test2_range
 subnet 172.16.1.0 255.255.255.0
 nat (inside2,outside) dynamic 10.1.1.4 dns

Thanks

Hi,

I would suggest the following configuration format for default PAT configurations.

This will make them the NAT rules that are matched last for traffic, which they usually should be.

The names and IPs/networks used below are just examples. Object/Object-group names are best configured with more descriptive names.

Using the "outside" interface for PAT:

object-group network DEFAULT-PAT-SOURCE
 description Source Networks for PAT
 network-object 10.10.10.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Using a separate public IP address for PAT:

object-group network DEFAULT-PAT-SOURCE
 description Source Networks for PAT
 network-object 10.10.10.0 255.255.255.0

object network PUBLIC
 host x.x.x.x

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC

- Jouni
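As an added illustration (my code, not part of the thread or anything from Cisco), a small Python model of how the ASA 8.3+ NAT sections are searched, showing why an after-auto dynamic PAT rule is matched last and a host in the same subnet that has its own object static NAT still wins; the static host 10.10.10.10 -> 1.2.3.50 and the port allocator are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """One ASA 8.3+ NAT rule. section: 1 = manual (twice NAT), 2 = object NAT,
    3 = manual after-auto. The ASA walks the sections in that order, first match wins."""
    section: int
    name: str
    real: ipaddress.IPv4Network   # real (inside) source addresses the rule covers
    mapped_ip: str                # translated address on the outside
    mode: str                     # "static" (1:1, port kept) or "dynamic" (PAT, many-to-one)


class AsaNatTable:
    def __init__(self, rules):
        # Python's sort is stable, so rules keep their configured order within a section.
        self.rules = sorted(rules, key=lambda r: r.section)
        self.next_port = {}   # mapped IP -> next PAT port (toy allocator, not the ASA's own)
        self.xlate = {}       # (mapped_ip, mapped_port) -> (real_ip, real_port)

    def translate(self, real_ip, real_port):
        """Return (matched rule name, mapped IP, mapped port) for an outbound packet."""
        src = ipaddress.ip_address(real_ip)
        for rule in self.rules:
            if src not in rule.real:
                continue
            if rule.mode == "static":
                return rule.name, rule.mapped_ip, real_port
            port = self.next_port.get(rule.mapped_ip, 1024)
            self.next_port[rule.mapped_ip] = port + 1
            self.xlate[(rule.mapped_ip, port)] = (real_ip, real_port)
            return rule.name, rule.mapped_ip, port
        return "no-nat", real_ip, real_port


def build_thread_example():
    """Rules mirroring the thread: the after-auto default PAT for DEFAULT-PAT-SOURCE
    to object PUBLIC (section 3), listed first in the config, plus a constructed
    object static NAT for host 10.10.10.10 -> 1.2.3.50 (section 2)."""
    return AsaNatTable([
        NatRule(3, "DEFAULT-PAT", ipaddress.ip_network("10.10.10.0/24"), "1.2.3.4", "dynamic"),
        NatRule(2, "SERVER-STATIC", ipaddress.ip_network("10.10.10.10/32"), "1.2.3.50", "static"),
    ])


if __name__ == "__main__":
    table = build_thread_example()
    for host, port in (("10.10.10.55", 40000), ("10.10.10.213", 40001), ("10.10.10.10", 80)):
        print(host, port, "->", table.translate(host, port))
```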

Hi Jouni,
Thank you for your reply.

If I use your example no. 2 (using a separate public IP address for PAT),

the outcome would be that any address in the /24 range will be PATted to the configured PUBLIC IP address host?

object-group network DEFAULT-PAT-SOURCE
 description Source Networks for PAT
 network-object 10.10.10.0 255.255.255.0

object network PUBLIC
 host 1.2.3.4

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PUBLIC

e.g. outcome:
10.10.10.55 -> 1.2.3.4:525252
10.10.10.213 -> 1.2.3.4:35865

Am I correct in understanding this?

Thanks

Hi,

Yes, that is correct. All users in network 10.10.10.0/24 would be sharing the IP address configured under object PUBLIC as their PAT address towards Internet.

- Jouni

Hi Jouni,

Awesome Thanks for your reply, I will let you know how the change goes later on!

Many Thanks!

JDMJeffy84,

I believe you would greatly benefit from my upcoming webcast. Details below. I will be discussing the old and new NAT syntax.

https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts

Upcoming Live Webcast in English: January 15, 2013

Troubleshooting ASA and Firewall Service Modules

Register today for this Cisco Support Community live webcast.

-Kureli

Worked all fine Jouni! But I have an issue and I have tried ways of fixing this.

I have two inside LANs

192.168.50.x (VLAN 50) & 192.168.100.x (VLAN 100)

VLAN 50 has PAT 192.168.50.0/24 to 1.2.3.4

VLAN 100 has 1 to 1 NATS

They hit the ASA and NAT on the outside interface:

int g0/0
 nameif outside
 security-level 0
 ip add 1.2.3.0 255.255.255.0

My issue is I have a webserver sitting in VLAN 100 in DMZ (192.168.100.5 -> NAT 1.2.3.50)
Traffic from VLAN 50 will traverse internal to ASA and out the Internet and into OUTSIDE interface of the ASA.

At this bit the ASA sends traffic back to VLAN 50 (used packet tracer and looked at syslog).

So if I understand how ASA process packets:
Client on VLAN 50 - 192.168.50.200 - http://1.2.3.50

This will go to ASA and PAT to Outside Interface - 192.168.50.200 -> 1.2.3.4:50501

Go internet and loop back to Outside interface

NAT back to 192.168.50.200

But I cannot access the webserver - Page timeout on web browser

I have tried putting rules on Outside interface but no luck

I know it's a weird setup.

Thanks

Hi,

So if I understood you correctly

  • You now have a PAT for your other Vlan towards "outside"
  • You now have 1:1 Static NATs for servers from other Vlan towards "outside"
  • You want to access the Web server(s) from the other Vlan but aren't succeeding in it

This is a pretty common problem people run into

Since your host attempting the Web server connection using the public/NAT IP address is behind the ASA, it CAN'T use the public IP address. You should use the local address of the Web server rather than the public NAT IP address.

If this is not possible I guess you could try to do the 1:1 Static NAT also from the Web Server Vlan to the other Vlan and this way the Web server would also be visible to the other Vlan with the public IP address.

I can't guarantee this will work but can't think of anything else at the moment.

- Jouni

Yes that's correct Jouni. 1 Vlan is PAT and other VLAN is 1:1 static NAT.

And PAT vlan is required to access webserver in Static NAT vlan

I thought of doing that but they require using DNS name.

So are you saying NAT inside to inside? I've enabled access to same security levels but no luck

tricky one

Hi,

I mean you could try doing the 1:1 Static NAT of the Web server also between the 2 Vlans

Then you would have the Static NAT configured twice

  • Between server Vlan and outside
  • Between server Vlan and user Vlan (for lack of a better term)

This could possibly be done with a single Static NAT command by changing the destination interface of the NAT with "any"

For example

object network STATIC
 host 10.10.10.10
 nat (inside,any) static 1.2.3.4

The above should do a 1:1 Static NAT for the LAN host towards any other ASA interface. So in your case towards "outside" and also the other Vlan.

But as I said I'm not sure if it will work. I haven't had to do similar NATs that often.

- Jouni
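An added Python model (mine, not the thread's or Cisco's) of the hairpin problem discussed above: why a client on the user VLAN that connects to the server's mapped address is sent out "outside" under nat (dmz,outside), and what changes when the mapped interface is "any" as Jouni suggests. Interface names, the /24 subnets and the server addresses are taken from or constructed around the thread; ACLs and security levels are not modelled.

```python
import ipaddress

# Interfaces from the thread (the DMZ and user VLAN are assumed to be /24s).
INTERFACES = {
    "outside": ipaddress.ip_network("1.2.3.0/24"),
    "inside": ipaddress.ip_network("192.168.50.0/24"),    # VLAN 50, PAT users
    "dmz": ipaddress.ip_network("192.168.100.0/24"),      # VLAN 100, 1:1 static hosts
}

# Object static NAT as (real_if, mapped_if, real_ip, mapped_ip):
# nat (dmz,outside) static 1.2.3.50   versus   nat (dmz,any) static 1.2.3.50
SERVER_VIA_OUTSIDE = [("dmz", "outside", "192.168.100.5", "1.2.3.50")]
SERVER_VIA_ANY = [("dmz", "any", "192.168.100.5", "1.2.3.50")]


def egress_interface(dst_ip):
    """Route lookup: a directly connected interface, otherwise the default route (outside)."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "outside"


def untranslate(rules, ingress_if, dst_ip):
    """Model of destination untranslation for a static rule: the mapped address is
    only rewritten to the real address for packets entering on the rule's mapped
    interface ("any" covers every interface). Returns (real_dst, egress_if)."""
    for real_if, mapped_if, real_ip, mapped_ip in rules:
        if dst_ip == mapped_ip and mapped_if in ("any", ingress_if):
            return real_ip, real_if
    return dst_ip, egress_interface(dst_ip)


def hairpin_check(rules, client_if="inside", target="1.2.3.50"):
    """A client behind the ASA connects to the server's public (mapped) address."""
    real_dst, egress = untranslate(rules, client_if, target)
    return {"real_dst": real_dst, "egress": egress,
            "reaches_server": real_dst == "192.168.100.5"}


if __name__ == "__main__":
    print("dmz,outside :", hairpin_check(SERVER_VIA_OUTSIDE))  # routed out "outside", times out
    print("dmz,any     :", hairpin_check(SERVER_VIA_ANY))      # untranslated, sent to dmz
    print("from outside:", hairpin_check(SERVER_VIA_OUTSIDE, "outside"))
```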

Hi,

I will give that a try.
Do you know what the order of traffic flow is?

Is it routing / NAT / ACL?

Thanks
