06-25-2011 09:17 AM - edited 03-11-2019 01:50 PM
Hi all,
I'd like to ask you a question about NAT.
I've got an ASA with inside and outside interfaces and some DMZs, and I want to NAT IP dst 9.9.9.1 to 15.0.0.1, but I also want to be able to reach the real IP 9.9.9.1.
With this rule it works; do you think it is right?
object network obj9.9.9.1
host 9.9.9.1
object network obj9.9.9.1bis
host 9.9.9.1
object network obj9.9.9.1
nat (dmz,inside) static 15.0.0.1
object network obj9.9.9.1bis
nat (dmz,inside) static 9.9.9.1
TEST# show nameif
Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 inside 100
Ethernet0/2 dmz 80
Port-channel10 dmz-2 85
TEST# show route
Gateway of last resort is XXXX.XXXX.XXX.XXX to network 0.0.0.0
C XXXX.XXXX.XXX.XXX 255.255.255.240 is directly connected, outside
C 7.7.7.0 255.255.255.0 is directly connected, inside
C 9.9.9.0 255.255.255.0 is directly connected, dmz
C 10.10.10.0 255.255.255.0 is directly connected, dmz-2
S 15.0.0.0 255.255.255.0 [1/0] via 9.9.9.1, dmz
S* 0.0.0.0 0.0.0.0 [1/0] via XXXX.XXXX.XXX.XXX, outside
The only strange thing is ICMP: echo replies come with src IP 15.0.0.1. If I telnet to 9.9.9.1, the ACK and subsequent IPs are right (9.9.9.1).
Thanks
dan
06-25-2011 08:07 PM
No, doesn't look right.
You can't NAT the IP address and access the real IP address at the same time. It is one or the other, not both.
If you would like to access the NATed IP address from a specific source, and access the real IP address from a different source, then it could be configured. However, if you are trying to access both the NATed and the real IP from the same source, then this is not supported.
06-26-2011 12:49 PM
OK Jennifer, right, thanks.
It works (maybe sometimes yes, like this time, have a look below, and maybe sometimes not), but it is not supported.
TEST# show conn
3 in use, 20 most used
TCP dmz 15.0.0.1(9.9.9.1):23 inside 7.7.7.8:43544, idle 0:00:02, bytes 463, flags UIO
TCP dmz 9.9.9.1:23 inside 7.7.7.8:43392, idle 0:00:08, bytes 463, flags UIO
TEST# show nat
Auto NAT Policies (Section 2)
1 (dmz) to (inside) source static obj9.9.9.1 15.0.0.1
translate_hits = 7, untranslate_hits = 5
2 (dmz) to (inside) source static obj9.9.9.1bis 9.9.9.1
translate_hits = 0, untranslate_hits = 8
[root@test]# tcpdump -i eth0 port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:30:13.914584 IP 7.7.7.8.43389 > 9.9.9.1.telnet: S 3273190795:3273190795(0) win 5840
21:30:13.915799 IP 9.9.9.1.telnet > 7.7.7.8.43389: S 408102613:408102613(0) ack 3273190796 win 4128
21:30:13.915836 IP 7.7.7.8.43389 > 9.9.9.1.telnet: . ack 1 win 5840
21:30:13.917044 IP 9.9.9.1.telnet > 7.7.7.8.43389: P 1:13(12) ack 1 win 4128
21:30:13.917074 IP 7.7.7.8.43389 > 9.9.9.1.telnet: . ack 13 win 5840
21:30:13.917376 IP 7.7.7.8.43389 > 9.9.9.1.telnet: P 1:31(30) ack 13 win 5840
21:30:34.117347 IP 7.7.7.8.43541 > 15.0.0.1.telnet: S 3295238421:3295238421(0) win 5840
21:30:34.118523 IP 15.0.0.1.telnet > 7.7.7.8.43541: S 1183040330:1183040330(0) ack 3295238422 win 4128
21:30:34.118569 IP 7.7.7.8.43541 > 15.0.0.1.telnet: . ack 1 win 5840
21:30:34.119750 IP 15.0.0.1.telnet > 7.7.7.8.43541: P 1:13(12) ack 1 win 4128
dan
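A small model of the rule lookup discussed in this thread, added here as an illustration; it is not ASA code and not anything the posters wrote. It assumes the rule order shown in the show nat output above, first-match lookup in each direction, and that a reply with no connection state (such as the ICMP echo reply dan saw) is translated afresh by the rule table rather than by a conn entry.

```python
# Simplified model of ASA auto NAT (section 2) for the two rules in this
# thread. Assumptions (not ASA behaviour taken from documentation): rules
# are consulted in "show nat" order; inside->dmz traffic matches on the
# mapped destination (untranslate); dmz->inside traffic matches on the
# real source (translate); a reply that has a conn entry reuses the address
# the client used, a reply with no conn entry is translated afresh.
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Rule:
    name: str    # object name from the config
    real: str    # "host" address of the object
    mapped: str  # address given on the "nat ... static" line


# Same order as the "show nat" output in the thread (obj9.9.9.1 sorts first).
RULES = [Rule("obj9.9.9.1", "9.9.9.1", "15.0.0.1"),
         Rule("obj9.9.9.1bis", "9.9.9.1", "9.9.9.1")]


def untranslate(dst, rules=RULES):
    """Inside -> dmz: map the destination the client used to the real host."""
    for r in rules:
        if r.mapped == dst:
            return r.real, r.name
    return dst, None


def translate(src, rules=RULES):
    """dmz -> inside: map the real source to its mapped address, first match."""
    for r in rules:
        if r.real == src:
            return r.mapped, r.name
    return src, None


def reply_source(dst_used, stateful, rules=RULES):
    """Source address the inside client sees on the reply from the real host."""
    real, _ = untranslate(dst_used, rules)
    if stateful:
        return dst_used            # conn entry restores what the client used
    return translate(real, rules)[0]  # rule table: first rule for 9.9.9.1 wins


def find_conflicts(rules=RULES):
    """Real addresses that appear in more than one static rule (config audit)."""
    counts = Counter(r.real for r in rules)
    return sorted(addr for addr, n in counts.items() if n > 1)
```

With the thread's rules, a stateless reply from 9.9.9.1 always comes back as 15.0.0.1, which is the ICMP symptom dan reported, and find_conflicts() flags 9.9.9.1 as mapped twice.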