(ASA 9.x) public subnet behind ASA, nat from this subnet to inside host

SebastianV · ‎07-08-2015

Greetings,

I am scratching my head over the following problem;

Client has an ASA5550 with 1 public ip address + gateway. Client also ordered a /28 public subnet from the provider. This /28 (let's say 6.6.6.64/28) is routed to the ASA.

Configuration:

ASA5550 with SSM, ASA 9.1(4), ASDM 7.4(2)

outside: g1/1.128 (provider uses vlans, don't ask me why), let's say 5.5.5.77/24 with 5.5.5.1 as the gateway.

inside: g1/1, 192.168.1.1/24

Only those interfaces are up since they are connected to other devices.

Challenge: I need to set up nat rules using ip's from the public /28 subnet to inside hosts, for example I need to nat 6.6.6.67 to 192.168.1.6 for RDP.

Actions so far:

I created:

- dmz interface on g1/1.99 (6.6.6.78/28), I used g1/1 since this interface is up. Security level 50.

- network object TESTSRV with static one-to-one nat for 192.168.1.6, translated address 6.6.6.67, source if=inside, dest if=dmz

- network object IP-6.6.6.67 with host 6.6.6.67

- access rule: dmz incoming, source: HOST_OUTSIDE, dest: TESTSRV

- access rule: outside incoming, source: HOST_OUTSIDE, dest: IP-6.6.6.67

Both access rules are triggered. Packet traces show that everything is fine and allowed. TCP connection from HOST_OUTSIDE to TESTSRV is build, but nothing happens after that.

I consider this to be hairpinning on the DMZ interface, but am confused as how to proceed.

Any thoughts greatly appreciated.

prateek.verma · ‎07-08-2015

Hi,

Try the following commands:

no nat (outside,dmz) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static IP-6.6.6.67 IP-6.6.6.67 no-proxy-arp route-lookup
object network IP-6.6.6.67-1
host 6.6.6.67
nat (dmz,outside) static DM_INLINE_NETWORK_5 tcp 3389 3389

Then try to run packet tracer:

packet-tracer input outside tcp 4.2.2.2 1024 192.168.1.6 3389 de

Please paste the output if it doesn't work

Regards,

Prateek Verma