Re: ASA Auto NAT applying two rules

mohamed shazly · ‎02-14-2023

Dears ;

I have a basic question regarding auto nat .
I have below scenario :
I have asa with two interfaces (inside and outside) (192.168.35.200/24 & 192.168.25.200/24)
i have two Linux machines (192.168.35.68 & 192.168.25.30) and have ASA as GW .
two Linux machines have auto nat configuration.

When I initiate ssh from 192.168.35.68 to 192.168.200.30 ,Does the two auto nat rules will be applied?

object network 192.168.35.68
host 192.168.35.68
object network obj-192.168.25.30
host 192.168.25.30
object network 192.168.35.68
nat (inside,outside) static obj-192.168.200.68
object network obj-192.168.25.30
nat (outside,inside) static obj-192.168.200.30

mohamed shazly · ‎02-14-2023

SRC 192.168.35.68 will be source-Natted to 192.168.200.68 And DST 192.168.200.30 will be D-Natted to 192.168.25.30 at a time ??

MHM Cisco World · ‎02-14-2023

this need to test I will try run lab and check

Karsten Iwen · ‎02-14-2023

Your config doesn't make any sense to me. What exactly do you want to achieve? With RFC1918 on both sides you likely don't need any NAT and can do pure routing and access-control. But if you really want to NAT source and destination at the same time, you should do it with a manual- or twice-NAT config.

mohamed shazly · ‎02-14-2023

I have tested it , just need to be sure about it from more experienced engineer .
Below is test :

Try ssh from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68).
Try ping from from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68)
Try ping from from linux machine (192.168.35.68) to Pre-NAT IP (192.168.200.30)
All tests works fine

Fourth :
Show commands==>when Try ping from from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68) :

ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 8
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 8
ciscoasa#

Cleared Nat counters==>When Try ping from from linux machine (192.168.35.68) to Pre-NAT IP (192.168.200.30)
ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 6
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 6
ciscoasa#

Cleared Nat counters===>when Try ssh from linux machine (192.168.25.30) to Pre-NAT IP (192.168.200.68).
ciscoasa# show natAuto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 0, untranslate_hits = 1
ciscoasa#

Attached Packet tracer file for ssh connection (not detailed and detailed)

MHM Cisco World · ‎02-14-2023

I know what you try to do,
if the client in IN and want to access Server in IN then client must use public IP of Server (instead of private IP) so you need one NAT not two as show below

mohamed shazly · ‎02-14-2023

@Karsten Iwen
i understand you .
Just need to confirm if two auto nat rules can be applied at time if there is matching traffic