ASA Auto NAT applying two rules

mohamed shazly (Level 1)

Dears,

I have a basic question regarding Auto NAT.
My scenario is as follows:
I have an ASA with two interfaces, inside and outside (192.168.35.200/24 and 192.168.25.200/24).
I have two Linux machines (192.168.35.68 and 192.168.25.30) that use the ASA as their gateway.
Both Linux machines have an Auto NAT configuration.

When I initiate SSH from 192.168.35.68 to 192.168.200.30, will both Auto NAT rules be applied?

object network 192.168.35.68
 host 192.168.35.68
object network obj-192.168.25.30
 host 192.168.25.30
object network 192.168.35.68
 nat (inside,outside) static obj-192.168.200.68
object network obj-192.168.25.30
 nat (outside,inside) static obj-192.168.200.30

6 Replies

mohamed shazly (Level 1)

Will SRC 192.168.35.68 be source-NATted to 192.168.200.68 and DST 192.168.200.30 be destination-NATted to 192.168.25.30 at the same time?

This needs to be tested; I will try to run it in a lab and check.

Your config doesn't make any sense to me. What exactly do you want to achieve? With RFC 1918 addresses on both sides you likely don't need any NAT and can do pure routing and access control. But if you really want to NAT source and destination at the same time, you should do it with a manual (twice) NAT config.

mohamed shazly (Level 1)

I have tested it; I just need to be sure about it from a more experienced engineer.
Below is the test:

First: try SSH from the Linux machine (192.168.25.30) to the pre-NAT IP (192.168.200.68).
Second: try ping from the Linux machine (192.168.25.30) to the pre-NAT IP (192.168.200.68).
Third: try ping from the Linux machine (192.168.35.68) to the pre-NAT IP (192.168.200.30).
All tests work fine.

Fourth:
Show commands
==> When trying ping from the Linux machine (192.168.25.30) to the pre-NAT IP (192.168.200.68):

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 8
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 8
ciscoasa#

NAT counters cleared ==> When trying ping from the Linux machine (192.168.35.68) to the pre-NAT IP (192.168.200.30):

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 6
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 1, untranslate_hits = 6
ciscoasa#

NAT counters cleared ==> When trying SSH from the Linux machine (192.168.25.30) to the pre-NAT IP (192.168.200.68):

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (outside) to (inside) source static obj-192.168.25.30 obj-192.168.200.30
    translate_hits = 1, untranslate_hits = 0
2 (inside) to (outside) source static 192.168.35.68 obj-192.168.200.68
    translate_hits = 0, untranslate_hits = 1
ciscoasa#

Attached: packet-tracer output for the SSH connection (non-detailed and detailed).

I know what you are trying to do:
if the client is on the inside and wants to access a server that is also on the inside, then the client must use the public IP of the server (instead of the private IP), so you need one NAT, not two, as shown below.
(Attached: Screenshot (285).png)


mohamed shazly (Level 1)

@Karsten Iwen
I understand you.
I just need to confirm whether two Auto NAT rules can be applied at the same time if there is matching traffic.
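The following is an added illustration, not code from the thread or from Cisco: a small Python model of how the ASA evaluates the two Auto NAT rules above against the SSH test (192.168.25.30 to 192.168.200.68), and of the single manual (twice) NAT rule suggested in the reply. It assumes one counter increment per new connection, first-match within the Auto NAT section, and that the egress interface comes from the NAT rule rather than a route lookup (the ASA default for static NAT). The interface and object names are the thread's own; the function names are invented for the example.

```python
"""Model of Cisco ASA NAT rule matching for the thread's scenario.

Added illustration, not ASA code. Assumptions: one hit-counter increment per
new connection, first match wins inside the Auto NAT section, and the egress
interface is taken from the matching NAT rule (no route lookup).
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ingress: str   # interface the first packet of the connection arrives on
    src: str
    dst: str


@dataclass
class AutoNatRule:
    """object network ... / nat (real_ifc,mapped_ifc) static <mapped>"""
    real_ifc: str
    mapped_ifc: str
    real: str
    mapped: str
    translate_hits: int = 0
    untranslate_hits: int = 0


def apply_auto_nat(rules, pkt):
    """Return (new_src, new_dst, egress) for a new connection.

    Source and destination are looked up independently, so one connection
    can touch two Auto NAT rules: one in the forward direction (translate)
    and one in reverse (untranslate). That is what the thread's third
    'show nat' output shows.
    """
    src, dst, egress = pkt.src, pkt.dst, None
    # Forward match: packet arrives on the rule's real interface from the real host.
    for r in rules:
        if r.real_ifc == pkt.ingress and r.real == pkt.src:
            src, egress = r.mapped, r.mapped_ifc
            r.translate_hits += 1
            break
    # Reverse match: packet arrives on the rule's mapped interface toward the mapped address.
    for r in rules:
        if r.mapped_ifc == pkt.ingress and r.mapped == pkt.dst:
            dst, egress = r.real, r.real_ifc
            r.untranslate_hits += 1
            break
    return src, dst, egress


@dataclass
class TwiceNatRule:
    """nat (src_ifc,dst_ifc) source static src_real src_mapped destination static dst_mapped dst_real"""
    src_ifc: str
    dst_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str
    translate_hits: int = 0
    untranslate_hits: int = 0


def apply_twice_nat(rules, pkt):
    """Static twice NAT is bidirectional: one rule carries both translations."""
    for r in rules:
        if r.src_ifc == pkt.ingress and r.src_real == pkt.src and r.dst_mapped == pkt.dst:
            r.translate_hits += 1
            return r.src_mapped, r.dst_real, r.dst_ifc
        if r.dst_ifc == pkt.ingress and r.dst_real == pkt.src and r.src_mapped == pkt.dst:
            r.untranslate_hits += 1
            return r.dst_mapped, r.src_real, r.src_ifc
    return pkt.src, pkt.dst, None   # no NAT: would fall through to plain routing


def demo_auto_nat():
    """The thread's two Auto NAT rules and its SSH test: 192.168.25.30 -> 192.168.200.68."""
    rules = [
        AutoNatRule("outside", "inside", "192.168.25.30", "192.168.200.30"),
        AutoNatRule("inside", "outside", "192.168.35.68", "192.168.200.68"),
    ]
    result = apply_auto_nat(rules, Packet("outside", "192.168.25.30", "192.168.200.68"))
    hits = [(r.translate_hits, r.untranslate_hits) for r in rules]
    return result, hits


def demo_twice_nat():
    """The same pair of translations as one manual (twice) NAT rule, tried in both directions."""
    rules = [TwiceNatRule("inside", "outside",
                          "192.168.35.68", "192.168.200.68",
                          "192.168.200.30", "192.168.25.30")]
    fwd = apply_twice_nat(rules, Packet("inside", "192.168.35.68", "192.168.200.30"))
    rev = apply_twice_nat(rules, Packet("outside", "192.168.25.30", "192.168.200.68"))
    return fwd, rev, (rules[0].translate_hits, rules[0].untranslate_hits)


if __name__ == "__main__":
    print(demo_auto_nat())    # (('192.168.200.30', '192.168.35.68', 'inside'), [(1, 0), (0, 1)])
    print(demo_twice_nat())
```

The Auto NAT run reproduces the thread's third `show nat` counters: rule 1 gets the translate hit (source 192.168.25.30 becomes 192.168.200.30) and rule 2 gets the untranslate hit (destination 192.168.200.68 becomes 192.168.35.68), so yes, two Auto NAT rules are consulted for one connection. The twice NAT run shows the same result carried by a single rule whose two counters track the two directions, which is why that form is easier to read and audit. On a real ASA the equivalent check is `packet-tracer input outside tcp 192.168.25.30 1025 192.168.200.68 22`, whose NAT phases name the rule(s) that matched.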
