02-03-2022 08:51 AM - edited 02-03-2022 10:02 AM
I have what I think is a fairly straightforward configuration, though I cannot quite seem to get it working. I need to have a few different DMZ hosts with PAT on a specific IP (that's not the ASA interface IP), where also if one of these hosts initiates an outbound connection it uses that specific IP, not the default one. All other hosts should just use the default translation.
It seems like if I use Static NAT with PAT, it translates traffic for just those matching ports (8001-8003) but any other traffic falls back to the default translation.
Example of what I'm trying to achieve:
Inbound:
Server1: 100.1.1.2:8001 -> 192.168.1.1:8001
Server2: 100.1.1.2:8002 -> 192.168.1.2:8002
Server3: 100.1.1.2:8003 -> 192.168.1.3:8003
Outbound:
Server1 initiates any outbound connection, it should come from (translate to) 100.1.1.2 not 100.1.1.1.
What's actually happening:
An outbound connection not matching those ports XLATs to 10.1.1.1 instead of 10.1.1.2:
UDP PAT from dmz:192.168.1.1/123 to outside:100.1.1.1/123 flags ri idle 0:01:00 timeout 0:00:30
If I add the following (see below for detail):
nat (dmz,outside) source dynamic SERVER_GROUP SERVER_IP_OUTSIDE
It does correctly translate to the correct external IP address, however the inbound PAT rules no longer work, like it's simply overriding/disabling the static PAT rules.
UDP PAT from dmz:192.168.1.1/123 to outside:100.1.1.2/123 flags ri idle 0:01:00 timeout 0:00:30
I've read through this reference document but it doesn't look like one of these examples is exactly my situation.
Relevant config:
ASA Version 9.9(2)36
interface GigabitEthernet1/1
 nameif outside
 ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet1/2
 nameif dmz
 ip address 192.168.1.254 255.255.255.0
object network SERVER_IP_OUTSIDE
 host 100.1.1.2
object network SERVER1_INSIDE
 host 192.168.1.1
 nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8001 8001
object network SERVER2_INSIDE
 host 192.168.1.2
 nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8002 8002
object network SERVER3_INSIDE
 host 192.168.1.3
 nat (dmz,outside) static SERVER_IP_OUTSIDE service tcp 8003 8003
object-group service SERVER_SERVICE
 service-object tcp destination range 8001 8003
access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.1
access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.2
access-list acl_outside extended permit object-group SERVER_SERVICE any host 192.168.1.3
object network NETWORK_OUTSIDE
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,outside) dynamic interface
! Tried adding this:
object-group network SERVER_GROUP
 network-object object SERVER1_INSIDE
 network-object object SERVER2_INSIDE
 network-object object SERVER3_INSIDE
nat (dmz,outside) source dynamic SERVER_GROUP SERVER_IP_OUTSIDE
This feels pretty rudimentary, but for some reason I'm just not able to make it work. Thanks!
02-04-2022 02:01 AM
This has to do with ordering of your NAT statements. Your PAT statements are placed into the "auto-NAT" section while the dynamic NAT for 100.1.1.2 is in "manual NAT".
I would suggest placing both dynamic NAT statements into after-auto with the NAT statement for 100.1.1.2 being above the statement for 100.1.1.1.
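The ordering described in the reply, written out as an added example (this is not config from the thread; it reuses the poster's object names and assumes the ASA's three NAT sections, where manual rules without after-auto sit in Section 1 ahead of the auto NAT statics in Section 2):

```cisco
! Added example, not from the original thread. Move both dynamic rules into
! the after-auto manual NAT section (Section 3) so the auto NAT static PATs
! for 8001-8003 (Section 2) are evaluated first for inbound connections.
!
! 1. Remove the Section 1 manual rule that was shadowing the static PATs.
no nat (dmz,outside) source dynamic SERVER_GROUP SERVER_IP_OUTSIDE
!
! 2. Remove the auto NAT catch-all so the default PAT can be placed
!    explicitly below the server-specific rule.
object network NETWORK_OUTSIDE
 no nat (dmz,outside) dynamic interface
!
! 3. Section 3 rules are matched in configuration order, so the
!    server-specific PAT must be entered before the catch-all.
nat (dmz,outside) after-auto source dynamic SERVER_GROUP SERVER_IP_OUTSIDE
nat (dmz,outside) after-auto source dynamic any interface
!
! Verify: the three static PATs should be listed under
! "Auto NAT Policies (Section 2)" and the two dynamic rules under
! "Manual NAT Policies (Section 3)", SERVER_GROUP first.
show nat
```

After the change, a new outbound flow from 192.168.1.1 should show in show xlate as a PAT to 100.1.1.2, while flows from other DMZ hosts still map to the interface address 100.1.1.1.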