05-15-2015 10:04 AM - edited 03-11-2019 10:57 PM
Hi
IOS CLI:
object network SERVER-PUBLIC
 host 3.0.0.2
 ! (just an example IP address)
object network SERVER-LOCAL
 host 172.16.5.45
 ! (just an example IP address)
!
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
Based on debugs, this setup translates any source address to the ASA's "inside" IP address (3.0.0.2) and at the same time changes the destination of the packet(s) to my internal web server at 172.16.5.45. This works wonderfully!!!
My Question:
If we have multiple internal RFC 1918 addressed web servers, do I just create multiple network object groups and add additional nat (outside,inside) etc. statements, or is there a better way?
My ASA inside interface can have a /20 IP address assigned if needed.
Thanks again
Frank
05-15-2015 03:38 PM
For multiple inside servers you can configure multiple NAT-entries. But if there are many servers, you can also do a network-nat:
object network TEST1
 subnet 192.0.2.0 255.255.255.0
object network TEST2
 subnet 192.168.24.0 255.255.255.0
!
nat (outside,inside) source dynamic any interface destination static TEST1 TEST2
In this example, a request to 192.0.2.99 is translated to 192.168.24.99, a request to 192.0.2.100 is translated to 192.168.24.100 and so on.
But why do you want to translate the source-address of the client to one of your IPs? You won't see the real client's IP any more, which could be quite useful for your access-logs.
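To make the net-to-net behaviour of that rule concrete, here is an added Python model (not Cisco's code and not part of the thread) of what the ASA does with it: the destination is mapped one-to-one by keeping the host bits and swapping the prefix of TEST1 for TEST2, and the source is PAT'ed to the inside interface address with a port stored in a per-firewall xlate table. The subnets and the 3.0.0.2 interface address are the example values from the thread; the client address 198.51.100.7, the port numbers and the class/function names are constructed for the example. The xlate table also shows why return traffic has to come back through the same ASA: a second box with no xlate has nothing to untranslate with and returns None, which is the drop the original poster is designing around.

```python
import ipaddress
from itertools import count

# Example values from the thread: mapped (outside-facing) subnet TEST1,
# real (inside) subnet TEST2, and the ASA "inside" interface address.
MAPPED_NET = ipaddress.ip_network("192.0.2.0/24")   # object network TEST1
REAL_NET = ipaddress.ip_network("192.168.24.0/24")  # object network TEST2
INSIDE_IF = ipaddress.ip_address("3.0.0.2")         # ASA inside interface (example IP)


def static_net_to_net(addr, from_net=MAPPED_NET, to_net=REAL_NET):
    """One-to-one static net NAT as in 'destination static TEST1 TEST2'.

    The host portion of the address is preserved and only the network prefix
    is swapped, so 192.0.2.99 becomes 192.168.24.99.  Returns None when the
    address is outside from_net, i.e. the NAT rule does not match at all.
    """
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static net-to-net NAT needs equal-sized subnets")
    if addr not in from_net:
        return None
    host_offset = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_offset))


class AsaXlateTable:
    """Minimal model (constructed for this example) of one firewall's xlate table
    for 'nat (outside,inside) source dynamic any interface destination static ...'.

    Forward direction: the client source is PAT'ed to the inside interface address
    plus a fresh port, and the destination is statically mapped.  The reverse
    direction only works on the box that created the xlate; state is not shared.
    """

    def __init__(self, interface_addr=INSIDE_IF, first_port=1024):
        self.interface_addr = str(ipaddress.ip_address(interface_addr))
        self._ports = count(first_port)
        self.forward = {}   # (orig_src, orig_sport) -> pat_port
        self.reverse = {}   # pat_port -> (orig_src, orig_sport)

    def outside_to_inside(self, src, sport, dst, dport):
        """Client -> server.  Returns (new_src, new_sport, new_dst, dport) or None."""
        real_dst = static_net_to_net(dst, MAPPED_NET, REAL_NET)
        if real_dst is None:
            return None  # rule does not match this destination
        key = (str(ipaddress.ip_address(src)), sport)
        if key not in self.forward:
            pat_port = next(self._ports)
            self.forward[key] = pat_port
            self.reverse[pat_port] = key
        return (self.interface_addr, self.forward[key], real_dst, dport)

    def inside_to_outside(self, src, sport, dst, dport):
        """Server -> client return traffic, untranslated via the local xlate only."""
        dst = str(ipaddress.ip_address(dst))
        if dst != self.interface_addr or dport not in self.reverse:
            return None  # no xlate on this firewall: asymmetric return path fails
        mapped_src = static_net_to_net(src, REAL_NET, MAPPED_NET)
        if mapped_src is None:
            return None
        orig_src, orig_sport = self.reverse[dport]
        return (mapped_src, sport, orig_src, orig_sport)


if __name__ == "__main__":
    asa_a = AsaXlateTable()
    fwd = asa_a.outside_to_inside("198.51.100.7", 51000, "192.0.2.99", 80)
    print("ASA-A forward:", fwd)
    print("ASA-A return :", asa_a.inside_to_outside("192.168.24.99", 80, fwd[0], fwd[1]))
    asa_b = AsaXlateTable()  # a second firewall that never saw the first packet
    print("ASA-B return :", asa_b.inside_to_outside("192.168.24.99", 80, fwd[0], fwd[1]))
```

Running the block prints the translated forward tuple, the correctly untranslated return packet on the same firewall, and None for the second firewall, which is the asymmetric-routing failure the source translation to the interface address is meant to prevent.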
05-15-2015 06:46 PM
Hi Karsten,
Thanks for the assistance as it is greatly appreciated.
The topology:
Intranet----------ASA----|
| |
| |
| VPN_R---R---ASA----BR---Internet---Remote_site_VPN_termination_point_R
| |
| |
| VPN_R---R---ASA----BR---Internet---Remote_site_VPN_termination_point_R
| |
| |
Intranet----------ASA----|
Each VPN_R has an IPSec tunnel to both Remote_Site_VPN_Termination_point_R’s to support Internet/Intranet initiated communications to remote site web servers. If the remote sites try to utilize the 0/0 network for return traffic, this will obviously fail. By NATing the original packets' SOURCE address to the ASA’s “inside” interface, NATing the DESTINATION to the private address of the web server(s), and announcing the ASA’s “inside” IP address to the remote site routers, traffic always flows back through the same stateful devices and on to the original host. Additionally, the Intranet addresses are not summarizable. On the positive side, we take the full IRT on each BR.
Each VPN_R also has an IPSec tunnel to 1 of the Remote_Site_VPN_Termination_point_R’s for remote site initiated communications to the Internet. Since Internet addresses are unknown to the VPN routers, we must use the Gateway of Last Resort (0/0), but only through this 3rd IPSec tunnel from the Remote_Site_VPN_Termination_point_R’s. BGP announces the default (0/0) from each VPN_R to 1 of the Remote_Site_VPN_Termination_point_R’s. And since the remote site infrastructure devices are configured with RFC 1918 addresses, the ASA will NAT the source address of outbound packets using its “outside” interface addresses and thus ensures return traffic also returns through the same stateful devices.
The real problem with this setup is that none of the ASA firewalls share state and the Intranet IP space is not summarizable in any form or fashion. Both VPN_R’s are configured as Zone Based Policy Firewalls (ZbPF) due to a security requirement of no cross-tunnel communications and ingress/egress application limits.
Is this the best way to set up this environment? No, but it is what it is. I’m just trying to make it work and greatly appreciate your assistance. And obviously, I'm open to your suggestions and comments!!!
:)
Thanks and Happy day
Frank