11-24-2010 01:24 AM - edited 03-11-2019 12:13 PM
I am having a problem with policy NAT on an ASA 5510. The customer has supplied me with the following conditions, but so far I have been unable to get it to work.
Please see the attached PDF document for the diagram.
All of the 10.1.1.0/24 network hides behind the outside address of 192.168.1.254 on FW1.
When connecting to the server at 172.16.1.1, the source address of 192.168.1.254 must target 192.168.1.11 on the same network. 192.168.1.11 must then be NATted to 10.50.1.11 on the inside interface of FW2. This is the only source address that is allowed to connect to 172.16.1.1.
I have tried different variations of policy NAT but nothing seems to work. I believe this to be my configuration error rather than the possibility that the ASA can't do this.
Any assistance is most appreciated.
regards
Keith
11-24-2010 02:16 PM
OK, if you say destination is 192.168.1.11 that means they are actually NATing the server to that ip address, not NATing the client (source) to that IP.
Before I go any further, this server will only be accessible for this customer? Not for anybody else, right?
If this is the case, then you would need the following on your FW2:
static (inside,outside) 192.168.1.11 172.16.1.1 netmask 255.255.255.255
Then the following to NAT 192.168.1.254 to 10.50.1.11:
static (outside,inside) 10.50.1.11 192.168.1.254 netmask 255.255.255.255
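To sanity-check the translation chain in this answer, here is an added Python model (not from the thread or any Cisco tool) that applies FW1's PAT and FW2's two statics to one packet and its reply, and shows that the server only ever sees 10.50.1.11 as the source; the server-side source filter is an assumption taken from the customer's stated requirement.

```python
import ipaddress

# Added example (not from the thread): a small model of the two-firewall NAT
# chain discussed above, used to check what source address the server sees.
CLIENT_NET = ipaddress.ip_network("10.1.1.0/24")
FW1_OUTSIDE = "192.168.1.254"   # FW1 hides 10.1.1.0/24 behind this address
SERVER_REAL = "172.16.1.1"      # real server address on FW2's inside
SERVER_MAPPED = "192.168.1.11"  # static (inside,outside) 192.168.1.11 172.16.1.1
CLIENT_MAPPED = "10.50.1.11"    # static (outside,inside) 10.50.1.11 192.168.1.254


def fw1_outbound(src, dst):
    """FW1 PAT: every 10.1.1.0/24 source leaves as 192.168.1.254; the
    destination (192.168.1.11) is on the directly connected transit net."""
    if ipaddress.ip_address(src) in CLIENT_NET:
        return FW1_OUTSIDE, dst
    return src, dst


def fw2_inbound(src, dst):
    """FW2 outside -> inside: un-NAT the destination via the server static
    and NAT the source via the client static. Each static only fires when
    the packet actually carries its mapped/real address."""
    new_dst = SERVER_REAL if dst == SERVER_MAPPED else dst
    new_src = CLIENT_MAPPED if src == FW1_OUTSIDE else src
    return new_src, new_dst


def fw2_return(src, dst):
    """FW2 inside -> outside for the reply: both statics are bidirectional,
    so the server's real address is hidden and the client mapping reversed."""
    new_src = SERVER_MAPPED if src == SERVER_REAL else src
    new_dst = FW1_OUTSIDE if dst == CLIENT_MAPPED else dst
    return new_src, new_dst


def server_accepts(src):
    """Assumed server-side filter: only the NATted source 10.50.1.11 may connect."""
    return src == CLIENT_MAPPED


def trace(client_src):
    """Walk one packet from client_src to the server's mapped address and the
    reply back out of FW2. Returns (addresses the server sees, accepted?,
    addresses on the reply as it leaves FW2's outside)."""
    s1, d1 = fw1_outbound(client_src, SERVER_MAPPED)
    seen_by_server = fw2_inbound(s1, d1)
    accepted = server_accepts(seen_by_server[0])
    reply = fw2_return(seen_by_server[1], seen_by_server[0])
    return seen_by_server, accepted, reply
```

A source that does not come through FW1's PAT (for example another host on the 192.168.1.0/24 transit net) is left untranslated by FW2 and therefore rejected by the server, which is the behaviour the customer asked for.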
11-24-2010 01:57 AM
Sorry, can you please confirm that this is what you are trying to achieve:
-- All traffic from 10.1.1.0/24 destined for server with ip address of 172.16.1.1 needs to be NATed to 10.50.1.11, ie:
basically PAT 10.1.1.0/24 to 10.50.1.11 ?
I am not quite sure what you mean by "target 192.168.1.11 on the same network". Do you mean that 172.16.1.1 needs to be seen as 192.168.1.11 by the 10.1.1.0/24 network?
11-24-2010 02:25 AM
The customer is trying to avoid all routing on his own network, therefore he hides all outgoing traffic behind 192.168.1.254, which is directly connected to his own firewall. If he has a source address of 192.168.1.254 and a destination address of 192.168.1.11, then he has no need to apply any routing because it is all directly connected.
This means that FW2 has all the work to do. He has to take the address of 192.168.1.11 on the outside and NAT it to 10.50.1.11 on the inside.
The server they are trying to connect to on the other side of the MPLS cloud, 172.16.1.1, is only allowed to accept a source address of 10.50.1.11.
Basically the customer wants to connect to 172.16.1.1 with source address 10.50.1.11 (NAT from 192.168.1.11).
Hope that helps.
Many thanks for taking the time to look at this problem.
Keith
11-24-2010 02:32 AM
Sorry, but isn't it easier to PAT all traffic from source 10.1.1.0/24 destined for 172.16.1.1 directly to 10.50.1.11?
I don't quite understand why you have to triple NAT the traffic from 10.1.1.0/24?
At the moment, if I understand you, you are trying to:
PAT from 10.1.1.0/24 to 192.168.1.254 then somehow NAT again to 192.168.1.11 and again to 10.50.1.11
Why not PAT directly from 10.1.1.0/24 to 10.50.1.11?
11-24-2010 02:46 AM
Yes, you are right of course; unfortunately, both customers have the same network ranges, so we have to NAT to an address that is acceptable to both. The customer uses the transition network of 192.168.1.0/24 for all external connections.
11-24-2010 02:53 AM
You definitely can't NAT to FW1 outside interface (192.168.1.254) then NAT it again within the same network to 192.168.1.11.
You can NAT it directly to 192.168.1.11 on FW1 and then NAT it to 10.50.1.11 on FW2.
FW1:
access-list nat-to-server permit ip 10.1.1.0 255.255.255.0 host 172.16.1.1
nat (inside) 1 access-list nat-to-server
global (outside) 1 192.168.1.11
FW2:
static (outside,inside) 10.50.1.11 192.168.1.11 netmask 255.255.255.255
You would need to configure the ACL accordingly, and also "clear xlate" on both FWs after the above. I believe it should work.
11-24-2010 03:32 AM
Unfortunately, I have no control over the configuration on FW1; this device belongs to the customer. I only have control over FW2. When I observe traffic on FW2, I can see a source address of 192.168.1.254 and a destination of 192.168.1.11 but no translation to 10.50.1.11 at all.
I tried policy NAT with the following statement:
access-list outside_nat_outbound line 1 extended permit ip host 192.168.1.11 host 172.16.1.1
!
nat (outside) 1 access-list outside_nat_outbound
!
global (Inside) 1 10.50.1.11 netmask 255.255.255.255
but this didn't appear to work either.
Many thanks for your assistance with this issue.
11-25-2010 12:18 AM
Many thanks for the information. I have now solved the issue, the fix being extremely similar to your recommendation except that I used a static policy NAT. Your input has been extremely beneficial in helping me resolve the problem. Thank you for taking the time to look at this for me.
regards
Keith Newbould | Lead Technical Specialist - Networks | Technical & Resolver Group | UK Service Operations | BT Global Services |
11-25-2010 12:35 AM
Great to hear, Keith. Thanks for the ratings.