Cisco ASA 9.4 NAT Help

telmember
Level 1

Hi all:

I need your help understanding how this would be done. I got the outside-to-inside working, but it requires some fine tuning, and I need more understanding around it. If someone can put the commands together for me, that would be awesome.

 

I have four interfaces

 

1 - Outside - security level 0  - 200.1.1.1/24 Connected to internet and public networks

2 - Inside - security level 100 - 192.168.1.100/24

3 - WEBServers - security level 50 -192.168.2.100/24 

4 - APPS - security level 40 - 192.168.3.100/24

 

1) I would like to do the following, from Outside to Inside:

 

Source: 131.1.1.1

Destination: 200.1.1.25

Source NAT: Original

Destination NAT: 10.42.1.1 (inside destination)

Service: 22

------------

 

object network ip_200.1.1.25
 host 200.1.1.25

object network inside_server
 host 10.42.1.1
 nat (Inside,Outside) static ip_200.1.1.25

access-list EXTERNAL extended permit tcp any object ip_200.1.1.25 eq 22

 

I did this and it works, but I would like the NATting to be specific to the source instead of wide open to any.

 

2) I would like to do the following from APPS to Inside:

Source: 192.168.3.100

Destination: 10.1.1.23 (via inside)

Source NAT: 192.168.1.23

Destination NAT: Original

Service: any

 

3) From APPS and WEBServers to Outside:

 

Source: 192.168.3.11 and 192.168.2.11

Destination: 8.8.8.8

Source NAT: 200.1.1.2

Destination NAT: Original

Service: any

 

 


4 Replies

Francesco Molino
VIP Alumni

Hi

 

Here are my answers:

 

1. I believe you want to nat only for port 22.

The config will be:

object network src_host
 host 131.1.1.1

object network inside_server
 host 10.42.1.1
 nat (Inside,Outside) static ip_200.1.1.25 service tcp 22 22

! Object (auto) NAT cannot be limited by source, so the source restriction lives in the ACL.
! Since ASA 8.3 the ACL matches the real (untranslated) address, so it references
! inside_server, not the mapped object ip_200.1.1.25.
access-list EXTERNAL extended permit tcp object src_host object inside_server eq 22

 

2.

object network src
 host 192.168.3.100

object network dest
 host 10.1.1.23

object network natsrc
 host 192.168.1.23

! Interface names as defined in the original post; the real interface (APPS) comes first.
! "no-proxy-lookup" is not an ASA NAT keyword (the option is no-proxy-arp) and is not wanted
! here anyway: the ASA must answer ARP for 192.168.1.23 on Inside so replies can come back.
nat (APPS,Inside) source static src natsrc destination static dest dest

 

3. Same as 2

object network srcapp
 host 192.168.3.11

object network srcwebserver
 host 192.168.2.11

object network srcnat
 host 200.1.1.2

! The destination is 8.8.8.8, not the mapped address, and it gets its own object name so it
! does not overwrite the "dest" object (10.1.1.23) used in rule 2.
object network dest_8.8.8.8
 host 8.8.8.8

nat (APPS,Outside) source static srcapp srcnat destination static dest_8.8.8.8 dest_8.8.8.8

nat (WEBServers,Outside) source static srcwebserver srcnat destination static dest_8.8.8.8 dest_8.8.8.8

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you, Francesco:
Your input did help me understand the NAT.

 

I have two further questions please.

 

1) Would this work as well for manual NAT instead of auto NAT for the destination NAT (same interfaces and security settings as originally posted above)?


Requirement:
Source: 131.1.1.1
Destination: 200.1.1.25
Source NAT: Original
Destination NAT: 10.42.1.1
Service: 22

 

Solution:
object network remote-src_131.1.1.1
 host 131.1.1.1

object network ip_200.1.1.25
 host 200.1.1.25

object network server_10.42.1.1
 host 10.42.1.1

! "no-proxy-lookup" is not an ASA NAT keyword (the option is no-proxy-arp) and has been dropped.
nat (Inside,Outside) source static remote-src_131.1.1.1 remote-src_131.1.1.1 destination static ip_200.1.1.25 server_10.42.1.1

 

========================


2) How is the order of interfaces determined?

For example:
(inside, outside)

Is it always from high security to low security? I mean, when can it be (outside,inside)?

thank you again

object network remote-src_131.1.1.1
 host 131.1.1.1

object network ip_200.1.1.25
 host 200.1.1.25

object network server_10.42.1.1
 host 10.42.1.1

! "no-proxy-lookup" is not an ASA NAT keyword (the option is no-proxy-arp) and has been dropped.
nat (Inside,Outside) source static remote-src_131.1.1.1 remote-src_131.1.1.1 destination static ip_200.1.1.25 server_10.42.1.1

 

On this config, the NAT is wrong.

You can test:

nat (Inside,Outside) source static server_10.42.1.1 ip_200.1.1.25 destination static remote-src_131.1.1.1 remote-src_131.1.1.1

 

The interface position is based on real ifc vs mapped ifc. This means that your real server is inside and you want it to be NATted when communicating with outside networks. Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Just a quick note regarding your config, first example.

You said that the first (static) NAT is working, but the ACL contains the NAT IP, not the real one (the EXTERNAL ACL).

Nowadays, you have to use the real IP when doing ACLs, MPF, WCCP, etc.

 

Thanks,

Octavian
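Pulling the thread together, here is one complete configuration for the three requirements. It is an added example, not copied from any post above: it combines the twice-NAT inbound rule from Francesco's accepted answer, his APPS-to-Inside and outbound rules from the first reply, and Octavian's point that ACLs must match the real (untranslated) address. It assumes ASA 9.4 object and twice-NAT syntax, the interface nameifs listed in the original post (Outside, Inside, WEBServers, APPS), that 200.1.1.25 and 200.1.1.2 are otherwise unused on the Outside subnet so the ASA can proxy-ARP for them, and that in a twice-NAT service object `source` means the real server's own port. Object and ACL names are illustrative. For requirement 3 it uses dynamic PAT rather than two static rules, because two real hosts sharing one mapped address is a many-to-one translation, which a one-to-one static does not express.

```cisco
! Added example, not from the thread. Assumes ASA 9.4 and nameifs Outside / Inside / WEBServers / APPS.
! Object, service and ACL names are illustrative.

! --- 1) 131.1.1.1 -> 200.1.1.25:22, delivered to 10.42.1.1:22 ---------------------------------
object network remote-src_131.1.1.1
 host 131.1.1.1
object network ip_200.1.1.25
 host 200.1.1.25
object network server_10.42.1.1
 host 10.42.1.1
object service ssh_real
 service tcp source eq 22
! Twice NAT: (real_ifc,mapped_ifc) = (Inside,Outside) because the real host 10.42.1.1 sits
! behind Inside. The rule is bidirectional: a packet arriving on Outside from 131.1.1.1 to
! 200.1.1.25:22 matches the mapped side and its destination becomes 10.42.1.1:22. Because the
! destination clause names only 131.1.1.1, no other source hits this translation.
! "source eq 22" in the service object is the real server's own (reply) port, which is why the
! same object appears as both the real and the mapped service.
nat (Inside,Outside) source static server_10.42.1.1 ip_200.1.1.25 destination static remote-src_131.1.1.1 remote-src_131.1.1.1 service ssh_real ssh_real
! Since ASA 8.3 the ACL matches the real destination, not the mapped 200.1.1.25.
access-list EXTERNAL extended permit tcp object remote-src_131.1.1.1 object server_10.42.1.1 eq 22
access-group EXTERNAL in interface Outside

! --- 2) 192.168.3.100 -> 10.1.1.23, source rewritten to 192.168.1.23 --------------------------
object network apps_host_192.168.3.100
 host 192.168.3.100
object network apps_mapped_192.168.1.23
 host 192.168.1.23
object network inside_dest_10.1.1.23
 host 10.1.1.23
nat (APPS,Inside) source static apps_host_192.168.3.100 apps_mapped_192.168.1.23 destination static inside_dest_10.1.1.23 inside_dest_10.1.1.23
! APPS (level 40) to Inside (level 100) is low-to-high, so it needs an explicit permit,
! again written against the real addresses.
access-list APPS_IN extended permit ip object apps_host_192.168.3.100 object inside_dest_10.1.1.23
access-group APPS_IN in interface APPS

! --- 3) 192.168.3.11 and 192.168.2.11 -> 8.8.8.8, both seen as 200.1.1.2 ---------------------
object network app_host_192.168.3.11
 host 192.168.3.11
object network web_host_192.168.2.11
 host 192.168.2.11
object network pat_200.1.1.2
 host 200.1.1.2
object network google_dns_8.8.8.8
 host 8.8.8.8
! Two real hosts share one mapped address, so this is dynamic PAT, not a one-to-one static.
! The destination clause confines the translation to traffic for 8.8.8.8.
nat (APPS,Outside) source dynamic app_host_192.168.3.11 pat_200.1.1.2 destination static google_dns_8.8.8.8 google_dns_8.8.8.8
nat (WEBServers,Outside) source dynamic web_host_192.168.2.11 pat_200.1.1.2 destination static google_dns_8.8.8.8 google_dns_8.8.8.8
! High-to-low (40 and 50 -> 0) is permitted by default, so rule 3 needs no ACL.

! --- Checks: walk each flow through the NAT and ACL phases before trusting it -----------------
! Expected: first trace is allowed and shows the 200.1.1.25 -> 10.42.1.1 translation;
! the second (a different source) must be dropped, proving the rule is source-specific.
packet-tracer input Outside tcp 131.1.1.1 40000 200.1.1.25 22
packet-tracer input Outside tcp 131.1.1.2 40000 200.1.1.25 22
packet-tracer input APPS tcp 192.168.3.100 40000 10.1.1.23 443
packet-tracer input APPS udp 192.168.3.11 40000 8.8.8.8 53
show nat detail
show xlate
```

The `packet-tracer` lines are the cheapest way to answer the interface-order question from the thread: if the rule is written with the real and mapped interfaces swapped, the inbound trace fails at the NAT phase and `show nat detail` shows zero translate hits for that rule.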
