10-18-2011 03:57 AM - edited 03-11-2019 02:39 PM
Hi,
I have an ASA firewall and I am trying to understand the concept when ASA performs NAT from inside to outside. For example, if a host on the inside of the firewall were to access networks outside of the firewall multiple hops away, the IP address would be NATed based on the configuration. However, if the host would like to access the network directly outside of the ASA (same subnet as the outside interface of the ASA), based on packet capture I don't seem to see any NAT being performed. Instead it makes use of the internal IP address of the host. I was wondering if there may be additional configuration which may be used to ensure that the ASA performs the NAT even though hosts inside the ASA are accessing clients outside of the ASA but on the same subnet as the ASA outside interface. I have illustrated the diagram below:
10.0.0.0/24 (outside)---Layer 3 switch(20.0.0.1/22)--(20.0.0.2/22, Outside interface of ASA)--ASA--192.168.1.1/24(Inside interface of ASA)----PCs/hosts
The following configurations have been applied:
object network obj-20.0.3.10
 host 20.0.3.10
object network obj-192.168.1.10
 host 192.168.1.10
object network obj-192.168.1.10
 nat (Inside,Outside) static obj-20.0.3.10
When the clients try to access 10.0.0.0/24, I could see it being NATed to 20.0.3.10. However, when the clients try to access other devices on 20.0.0.0/22, I don't see any NATing being performed. I am seeing the actual host IP address (192.168.1.10) accessing the 20.0.0.0/22 subnet. I was wondering if there may be any configuration required to perform the NATing even though the client is accessing 20.0.0.0/22?
Thanks.
10-18-2011 04:57 AM
Hi,
Can you post the output of show run nat from the ASA? The 20.0.0.0/22 subnet, is that hanging off the L3 switch?
Varun
10-18-2011 06:32 AM
Hi Varun,
I have attached the show configuration of the NAT (I have removed some of it as it is a repetition of static NAT):
object network PAT
 host 20.0.1.254
object network obj-20.0.0.0
 subnet 20.0.0.0 255.255.252.0
object-group network Svr
 network-object 20.69.5.150 255.255.255.255
 network-object 20.69.5.152 255.255.255.255
 network-object 20.69.160.252 255.255.255.255
object network obj-192.168.1.0
 nat (Inside,Outside) dynamic PAT
object network is0
 nat (Inside,Outside) static 20.0.0.20
object network is1
 nat (Inside,Outside) static 20.0.0.30
.
object network obj-192.168.1.10
 nat (Inside,Outside) static obj-20.0.3.10
.
.
nat (Inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static Svr Svr unidirectional
nat (Inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-20.0.0.0 obj-20.0.0.0 unidirectional
You are correct that the 20.0.0.0/22 is hanging off the layer 3 switch. Not too sure if additional configuration is required to cause NAT to occur when inside hosts try to access 20.0.0.0/22 from 192.168.1.0? The code being used is 8.3(2).
Thanks.
10-19-2011 05:43 PM
Didn't realize that I had the following statements:
nat (Inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static Svr Svr unidirectional
nat (Inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-20.0.0.0 obj-20.0.0.0 unidirectional
Thanks for the assistance.
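The behaviour found in this thread comes down to ASA NAT rule ordering: the two manual twice NAT rules (Section 1) carry an identity translation for traffic from 192.168.1.0/24 towards 20.0.0.0/22 and the Svr hosts, and Section 1 is matched before the object NAT rules (Section 2), so the static 192.168.1.10 -> 20.0.3.10 entry never gets a chance for that destination. The following Python model is an added example, not part of the original thread or any Cisco code; the rule table is constructed from the configuration posted above, and the evaluation order (Section 1 top-down, then Section 2 with static before dynamic, first match wins) is an assumption based on documented ASA 8.3 behaviour.

```python
import ipaddress

# Constructed from the thread's "show run nat". Section 1 = manual (twice) NAT,
# evaluated top-down before Section 2 = object (auto) NAT. Assumption: first match wins.
SECTION1_TWICE_NAT = [
    # (source network, destination network, mapped source); None = identity NAT
    ("192.168.1.0/24", "20.69.5.150/32", None),
    ("192.168.1.0/24", "20.69.5.152/32", None),
    ("192.168.1.0/24", "20.69.160.252/32", None),
    ("192.168.1.0/24", "20.0.0.0/22", None),   # the rule that suppressed the static NAT
]
SECTION2_OBJECT_NAT = [
    # (source network, mapped source); static object NAT is ordered before dynamic PAT
    ("192.168.1.10/32", "20.0.3.10"),
    ("192.168.1.0/24", "20.0.1.254"),           # dynamic PAT fallback for the /24
]


def translate(src, dst, section1=SECTION1_TWICE_NAT, section2=SECTION2_OBJECT_NAT):
    """Return (mapped_source, matched_rule) for an inside->outside packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (src_net, dst_net, mapped) in enumerate(section1):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return (src if mapped is None else mapped, f"section1[{i}]")
    for i, (src_net, mapped) in enumerate(section2):
        if s in ipaddress.ip_network(src_net):
            return (mapped, f"section2[{i}]")
    return (src, "no-nat")


def without_rule(section1, dst_net):
    """Section 1 table with the identity rule for dst_net removed (the fix)."""
    return [r for r in section1 if r[1] != dst_net]


if __name__ == "__main__":
    # Before: destination in 20.0.0.0/22 hits the identity rule, source stays 192.168.1.10.
    print(translate("192.168.1.10", "10.0.0.5"))
    print(translate("192.168.1.10", "20.0.0.50"))
    # After removing the /22 identity rule, the static object NAT applies everywhere.
    fixed = without_rule(SECTION1_TWICE_NAT, "20.0.0.0/22")
    print(translate("192.168.1.10", "20.0.0.50", section1=fixed))
```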