Double NAT and NO NAT on ASA

wkamil123
Level 1

I need some advice on getting a NAT configuration done on an ASA. First of all, please see the attached simple topology scheme.

The NAT requirement is that all LOCAL LAN traffic on the inside side of the ASA must be NAT'ed to the 10.52.13.0/24 subnet when the destination is the BCC LAN (10.206.43.64/28).

All LOCAL LAN connections going to the 10.52.13.0/24 addresses must be NAT'ed to this subnet, and then there must be a no-NAT statement to the BCC subnet, but BCC must only know the 10.52.13.0 subnet.

I tested with this rule on the ASA:

nat (outside,inside) source static 10.206.43.64 10.52.13.0 destination static 10.52.7.0 10.52.7.0

This statement works only when the ASA's LOCAL LAN subnet is added to the crypto map policy on the BCC LAN router/firewall. If the policy has only the 10.52.13.0 subnet, it does not work.

I spent a lot of time trying to accomplish this, but without success. Does anyone have any idea or advice on how to accomplish this?

Regards, Kamil

5 Replies

chris noon
Level 1

The articles below explain in detail what you are trying to achieve, but you'll be looking to use an access-list with the static NAT to allow the NAT'ing.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html#wp1074755

The code will look something like this, e.g.:

! Policy static NAT (ASA 8.2 syntax): the ACL names the real inside source and the BCC destination
access-list LAN-TO-BCC extended permit ip 10.52.7.0 255.255.255.0 10.206.43.64 255.255.255.240
! 10.52.13.0/24 is the mapped address, applied only to traffic matching the ACL
static (inside,outside) 10.52.13.0 access-list LAN-TO-BCC

Chris, thanks for your reply, but I have ASA version 9.4.2 and I couldn't use ACLs in a NAT rule.

Understood. You will be looking at this article then:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-reference.html

Specifically this section: 'Different Translation Depending on the Destination Address and Port (Dynamic PAT)'.

Following this example, your code will look something like this:

Step 1 Add a network object for the inside network:

hostname(config)# object network LOCALLAN
hostname(config-network-object)# subnet 10.52.7.0 255.255.255.0

Step 2 Add a network object for the Other LAN server:

hostname(config)# object network BCCLAN
hostname(config-network-object)# subnet 10.206.43.64 255.255.255.240

Step 3 Add a network object for the NAT address when reaching BCCLAN:

hostname(config)# object network NAT-Trans
hostname(config-network-object)# subnet 10.52.13.0 255.255.255.0

Step 4 Configure the first twice NAT rule:

hostname(config)# nat (inside,outside) source dynamic LOCALLAN NAT-Trans destination static BCCLAN BCCLAN

Because you do not want to translate the destination address or port, you need to configure identity NAT for them by specifying the same address for the real and mapped destination addresses, and the same port for the real and mapped service.
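Putting steps 1 to 4 together as one pasteable configuration, with a verification step. This is an added example, not Chris's text and not from the Cisco guide; the interface names inside/outside and the object names come from the thread. It goes one step beyond step 4 by using a static rather than a dynamic source translation, because a same-size /24 to /24 static rule is bidirectional and gives each LOCAL LAN host a fixed 10.52.13.x address, which is what a remote site that only knows 10.52.13.0/24 needs; the test host addresses in the packet-tracer lines are constructed.

```cisco
! Added example: hide LOCAL LAN (10.52.7.0/24) behind 10.52.13.0/24 only when the
! destination is BCC LAN (10.206.43.64/28). Object and interface names follow
! the thread; everything else is an assumption for illustration.
object network LOCALLAN
 subnet 10.52.7.0 255.255.255.0
object network BCCLAN
 subnet 10.206.43.64 255.255.255.240
object network NAT-Trans
 subnet 10.52.13.0 255.255.255.0
!
! Static source translation between two /24s: fixed 1:1 mapping
! 10.52.7.x <-> 10.52.13.x, valid in both directions, so BCC hosts can also
! open connections to 10.52.13.x and no separate "no NAT" rule is needed.
! "destination static BCCLAN BCCLAN" is identity NAT: BCC addresses stay as they are.
! Use "source dynamic LOCALLAN NAT-Trans" instead to get the pool behaviour of step 4,
! at the cost of losing the fixed mapping for BCC-initiated traffic.
nat (inside,outside) source static LOCALLAN NAT-Trans destination static BCCLAN BCCLAN
!
! Verification: the rule should show hits, and the trace should show the source
! rewritten to 10.52.13.10 on the way out (sample hosts are constructed).
show nat detail
packet-tracer input inside tcp 10.52.7.10 1025 10.206.43.70 443 detailed
! Return direction from BCC to the mapped address: should untranslate to 10.52.7.10
packet-tracer input outside tcp 10.206.43.70 1025 10.52.13.10 443 detailed
```

One caveat that matches the behaviour described in the question: on the ASA, NAT is applied before the packet reaches the VPN, so if the ASA itself terminates the tunnel to BCC, the crypto ACL on both ends must describe the translated pair (10.52.13.0/24 to 10.206.43.64/28), not the real 10.52.7.0/24. Traffic that does not match this rule is not translated and keeps its 10.52.7.x source.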

The example above is used to temporarily allow the connection to BCCLAN.
My huge issue is that the network 10.206.43.64/28 is used in my WAN network, and that is the reason to hide it behind 10.52.13.0/24 addresses. So, all WAN connections going to a 10.52.13.0/24 address must be translated to BCCLAN.
The BCC site must only know the network 10.52.13.0/24.

I also tested with the following example, but I do not get any hits on the second NAT rule.

object network LOCALLAN
nat (inside,inside) source static NAT-Trans
nat (inside,outside) after-auto source static NAT-Trans NAT-Trans destination static BCCLAN BCCLAN

I suppose that it is not possible to accomplish a NAT configuration on the ASA like this, where the 'virtual address' is 10.52.13.0/24 and all connections with a destination in this range will be translated to BCCLAN.

I think I found the solution to close this case. On one of the WAN routers I'll translate all connections going to BCCLAN to 10.52.13.0 addresses, and the second NAT rule on the ASA (no NAT).
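For the "virtual address" question above: the ASA can translate a destination, not only a source, with the same twice NAT syntax, by giving the destination pair as "mapped real". The following is an added example, not the original poster's or Cisco's configuration. It assumes that the hosts reaching the virtual range sit behind inside, that the real BCC LAN is reached via outside, and it uses a /28 slice 10.52.13.64/28 of the virtual 10.52.13.0/24 range so that the mapping to 10.206.43.64/28 stays one-to-one; the next hop in the route is a placeholder.

```cisco
! Added example: send traffic addressed to a "virtual" subnet on to the real BCC LAN.
! Assumptions (not from the thread): clients are on inside, BCC is behind outside,
! and the virtual range is narrowed to a /28 so that the static mapping is 1:1.
object network LOCALLAN
 subnet 10.52.7.0 255.255.255.0
object network BCCLAN
 subnet 10.206.43.64 255.255.255.240
object network BCC-VIRTUAL
 subnet 10.52.13.64 255.255.255.240
!
! Twice NAT writes the destination pair as "mapped real": a packet from LOCALLAN
! to 10.52.13.70 leaves outside with its destination rewritten to 10.206.43.70,
! and the reply is mapped back on the way in. The source is left alone
! (identity NAT LOCALLAN LOCALLAN).
nat (inside,outside) source static LOCALLAN LOCALLAN destination static BCC-VIRTUAL BCCLAN
!
! The real BCC subnet must still be reachable out of outside; 203.0.113.1 is a
! placeholder next hop, not an address from the thread.
route outside 10.206.43.64 255.255.255.240 203.0.113.1
!
! Verification (sample hosts constructed): the trace should show the destination
! rewritten to 10.206.43.70 and the rule counter in "show nat detail" incrementing.
packet-tracer input inside tcp 10.52.7.10 1025 10.52.13.70 443 detailed
show nat detail
```

Because the rule only matches packets whose destination is already in 10.52.13.64/28, the upstream routers must deliver that range to the ASA's inside interface; a rule with zero hits usually means the packets are being routed elsewhere before they reach the firewall, which is the first thing to check before changing the NAT statement.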

If you are happy, I will stop investigating, but you should be able to perform the following on the ASA:

1. NAT the LAN to the pool

2. Route only the pool over to the BCC LAN

If you want us to continue looking at the issue please say so.
