12-21-2015 04:33 AM - edited 03-12-2019 12:03 AM
I need some advice on getting a NAT configuration done on an ASA. First of all, please see the attached simple topology scheme.
The NAT configuration is that all LOCAL LAN traffic on the inside side of the ASA must be NAT'ed to the 10.52.13.0/24 subnet when the destination of the traffic is the BCC LAN (10.206.43.64/28).
All LOCAL LAN connections going to the 10.52.13.0/24 addresses must be NAT'ed to this subnet, and then there must be a no-NAT statement for the BCC subnet, but BCC must only know the 10.52.13.0 subnet.
I tested this rule on the ASA:
nat (outside,inside) source static 10.206.43.64 10.52.13.0 destination static 10.52.7.0 10.52.7.0
This statement works only when the ASA's LOCAL LAN subnet is added to the crypto map policy on the BCC LAN router/firewall. If the policy has only the 10.52.13.0 subnet, it does not work.
I have spent a lot of time trying to accomplish this, but without success. Does anyone have an idea or advice on how to accomplish this?
Regards Kamil
12-21-2015 08:09 AM
The articles below explain in detail what you are trying to achieve, but you'll be looking to use an access-list with the static NAT to allow the NAT'ing.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html#wp1074755
The code will look something like this:
e.g.
! Policy static NAT (pre-8.3 syntax): the ACL matches the real LAN source
! and the BCC destination; the static maps matching traffic to 10.52.13.0/24
hostname(config)# access-list LAN-TO-BCC extended permit ip 10.52.7.0 255.255.255.0 10.206.43.64 255.255.255.240
hostname(config)# static (inside,outside) 10.52.13.0 access-list LAN-TO-BCC
12-21-2015 08:54 AM
Chris, thanks for your reply, but I have ASA version 9.4.2 and I can't use ACLs in the NAT rule.
12-22-2015 05:46 AM
Understood. You will be looking at this article then:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-reference.html
Specifically this section 'Different Translation Depending on the Destination Address and Port (Dynamic PAT)'.
Following this example, your code will look something like:
Step 1 Add a network object for the inside network:
hostname(config)# object network LOCALLAN
hostname(config-network-object)# subnet 10.52.7.0 255.255.255.0
Step 2 Add a network object for the Other LAN server:
hostname(config)# object network BCCLAN
hostname(config-network-object)# subnet 10.206.43.64 255.255.255.240
Step 3 Add a network object for the NAT address when reaching BCCLAN:
hostname(config)# object network NAT-Trans
hostname(config-network-object)# subnet 10.52.13.0 255.255.255.0
Step 4 Configure the first twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic LOCALLAN NAT-Trans destination static BCCLAN BCCLAN
Because you do not want to translate the destination address or port, you need to configure identity NAT for them by specifying the same address for the real and mapped destination addresses, and the same port for the real and mapped service.
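Putting the reply above together as a complete configuration, with the checks a practitioner would run afterwards. This is an added example, not from the original thread or from Cisco's documentation. The interface names inside/outside and the three object names are taken from the reply; the ACL name VPN-BCC, the crypto map name OUTSIDE_MAP and its sequence number, and the test host 10.52.7.10 are assumptions. The rule uses source static instead of the reply's source dynamic because both subnets are /24, which gives a fixed 1:1 mapping that also works for connections the BCC side opens towards 10.52.13.x.

```text
! Network objects, as in the reply above
object network LOCALLAN
 subnet 10.52.7.0 255.255.255.0
object network BCCLAN
 subnet 10.206.43.64 255.255.255.240
object network NAT-Trans
 subnet 10.52.13.0 255.255.255.0
!
! Twice NAT (manual NAT, section 1, evaluated before any object NAT).
! Real and mapped source are both /24, so 'source static' gives a fixed
! 1:1 map (10.52.7.x <-> 10.52.13.x) that also applies to BCC-initiated
! connections. 'destination static BCCLAN BCCLAN' is identity NAT, so the
! BCC addresses are left untouched. Traffic to any other destination does
! not match this rule and is not translated by it.
nat (inside,outside) source static LOCALLAN NAT-Trans destination static BCCLAN BCCLAN
!
! Interesting-traffic ACL for the BCC tunnel. The ASA translates before it
! evaluates the crypto map, so the ACL must name the mapped subnet, and the
! BCC side mirrors it (10.206.43.64/28 <-> 10.52.13.0/24) without ever
! seeing 10.52.7.0/24. ACL name, crypto map name and sequence are assumed.
access-list VPN-BCC extended permit ip object NAT-Trans object BCCLAN
crypto map OUTSIDE_MAP 10 match address VPN-BCC
!
! Checks: confirm the rule sits in section 1 and has translate hits, and
! trace a test flow end to end (host 10.52.7.10 is a made-up example).
show running-config nat
show nat detail
packet-tracer input inside tcp 10.52.7.10 40000 10.206.43.70 443 detailed
```

In the packet-tracer output the NAT phase should show the source 10.52.7.10 translated to 10.52.13.10, followed by the VPN phases for the tunnel to BCC. If the NAT phase shows no translation, look for an earlier manual rule (for example a broad NAT exemption for other VPN traffic) that matches first, because section 1 is first-match in configured order. If only LAN-initiated connections are needed, `source dynamic LOCALLAN NAT-Trans` as in the reply works as well; static is required only when BCC must be able to open connections towards 10.52.13.x.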
12-22-2015 11:24 AM
The example above is used to temporarily allow the connection to BCCLAN.
My huge issue is that the network 10.206.43.64/28 is used in my WAN network, and that is the reason for hiding it behind 10.52.13.0/24 addresses. So all WAN connections going to a 10.52.13.0/24 address must be translated to BCCLAN.
The BCC site must only know the network 10.52.13.0/24.
I also tested the following example, but I do not have any hints for the second NAT rule.
object network LOCALLAN
nat (inside,inside) source static NAT-Trans
nat (inside,outside) after-auto source static NAT-Trans NAT-Trans destination static BCCLAN BCCLAN
I suppose it is not possible to accomplish a NAT configuration like this on the ASA, where the 'virtual address' is 10.52.13.0/24 and all connections with this address as the destination are translated to BCCLAN.
I think I have found a solution to close this case. On one of the WAN routers I'll translate all connections going to BCCLAN to the 10.52.13.0 address, and the second NAT rule on the ASA will be a no-NAT.
12-23-2015 12:25 AM
If you are happy, I will stop investigating, but you should be able to do the following on the ASA:
1. NAT the LAN to the pool
2. Route only the pool over to the BCC LAN
If you want us to continue looking at the issue please say so.