Re: Doubt about correct NAT setup

tr_onlinepos_dk · ‎12-20-2019

Hi.

I beleave that my NAT setup is not optimal and/or correct - but works

I have one wish: i need to see orginal host ip on other subnet

I have 3 subnets connected thru ASA 5506. (simplified)

They are routed using eigrp.

1) 192.168.16.0/16 - Orginal "Core" net with servers - Connects everywhere

2) 10.10.20.0/24 - Support_Net - Connects to outside and Core

3) 10.10.60.0/24 - Lager_Net - Connects to outside and Core

I have these NAT rules today - Are the correct and optimal for intersubnet communication with orginal host ip visable

Here are NAT rules:

1 (Terminal_Net) to (outside) source dynamic any interface
  translate_hits = 13107, untranslate_hits = 2
  Source - Origin: 0.0.0.0/0, Translated: x.x.x.x./30
2 (Terminal_Net) to (Core_Link_1) source static any interface unidirectional
  translate_hits = 241, untranslate_hits = 0
  Source - Origin: 0.0.0.0/0, Translated: 192.168.20.1/20
 
3 (Lager_Net) to (outside) source dynamic any interface
  translate_hits = 191, untranslate_hits = 6
  Source - Origin: 0.0.0.0/0, Translated: x.x.x.x./30
4 (Lager_Net) to (Core_Link_1) source static any interface unidirectional
  translate_hits = 241, untranslate_hits = 0
 Source - Origin: 0.0.0.0/0, Translated: 192.168.20.1/20

5 (Core_Link_1) to (outside) source dynamic any interface
  translate_hits = 4651, untranslate_hits = 1
  Source - Origin: 0.0.0.0/0, Translated: x.x.x.x./30

Rob Ingram · ‎12-20-2019

Hi,
Any reason why have you configured "unidirectional" on some of your NAT rules?

On the NAT rules from Terminal_Net to Core_Link_1 and Lager_Net to Core_Link_1 you are natting traffic behind the interface. If you want to ensure that traffic between those networks is not natted (therefore you see the original IP addresses) you should configure a NAT exemption rule.

E.g - "nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE REMOTE no-proxy-arp"

You can use packet-tracer to determine if the correct NAT rules are matched.

HTH