Having a NAT Problem

So, in this particular configuration, I have an ASA connected to a cable modem, providing me a single static IP.

Cable modem gateway - 1.1.1.2 /30
ASA interface "outside" - 1.1.1.1 /30

I have a DMZ setup, with a single device in it:

ASA interface "dmz" - 2.2.2.1 /30
DMZ device - 2.2.2.2 /30

I need to allow the device in the DMZ to establish an IKEv2/IPSEC tunnel to AWS, and allow AWS to establish the same to the device.

When I try to Static NAT 2.2.2.2 to 1.1.1.1, the ASA won't let me:

  • [ERROR] nat (dmz-device,outside) static outside-IP
  • Address 1.1.1.1 overlaps with outside interface address.
  • ERROR: NAT Policy is not downloaded

What am I doing wrong in my NAT config / how do I properly NAT this?

Thank you!

4 Replies

@brian.emil.harris  try this, use "interface".

object network DMZ-DEVICE
 host 2.2.2.2
 nat (dmz,outside) static interface

Thank you!

Should I be able to successfully packet-tracer this?

Specifically, from the peer IP of the AWS to the external IP/NAT of the interface, udp/500 and see it unwrap and send to the 2.2.2.2 host?

Because my packet-tracer is failing after the ACCESS-LIST, drop by implicit rule...

Yes you can, you need to use the NAT IP address as the destination rather than the real IP address. Provide the output of the CLI for review.

How is your inbound ACL configured?

FYI, you'll also not be able to terminate a VPN on the outside interface as udp/500 is now in use by the NAT object.
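The pieces the two replies above describe, assembled into one ASA configuration as an added example (this is not configuration posted by anyone in the thread): the network object with the static interface NAT, an inbound ACL that limits what the exposed host can receive from the internet, and a packet-tracer aimed at the NAT address rather than the real one. The object name dmz-device, the outside address 1.1.1.1 and the DMZ host 2.2.2.2 are taken from the thread; the AWS peer address 3.3.3.3, the object name aws-vpn-peer, the ACL name OUTSIDE-IN and an ASA running 8.3 or later (object NAT) are assumptions.

```cisco
! Added example, not from the thread. Assumed: AWS peer 3.3.3.3, ACL name OUTSIDE-IN.
! Addresses from the thread: outside interface 1.1.1.1/30, DMZ device 2.2.2.2/30.
object network dmz-device
 host 2.2.2.2
 description Vendor VPN endpoint in the DMZ
 ! One-to-one static NAT to the outside interface's own address. This is the
 ! form the ASA accepts; "static 1.1.1.1" is rejected as overlapping the
 ! interface IP. The ASA warns that ALL traffic sent to 1.1.1.1 is now
 ! redirected to 2.2.2.2, so nothing can be terminated on the outside
 ! interface itself any more (this is the udp/500 caveat from the reply).
 nat (dmz,outside) static interface

object network aws-vpn-peer
 host 3.3.3.3
 description AWS VPN endpoint (assumed address)

! Inbound ACL: the interface NAT exposes the whole DMZ host, so the ACL is
! what limits exposure. Permit only the AWS peer, and only IKE (udp/500),
! NAT-T (udp/4500) and ESP. Destinations are the REAL address (2.2.2.2):
! on ASA 8.3+ access lists are checked after untranslation.
access-list OUTSIDE-IN extended permit udp object aws-vpn-peer object dmz-device eq isakmp
access-list OUTSIDE-IN extended permit udp object aws-vpn-peer object dmz-device eq 4500
access-list OUTSIDE-IN extended permit esp object aws-vpn-peer object dmz-device
access-group OUTSIDE-IN in interface outside

! Verification. As the reply says, the destination is the NAT (outside)
! address, not 2.2.2.2. The trace should show an UN-NAT phase mapping
! 1.1.1.1 -> 2.2.2.2 and the ACCESS-LIST phase matching OUTSIDE-IN,
! ending in "Action: allow".
packet-tracer input outside udp 3.3.3.3 500 1.1.1.1 500 detailed
packet-tracer input outside udp 3.3.3.3 4500 1.1.1.1 4500 detailed
```

If the trace still stops at ACCESS-LIST with "drop by implicit rule", the usual cause is an ACL entry written against the mapped address 1.1.1.1 instead of the real address 2.2.2.2, or an access-group bound to the wrong interface.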

Alright, so, issuing the NAT command as:

object network dmz-device
nat (dmz,outside) static interface

gives me:

[WARNING] nat (dmz,outside) static interface
All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

No problems there.

Packet tracer now works:

packet-tracer input outside udp 3.3.3.3 500 4.4.4.4 500 det

Packet allowed. I don't know why it wasn't. I blew away the NAT, recreated it, and just re-attempted the packet-tracer, and everything works as expected.

I'm going to leave it alone.

Thanks for the caveat about not being able to establish a VPN on that interface. That shouldn't be a problem. I've got another interface that all of my other S2S tunnels are on; this particular one involves a vendor's "closed" system necessitating the dedicated cable modem link/interface and using their device sitting in my DMZ as the VPN peer for that setup.

Thank you again!!!
