
How to NAT to multiple interfaces in 8.3? Best Practice ?

Mohamed Hamid
Level 1

Hi Guys,

Having upgraded to 8.3 from 8.2, and having read much about the differences, it seems that 8.3 deals with NAT in a much more managed manner.

However, I am confused about how one would NAT a network object to multiple interfaces.

i.e. I know you can specify a NAT address within the network object; however, this only allows you to specify a single IP address.

What if I want to talk across multiple interfaces? How would I specify this?

Kind Regards

5 Replies

Jouni Forss
VIP Alumni

Hi,

I guess this question is also related to the problems you posted about in another post?

Would it be possible to have a look at your 8.2 format configurations to get a clear picture of your NAT configuration needs? I could perhaps give some information on how I would personally go about changing the rules if I were to manually migrate them from 8.2 to 8.3.

If you can share the configurations, can you please at least temporarily disable the "names" configuration in the ASA so that the IP addresses aren't being replaced by the "name" configurations? It would make going through the NAT configurations a lot easier.

On a side note..

In the new 8.3 and newer software levels you can specify the NAT source or destination interface as "any". This is good for situations where you want one NAT rule to apply towards many interfaces. In a sense you could perhaps NAT a single local address to a single NAT address towards any other interface on the ASA.

This can be risky though if you don't carefully go through your setup. This might even "break" something if the same host SHOULDN'T be NATed towards some interface.

- Jouni

Hi Jouni,

Thank you again for your reply. Yes, it is related to the other problem. I noticed that the migration script created 5 object networks, each with their specified NAT rules for the required interfaces. Although PING traffic seems to be going through and it is NATing on the required IP for that interface, traffic is still not returning.

In fact, regarding your point, I changed one of the NAT rules to "Any" and it suddenly was able to ping one of the interfaces based on a NAT translation for another interface.

However, I would prefer to have more control of the NATs and rather have the server NATed to an IP for each interface. Unless you believe this is not the best practice, I am willing to follow best methods.

PS. How do I temporarily disable the names config?

Much appreciated

Mohamed

Hi,

If you have the 8.2 configuration running on some ASA then I think you can use the "no names" command to make it so that the ASA won't replace IP addresses in configurations with the names configured in the "name" configuration lines. You can re-enable the previous setting with the command "names".

As I'm always paranoid, I would suggest issuing the command "show run" and then copying all of your "names" / "name" configuration lines just in case. They are located at the very beginning of the ASA configurations.

Sadly I can't say what the ASA has done with the command migration when updating from 8.2 to 8.3. This is because I have never done this for any of our environments. And the main reason for this is that I want to know EXACTLY what's configured on the ASAs and how the NAT should operate. So far this approach hasn't let me down.

- Jouni

I cannot post the full config; however, I have attempted to selectively post parts of my NAT config from 8.2.

Also attached is a simple diagram of my network. You will see two firewalls and the two hosts I am trying to get talking in 8.3. The host behind the ASA NATed perfectly fine to 10.1.2.40, and in the outer firewall I specified a route to allow access from that IP to the specified host on the 10.1.4.1 network.

global (10.0.0.1) 1 interface
nat (10.0.0.1) 0 access-list noNAT
static (10.0.0.1,10.1.2.3) 10.1.2.40 10.0.0.40 netmask 255.255.255.255

Kind Regards
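As an added example (not the poster's config and not from the migration script), here is how the 8.2 lines above translate into 8.3 manual NAT with one rule per interface, so the same host gets its own mapped address towards each interface, plus the identity rule that replaces "nat 0 access-list noNAT". The interface names inside/dmz/outside, the inside and remote subnets, and the second mapped address are assumptions.

```cisco
! ASA 8.3 equivalent of the posted 8.2 NAT lines (added example, assumed names).
! Assumed interface names: inside (real side), dmz and outside (mapped sides).

! Real host (from the thread) and the network behind the ASA (assumed).
object network SRV_REAL
 host 10.0.0.40
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0

! One mapped address per interface the host must be reached through.
! 10.1.2.40 is from the 8.2 static; the outside address is a placeholder.
object network SRV_MAPPED_DMZ
 host 10.1.2.40
object network SRV_MAPPED_OUTSIDE
 host 192.0.2.40

! Far-side network (assumed from the 10.1.4.x host in the thread).
object network REMOTE_NET
 subnet 10.1.4.0 255.255.255.0

! "static (..) 10.1.2.40 10.0.0.40" becomes one manual NAT rule per interface.
! Manual NAT static rules are bidirectional, so the reply traffic is
! untranslated on the way back without any extra rule.
nat (inside,dmz) source static SRV_REAL SRV_MAPPED_DMZ
nat (inside,outside) source static SRV_REAL SRV_MAPPED_OUTSIDE

! "nat (..) 0 access-list noNAT" becomes identity NAT. Line number 1 places it
! ahead of the static rules: manual NAT is evaluated top-down, first match wins,
! so the exempt flows must be listed before the translating rules.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET

! The "any" form Jouni described: one rule covers every other interface.
! It also translates towards interfaces where the host should keep its real
! address, so keep the per-interface rules above unless that is intended.
! nat (inside,any) source static SRV_REAL SRV_MAPPED_DMZ
```

After applying the rules, "show nat detail" lists the sections in evaluation order and "packet-tracer input inside icmp 10.0.0.40 8 0 10.1.4.26" shows which rule each direction hits, which is the quickest way to see why a reply is not coming back.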

Hi,

Just a small confirmation/check from my part.

Does the host 10.1.4.26 have any kind of NAT towards the host 10.0.0.40?

Or is it supposed to be visible to the other host with its original IP address?

In other words, NAT is done for host 10.0.0.4 BUT NOT for host 10.1.4.26?

- Jouni
