inside,inside NAT on ASA

rschember1
Level 1

Hopefully my terminology is correct. I'm not a Cisco expert by any means.

I have an ASA5506 at SiteA listening on 10.10.1.1 and an ASA5506 at SiteB listening on 10.10.20.1 and a site-to-site VPN between the two.

I have another device at SiteA listening on 10.10.1.9 that will only respond to traffic on the same subnet. It will not route traffic to a gateway, so all traffic to and from this device must be on the 10.10.1.0/24 subnet.

What kind of NAT or PAT rule do I need to configure to get a device on the 10.10.20.0/24 subnet at SiteB to be able to communicate with this 10.10.1.9 device at SiteA?

Thanks in advance,

--Rob

Hi @rschember1,

Your command looks ok, but you'll need to remove the 'no-proxy-arp' part. Since there is no 'real' host behind these IPs, the ASA must reply to ARP requests. If you use this command, you are telling the ASA not to reply to ARP requests, so the host can't send traffic at all.

On the other hand, I believe you don't need to create a NAT rule on SiteB:

  • On SiteB, traffic already arrives from 10.10.1.9 destined to 10.10.20.9
  • SiteB has scope 10.10.20.0/24, and knows how to route traffic to 10.10.1.0/24
  • From SiteB's standpoint, it will again forward the packet back from 10.10.20.9 to 10.10.1.9
  • SiteA would de-NAT the packet, by the same rule, from 10.10.20.9 to 10.10.1.8

BR,

Milos
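Putting Marvin's approach and the correction above together, the following is the complete SiteA side as an added example; it is not the configuration from the original post and not Cisco's own text. It assumes the object names used in the thread, that the SiteA inside interface is named inside (10.10.1.1/24) and the VPN-facing interface outside, and that a NAT-exempt (identity) rule for the site-to-site tunnel already exists as the first manual NAT rule, which is why the new rule is inserted at position 1 rather than appended.

```cisco
! Added example: SiteA ASA 5506 (assumed interface names: inside, outside)

! The non-routing host, the unused inside address the ASA will answer ARP for,
! and the real SiteB host
object network obj-10.10.1.9
 host 10.10.1.9
object network obj-10.10.1.8
 host 10.10.1.8
object network obj-10.10.20.9
 host 10.10.20.9

! Assumed pre-existing identity NAT (VPN exemption) for the tunnel, shown only so
! that the ordering below makes sense
object network net-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
object network net-10.10.20.0
 subnet 10.10.20.0 255.255.255.0
nat (inside,outside) source static net-10.10.1.0 net-10.10.1.0 destination static net-10.10.20.0 net-10.10.20.0 no-proxy-arp route-lookup

! Twice NAT: 10.10.1.9 -> 10.10.1.8 leaves the inside interface as 10.10.1.9 -> 10.10.20.9,
! which still matches a crypto ACL of 10.10.1.0/24 to 10.10.20.0/24. Static twice NAT is
! bidirectional, so 10.10.20.9 -> 10.10.1.9 arriving through the tunnel is rewritten to
! 10.10.1.8 -> 10.10.1.9; SiteB-initiated connections work with this rule alone.
! No 'no-proxy-arp': the ASA must answer ARP for 10.10.1.8 on inside, or 10.10.1.9 never
! resolves a MAC address for its "same-subnet" peer.
! Position 1 puts the rule above the identity rule, which would otherwise match the
! inbound 10.10.20.9 -> 10.10.1.9 packet first and leave the source untranslated.
nat (inside,outside) 1 source static obj-10.10.1.9 obj-10.10.1.9 destination static obj-10.10.1.8 obj-10.10.20.9

! Verification (constructed flows, ports chosen arbitrarily)
show nat detail
packet-tracer input inside tcp 10.10.1.9 40000 10.10.1.8 80 detailed
packet-tracer input outside tcp 10.10.20.9 40000 10.10.1.9 80 detailed
show xlate
```

The two packet-tracer runs should both end in ALLOW and show the NAT phase rewriting the destination to 10.10.20.9 (inside) and the source to 10.10.1.8 (outside). Leave SiteB's NAT untouched: with the SiteB rule proposed in the thread, the packet would leave SiteB as 10.10.1.8 -> 10.10.1.9, which under the assumed crypto ACL is no longer interesting traffic for the tunnel and is not what SiteA's rule expects to see.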



Marvin Rhoads
Hall of Fame

You will have to update both ASAs' "inside,outside" NAT rules. Choose an unused address in the SiteA 10.10.1.0 subnet that will map to the device at SiteB needing to talk. Then on ASA A, the NAT rule is that traffic destined to that address translates the DESTINATION to the real address at SiteB. Likewise the NAT rule at SiteB is the mirror image - it translates the SOURCE from its real address to the mapped address in SiteA's network.

Hi Marvin --

Thank you for the reply, but I think I'm missing something here. I tried following your description and came up with the following two rules, but it doesn't allow traffic to flow and I'm not sure why.

SiteA:

If the source is 10.10.1.9 and the destination is the unused address 10.10.1.8, change the destination to 10.10.20.9

nat (inside,outside) source static obj-10.10.1.9 obj-10.10.1.9 destination static obj-10.10.1.8 obj-10.10.20.9 no-proxy-arp

SiteB:

If the source is 10.10.20.9 and the destination is 10.10.1.9, change the source to the unused 10.10.1.8

nat (inside,outside) source static obj-10.10.20.9 obj-10.10.1.8 destination static obj-10.10.1.9 obj-10.10.1.9 no-proxy-arp

Any help is appreciated.

--Rob


Hi Marvin --

Are you able to help with my response above? I still haven't found a working solution.

Thanks,

--Rob
