1047 Views, 5 Helpful, 4 Replies

NAT backend behind inside routed network for outside access

gerardoairaldi (Level 1)

The scenario is this: an ASA running IOS 9.8, with a public internet interface, let's call it INET_IF, and as an internal interface INTERNAL-10.68.89.210 255.255.255.192 (the ASA IP is .210). Behind this network, via a gateway, I can reach the host 10.67.237.17/32; the ASA port probe reaches the backend correctly because it uses its identity interface to ping.

ping tcp 10.67.237.17 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.67.237.17 port 80
from 10.68.89.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms

 

The thing is that the backend webserver ONLY accepts traffic from the INTERNAL-10.68.89.192/26 network,

and I know that I can do NAT like this:

object network NAT_PUBLIC_TO_10.67.237.17
 host 10.67.237.17
 nat (lan_if,INTERNET_if) static %some_public_ip_that_i_have

But with this setup, a packet capture shows me traffic entering the LAN interface with the public IP of the client trying to reach the webserver. So, how can I masquerade or double NAT somewhere, so that a packet capture on LAN_IF shows me traffic from 10.68.89.192/26 instead of the public address trying to reach the webserver at 10.67.237.17?

Accepted Solution

Ajay Saini (Level 7)

Hello,

In this case, you can PAT the internet-based clients accessing your web server to the inside interface.

So, when a client on the internet (x.x.x.x) hits the ASA on the public IP address of the webserver, the source shall translate from x.x.x.x to 10.68.89.210 and the destination untranslate from the public IP to the 10.67.x IP address. The NAT should look something like this:

nat (outside,inside) source dynamic any interface destination static <public ip of server> <real ip>

Remove the other NAT and try it and hopefully it should work. This might break the outbound connection from the web server to the internet, but if that is needed, some other tweak might be needed. Just for internet to web server using the inside interface, this should work.

Hope it makes sense.

Regards,

AJ

 


4 Replies


That works like a charm! Now, if I also want to connect from that internal host to the INTERNET, can I apply the same logic?
Like nat (inside,outside) source dynamic object-10.67.237.17 object-%publicIP destination static <%publicIP> <object-10.67.237.17>; I mean, can they co-exist?

Applied the same logic to outside traffic and it works also, thank you!

Happy to help :)

 

-

AJ
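The accepted answer's inbound PAT rule and the outbound rule from the follow-up, written out together with the objects the placeholders need and the commands to verify them. This is an added example, not configuration from the thread or from Cisco; the interface nameifs `outside` and `inside` are taken from the answer's rule, the object names are mine, and the public address 203.0.113.10 and client address 198.51.100.25 are constructed placeholders from the documentation ranges. 10.67.237.17 and the inside interface 10.68.89.210/26 are from the question.

```cisco
! Added example (not the poster's config). Public-side addresses are
! constructed placeholders; interface names outside/inside are assumed.
!
! Objects for the web server's real (internal) and mapped (public) address.
object network OBJ_WEB_REAL
 host 10.67.237.17
object network OBJ_WEB_PUBLIC
 host 203.0.113.10

! 1) Inbound (accepted answer): an internet client hitting the public IP has
!    its source PAT'd to the inside interface address (10.68.89.210), so the
!    server behind the internal gateway sees a 10.68.89.192/26 source, and the
!    destination is untranslated from the public IP to the real IP.
nat (outside,inside) source dynamic any interface destination static OBJ_WEB_PUBLIC OBJ_WEB_REAL

! 2) Outbound (follow-up question): connections the server itself opens to the
!    internet leave with the same public IP. 'unidirectional' stops this rule
!    from also matching inbound traffic, which rule 1 already handles.
nat (inside,outside) source static OBJ_WEB_REAL OBJ_WEB_PUBLIC unidirectional

! The outside ACL must permit the inbound flow against the REAL address
! (ACLs reference real IPs on post-8.3 code).
access-list OUTSIDE_IN extended permit tcp any object OBJ_WEB_REAL eq 80
access-group OUTSIDE_IN in interface outside

! --- Verification ---
! Constructed internet client 198.51.100.25 reaching the public IP on port 80.
! The NAT phase should show src 198.51.100.25 -> 10.68.89.210 (PAT) and
! dst 203.0.113.10 -> 10.67.237.17, egress interface inside, action allow.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 80 detailed

! The server opening a connection out to the internet; expect
! src 10.67.237.17 -> 203.0.113.10 via rule 2.
packet-tracer input inside tcp 10.67.237.17 50000 198.51.100.25 443

! Live state: translation and connection tables show both real and mapped tuples.
show nat detail
show xlate
show conn address 10.67.237.17
```

Both rules are twice NAT in section 1, where the first matching rule wins, so keep the inbound rule above the outbound one. The original object NAT from the question (`nat (lan_if,INTERNET_if) static ...` under the object) should be removed, as the answer says, so it does not compete with rule 1. One operational consequence of PATing everything to 10.68.89.210: the web server's own access log records that one address for every internet client, so client attribution during an investigation has to come from the ASA's connection records (`show conn`, `show xlate`, and the built/teardown syslogs), which means those logs need to be exported and retained rather than relying on the server log alone.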
