05-30-2009 11:21 PM - edited 03-11-2019 08:38 AM
Hi,
I've not had any luck with this. I have an ASA with a sub-interface to a switch, and from the switch I have a VLAN where a router sits to our remote office. It is not a VPN, just a leased line via serial.
My LAN is on 192.168.3.0/24 and the remote network is 10.100.0.32/27
When 192.168.3.0 connects to 10.100.0.32/27 I want the 192.168.3.0/24 range to change to 192.168.90.0/24
I have attached my basic ASA config, to try and get this NAT to work I added:
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 10.100.0.32 255.255.255.224
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
static (inside,outside) 192.168.90.0 access-list policy-nat
Should this have worked? I can ping 10.100.0.61, but it is still seeing me come from 192.168.3.0/24.
05-31-2009 05:45 PM
Hello Aj,
Yes that should have worked, but one entry in your exempt NAT statement prevents this.
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
The above line, by the native NAT processing order of the ASA, is processed first; that's why traffic never reaches your policy NAT. Remove it with:
no access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
The following is not necessary either:
access-list Inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 10.100.0.32 255.255.255.224
Remove it.
Add only the following:
access-list policy-nat extended permit ip 192.168.3.0 255.255.255.0 10.100.0.32 255.255.255.224
static (inside,outside) 192.168.90.0 access-list policy-nat
Make sure the remote site has a route for 192.168.90.0 pointing to your end.
Finally, do not test this with ping; use TCP instead. For example, try to establish a Remote Desktop session, then on the remote server run netstat -an and you will see the established connection's source IP and port.
Regards
06-01-2009 12:24 PM
Damn, I must be missing something.
Thanks for finding the time to help me; once fixed I will definitely rate this.
I have added what you mentioned and still no luck, I have attached the 2 updated configs for the firewall and remote router plus a simple diagram. I hope this helps.
This is the "sh nat" output on the firewall:
mypix# sh nat
NAT policies on Interface Inside:
match ip Inside 192.168.3.0 255.255.255.0 Outside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Outside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 Inside 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 192.168.3.0 255.255.255.0 DMZ3 172.16.1.0 255.255.255.252
NAT exempt
translate_hits = 3, untranslate_hits = 4
match ip Inside 192.168.3.0 255.255.255.0 Outside 10.100.0.32 255.255.255.224
static translation to 192.168.90.0
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
dynamic translation to pool 1 (10.0.0.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip Inside any Inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any DMZ3 any
dynamic translation to pool 1 (No matching global)
translate_hits = 211, untranslate_hits = 0
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 0
match ip Inside any DMZ3 any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface DMZ3:
match ip DMZ3 192.168.2.0 255.255.255.0 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 10.100.0.32 255.255.255.224 Outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 192.168.2.0 255.255.255.0 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 10.100.0.32 255.255.255.224 DMZ3 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ3 any Outside any
no translation group, implicit deny
policy_hits = 0
mypix#
06-03-2009 03:45 AM
Aj,
According to the diagram you posted, the DMZ3 interface is the one which connects to the remote subnet, not the outside interface. So the static should be modified as follows:
no static (Inside,Outside) 192.168.90.0 access-list policy-nat
static (Inside,DMZ3) 192.168.90.0 access-list policy-nat
As far as I remember, the ASA may not be advertising the 192.168.90.0 network to the upstream router since it doesn't have an interface on that subnet. Can you confirm that by checking the routing table in your 2620?
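To make the two points above concrete (the exemption being evaluated before the policy static, and the static only applying to its own interface pair), here is an added toy model of the pre-8.3 ASA NAT lookup order, written for this thread and not Cisco code. It feeds the thread's packet (192.168.3.20 to 10.100.0.61, leaving via DMZ3) through the three rule sets discussed; the rule ordering and interface-pair behaviour are assumptions drawn from the replies, not a complete NAT implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed lookup order from the thread: NAT exemption (nat 0 access-list)
# is checked before a policy static, and a static only applies when the
# packet's ingress/egress interfaces equal its (real,mapped) pair.
PRIORITY = {"exempt": 0, "static": 1}
net = ipaddress.IPv4Network

@dataclass
class Rule:
    kind: str                    # "exempt" or "static"
    real_if: str                 # interface the real hosts sit behind
    mapped_if: Optional[str]     # None: exemption applies towards every interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mapped: Optional[ipaddress.IPv4Network] = None  # mapped subnet of a static

def lookup(rules, ingress, egress, src, dst):
    """Return (decision, source address as seen on egress) for one packet."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in sorted(rules, key=lambda r: PRIORITY[r.kind]):
        if r.real_if != ingress or r.mapped_if not in (None, egress):
            continue
        if s in r.src and d in r.dst:
            if r.kind == "exempt":
                return "exempt", src            # leaves untranslated
            offset = int(s) - int(r.src.network_address)  # keep host part
            return "static", str(r.mapped.network_address + offset)
    return "no-match", src   # neither exempt nor static matched this packet

# Rules from the thread (constructed objects, same addresses as the posts).
EXEMPT_OLD = Rule("exempt", "Inside", None, net("192.168.3.0/24"), net("10.100.0.32/27"))
STATIC_OUTSIDE = Rule("static", "Inside", "Outside", net("192.168.3.0/24"),
                      net("10.100.0.32/27"), net("192.168.90.0/24"))
STATIC_DMZ3 = Rule("static", "Inside", "DMZ3", net("192.168.3.0/24"),
                   net("10.100.0.32/27"), net("192.168.90.0/24"))

def scenarios():
    """Same packet, three configs: 192.168.3.20 -> 10.100.0.61 leaving via DMZ3."""
    pkt = ("Inside", "DMZ3", "192.168.3.20", "10.100.0.61")
    return {
        "exempt shadows policy NAT": lookup([EXEMPT_OLD, STATIC_OUTSIDE], *pkt),
        "static on wrong egress interface": lookup([STATIC_OUTSIDE], *pkt),
        "static (Inside,DMZ3)": lookup([STATIC_DMZ3], *pkt),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:35} -> {result}")
```

Only the third rule set yields a 192.168.90.x source; the first two reproduce the "still seeing me come from 192.168.3.0/24" symptom.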
06-03-2009 04:25 AM
The ASA will proxy ARP for all the globals that it owns unless proxy ARP is turned off with the sysopt command. In this case it will proxy ARP for the 192.168.90.0 subnet even when we do not have an interface configured on that subnet.
06-03-2009 05:50 AM
Proxying ARP entries, responding to ARP queries, and advertising routes are different things. Proxy ARP won't help the ASA advertise routes that it doesn't have, which is the translated subnet in our case.
Aj,
Most probably, the upstream router doesn't have a route for the 192.168.90.0 subnet. If I am right, then assign the IP address 192.168.90.254 to an empty interface of the ASA (eth3, or another subinterface that doesn't have any connection to anywhere; just enable the interface). Then check if a route entry for 192.168.90.0 appears in the upstream routing table.
06-03-2009 06:46 AM
Thanks for finding the time again to help me here.
Couldn't I just add the 192.168.90.0 subnet to RIP on the ASA like I have the other networks?
06-03-2009 08:02 AM
As a matter of fact, you already have the answer to that question. What is different between the routes that are advertised correctly and the routes that don't appear at the upstream router?
1) Are the subnets entered under router rip correctly?
router rip
network 10.0.0.0
network 192.168.2.0
network 192.168.3.0
network 192.168.90.0
version 2
no auto-summary
Yes, they are.
2) Which routes appear correctly?
"RIP on the ASA like I have the "!other networks!""
Which are these other networks "just added"?
network 10.0.0.0
network 192.168.2.0
network 192.168.3.0
Which route doesn't appear?
network 192.168.90.0
What is the difference in the config between those?
Answer: the ASA has an interface in the correctly advertised networks and doesn't have an interface in the subnet that is not advertised.
If that were a router, you could create a static route for that network pointing to the null0 interface (self) and redistribute that static route into RIP, but as I remember, the ASA doesn't support this.
Just create another subinterface, such as 2.8, give it an IP and enable it. You don't need any NAT configs, cable connection, etc.
06-03-2009 10:50 AM
husycisco,
I will attempt creating a new sub-interface for the 192.168.90.0 network. Is this all I have to do, as you say "You don't need any NAT configs, cable connection, etc."?
I understand I just need to add it to RIP? And add your NAT statement?
06-03-2009 11:34 AM
"I will attempt creating a new sub-interface for the 192.168.90.0 network, is this all I have to do"
Exactly, just set the IP and enable it.
"I understand I just need to add it to RIP? And add your NAT statement?"
Exactly: remove the current entry with no network 192.168.90.0, then set and enable the sub-interface, then add it into RIP. And add the NAT statement.
06-03-2009 12:20 PM
I think I have to do a bit more; the subnet is now advertised to the remote router.
If I ping 10.100.0.61 (from 192.168.3.20) and on the router I have debug ip icmp, I see the traffic source as 192.168.3.x, not 192.168.90.x.
Do I have to add ACLs to the ASA for 192.168.90.x?
Do I have to add the 192.168.90.x subnet to the switch for the trunk?
The reason I ask is that the remote network on 10.100.0.32/27 can ping 192.168.90.x; or does it have to?
06-06-2009 03:37 AM
A couple of concerns here:
1) If your new subinterface is visible via the trunk and the upstream router points to 192.168.90.x (the subinterface IP) as the next hop for the RIP route, this is bad. Please confirm that the next hop for the RIP route 192.168.90.0 is not 192.168.90.x. Let's hope the responder to 90.*-destined pings is the DMZ3 interface, via the proxy-ARP feature.
2) I assume that translation is not taking place. Remove the static entry, remove the conditional NAT ACL, then run "clear xlate", then run "clear local-host all". Second, add the ACL and the static statement back, then run "clear xlate". Make sure your conditional NAT ACL does not contain an "any" statement. Submit source and destination networks specifically.
3) To make sure our translation works, here is the command that you should run:
capture PNAT interface DMZ3 real match ip 192.168.90.0 255.255.255.0 any
A live capture screen will open up (Ctrl+C to exit). Then try to ping a destination client in 10.100.0.32/27 from an inside host (192.168.3.0). If some text appears, that means translation is working.
Finally, try testing with TCP rather than pings; for example, try telnetting or Remote Desktop to a server and check netstat -an to see the source.
06-10-2009 02:16 AM
Any update on this?