638 Views, 0 Helpful, 5 Replies

NAT help on ASA

Andy White
Level 3

Hello,

We have a 2 servers on the inside network.

Server A = 192.168.21.38

Server B = 192.168.28.128

If users try to go to 192.168.21.38 I want to NAT it to 192.168.28.128 instead.  I have added a route on our routing table to push 192.168.21.38/32 to the ASA so the ASA can process the NAT.  I'm using the ADSM and added a static NAT:

Interface: inside

IP: 192.168.21.38

Interface: inside

IP: 192.168.28.128

But it doesn't work

5 Replies

brquinn
Level 1

What version of ASA? Do your users need to access Server B via both its real address and the Server A address? Can you please post the relevant parts of your configuration for analysis?

Thanks,

Brendan

Please explain your requirement in detail. From where are the users going to access the server? Is it from the internet or from the internal LAN? If it is from the internet then it would be NATted to a public IP which would be resolved into the real IP of the server.

I guess if you provide these details it would be easier.

Thanks,

Varun

Thanks,
Varun Rao

Hello,

The server is based on the inside interface of the firewall, as too are the users. Users can access the server fine by its new IP address, but some old software on users' desktops still likes to go to its old IP address of 192.168.21.38. DNS doesn't work on this old software and the company no longer exists. So on our LAN routing table I thought I could route the old IP of 192.168.21.38 to the inside of the firewall, then NAT it to 192.168.28.128, which is the new server which we cloned as a VM which also sits on the inside?

That way the old bit of software can get to the server on its real IP of 192.168.28.128 and the old IP 192.168.21.38

Possible?

Andy,

We might need to u-turn the traffic in this case then; the following should be the configuration:

! static (real_ifc,mapped_ifc) mapped_ip real_ip: traffic sent to the old address 192.168.21.38 is translated to the new server 192.168.28.128
static (inside,inside) 192.168.21.38 192.168.28.128 norandomseq nailed

! source PAT to the inside interface address so the server's replies come back through the ASA
nat (inside) 10 0

global (inside) 10 interface

sysopt noproxyarp inside

same-security-traffic permit intra-interface

This should work, because basically we are u-turning the traffic here.

Let me know if it helps you.

Thanks,

Varun

Thanks,
Varun Rao

Generally speaking, you only want users to access a server via a single IP address. In order for this to work, you must configure overlapping NAT statements, which is generally a bad idea. Note that prior to version 8.3, this configuration is not supported.

Based on your description, both the users and server are located off the inside interface. If this is the case, you need to account for several things.

1) Asymmetric Routing - You may have to NAT both the source and destination addresses. Otherwise, the replies from the server may not traverse the ASA and instead be sent directly to the client.

2) Hairpinning - this is a term for sending packets back out the same interface they were received on. Make sure 'same-security-traffic permit intra-interface' is in place.

3) Conflicting NAT rules - By default, the ASA will not NAT your traffic. If you configure a NAT rule mapping the IP of ServerA to the IP of ServerB, then you need to think about what other traffic could also hit that rule.

In order to help you, we really need to know more about your existing NAT configuration, your interfaces, and your routing.

Thanks,

Brendan
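Added illustration (not from the thread, and not Cisco code): a small Python model of the hairpinned TCP handshake that Brendan's point 1 describes and that Varun's nat/global pair is meant to fix. It traces one SYN from a client to the old address, through the ASA's destination translation, to Server B, and then follows the SYN-ACK back, once without source PAT and once with it. The client address 192.168.28.50 and the ASA inside interface address 192.168.28.1 are assumed lab values; the two server addresses are the ones from the thread. The model shows that without source translation the server's reply is routed straight to the client, bypasses the ASA, and arrives from a source the client never connected to, so the handshake fails.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab values (assumptions for this example, not from the thread).
CLIENT = "192.168.28.50"
ASA_INSIDE = "192.168.28.1"
# Addresses from the thread.
OLD_IP = "192.168.21.38"   # Server A: the address the legacy software still dials
NEW_IP = "192.168.28.128"  # Server B: where the service now lives
LAN = ip_network("192.168.28.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def next_hop(pkt: Packet) -> str:
    """LAN routing as described in the thread: the /32 for the old address is
    pointed at the ASA; anything else on the LAN is delivered directly."""
    if pkt.dst in (OLD_IP, ASA_INSIDE):
        return "asa"
    if ip_address(pkt.dst) in LAN:
        return pkt.dst
    raise ValueError(f"no route to {pkt.dst}")


class Asa:
    """Destination NAT old->new on the inside interface, with optional
    source PAT to the interface address (the nat/global pair)."""

    def __init__(self, source_pat: bool):
        self.source_pat = source_pat
        self.xlate = {}          # (mapped_src, mapped_sport) -> (real_src, real_sport)
        self.next_port = 1024    # simplified PAT port allocator

    def forward(self, pkt: Packet) -> Packet:
        """Client -> server direction: rewrite destination, optionally source."""
        if pkt.dst != OLD_IP:
            raise ValueError("packet does not match the static translation")
        src, sport = pkt.src, pkt.sport
        if self.source_pat:
            sport = self.next_port
            self.next_port += 1
            self.xlate[(ASA_INSIDE, sport)] = (pkt.src, pkt.sport)
            src = ASA_INSIDE
        return Packet(src, NEW_IP, sport, pkt.dport)

    def reverse(self, pkt: Packet) -> Packet:
        """Server -> client direction: undo both translations via the xlate."""
        real = self.xlate.get((pkt.dst, pkt.dport))
        if real is None:
            raise ValueError("no xlate entry: the ASA would drop this reply")
        real_src, real_sport = real
        return Packet(OLD_IP, real_src, pkt.sport, real_sport)


def simulate(source_pat: bool) -> dict:
    """Trace SYN and SYN-ACK; report whether the client sees the tuple it expects."""
    asa = Asa(source_pat)
    path = []
    syn = Packet(CLIENT, OLD_IP, 50000, 80)
    path.append(f"client -> {next_hop(syn)} (dst {syn.dst})")
    fwd = asa.forward(syn)
    path.append(f"asa -> {next_hop(fwd)} (dst {fwd.dst}, src {fwd.src}:{fwd.sport})")
    # Server B answers whatever source it saw on the SYN.
    synack = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    if next_hop(synack) == "asa":
        path.append("server -> asa (reply routed back through the ASA)")
        delivered = asa.reverse(synack)
        path.append(f"asa -> {delivered.dst} (src restored to {delivered.src}:{delivered.sport})")
    else:
        path.append(f"server -> {synack.dst} directly (bypasses the ASA)")
        delivered = synack
    expected = (OLD_IP, 80)
    seen = (delivered.src, delivered.sport)
    return {"ok": seen == expected, "client_expects": expected,
            "client_sees": seen, "path": path}


if __name__ == "__main__":
    for pat in (False, True):
        result = simulate(pat)
        print(f"source PAT {'on' if pat else 'off'}: handshake ok = {result['ok']}")
        for step in result["path"]:
            print("   ", step)
```

With source PAT off, the client's TCP stack receives a SYN-ACK from 192.168.28.128:80 for a connection it opened to 192.168.21.38:80, finds no matching socket, and the session never establishes; the ASA, having seen only the SYN, also times the half-open connection out. With source PAT on, the reply is addressed to the ASA's interface, is reverse-translated, and reaches the client from the address it dialled. The same asymmetric-path reasoning applies to any one-armed or same-interface NAT, which is why the 'same-security-traffic permit intra-interface' line is a prerequisite rather than an optional tweak.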
