05-01-2018 01:45 AM - edited 02-21-2020 07:41 AM
I have two zones in firewall Zone-1 and Zone-2.
One Server is connected in Zone-1 (192.168.1.15). Two desktops are connected in Zone-2 with different subnets/VLANs (Desktop-1 10.14.3.150/24 and Desktop-2 20.14.3.150). Both Desktops are able to reach the Server's original IP.
Is it possible to access both of the Server's IPs (original and NATed) from both Desktops at the same time?
Currently there is no NAT configuration in the ASA 9.6.
If doing static NAT, only one IP is reachable at a time.
05-01-2018 02:06 AM
It is possible to do this but it will require NAT in both directions and can become quite complicated / difficult to manage and troubleshoot. I would not recommend doing this unless you have a very good reason for doing so.
You would need to set up two NATs for each PC: one NAT going from the server to the PCs for the NATed IP and one from the PC to the real IP. Using PC 1 as an example, and assuming the interface names on the ASA are zone1 and zone2:
object network PC1_REAL_IP
host 10.14.3.150
object network PC1_NAT_IP
host 11.14.3.15
object network SERVER_REAL_IP
host 192.168.1.15
object network SERVER_NAT_IP
host 172.16.1.15
nat (zone1,zone2) source static SERVER_REAL_IP SERVER_NAT_IP destination static PC1_REAL_IP PC1_REAL_IP
nat (zone1,zone2) source static SERVER_REAL_IP SERVER_REAL_IP destination static PC1_NAT_IP PC1_REAL_IP
In this scenario the PC can access the server using both the NAT IP and the real IP. When using the NAT IP of the server, the server sees the PC with the PC's real IP, but when using the server's real IP the server sees the PC with the PC's NATed IP.
Keep in mind that this example only describes the NAT; access lists will still need to be added to allow the traffic.
05-01-2018 03:32 AM
Hi Marius,
Actually I am upgrading ASA from 8.2 to 8.4.
In 8.2 there are 2 NAT entries:
static (Zone-1,Zone-2) 192.168.1.1 192.168.1.1 netmask 255.255.255.0
static (Zone-1,Zone-2) 172.16.1.15 192.168.1.15 netmask 255.255.255.255
Is it possible to achieve the same thing with these two entries?
05-01-2018 05:37 AM - edited 05-01-2018 05:39 AM
They are actually not even required in 8.2 unless you have "nat control" enabled, which I am assuming you have since they are there, or there are other dynamic NATs that you are trying to override. A better solution for 8.2 would be to use a NAT exempt statement, but that is for another discussion.
nat control is removed from the configuration as of 8.3 and later. These commands just NAT the IP address to itself. Is it possible to do in 9.x? Yes, of course, but you should have a good reason for doing so.
05-04-2018 04:03 AM
Hi Marius,
8.2 ASA has an entry:
static (MPLS,SERVER) 10.31.2.0 10.31.2.0 netmask 255.255.255.224
static (DMZ,PRODUCTION) 192.168.13.32 192.168.13.32 netmask 255.255.255.224
If I convert the same entries to 8.4 it would be:
object network 10.31.2.0
subnet 10.31.2.0 255.255.255.224
nat (MPLS,SERVER) static 10.31.2.0
object network 192.168.13.32
subnet 192.168.13.32 255.255.255.224
nat (DMZ,PRODUCTION) static 192.168.13.32
I am confused here because in the first statement a subnet is NATed to a network address (10.31.2.0) and in the second statement a subnet is NATed to a single IP (192.168.13.32).
Are the above NAT statements correct? What will happen during the communication in both statements?
I am trying to override some other dynamic entry here during migration from 8.2 to 8.4.
05-04-2018 05:50 AM
Yes, those commands will give the same result as the commands from the 8.2 version.
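As an added illustration of the 8.2 to 8.3+ migration discussed in the last few posts (example code, not from the thread or from Cisco): a small converter that turns 8.2 "static (real_if,mapped_if) MAPPED REAL netmask MASK" lines into the 8.3+ object NAT form and flags identity entries (real equals mapped), which 8.2 only needed under nat-control. The obj-<address> object naming and the sample input lines are assumptions for this example.

```python
import ipaddress
import re

# 8.2 syntax as quoted in the thread: the mapped address comes before the real one.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def convert_static(line):
    """Translate one 8.2 'static' line into 8.3+ object NAT.

    Returns (object_name, config_lines, is_identity). is_identity is True
    when real == mapped, i.e. the entry only NATs the address to itself.
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 8.2 static NAT line: {line!r}")
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    name = f"obj-{real.network_address}"  # assumed naming convention
    if real.prefixlen == 32:
        definition = f" host {real.network_address}"
    else:
        definition = f" subnet {real.network_address} {real.netmask}"
    lines = [
        f"object network {name}",
        definition,
        f" nat ({m['real_if']},{m['mapped_if']}) static {mapped.network_address}",
    ]
    return name, lines, real == mapped


def convert_config(text):
    """Convert every 8.2 static line in text; other lines pass through unchanged.
    Identity entries get a comment line so a reviewer can decide whether they
    are still needed once nat-control is gone."""
    out = []
    for raw in text.splitlines():
        if raw.strip().startswith("static ("):
            _, new_lines, identity = convert_static(raw)
            if identity:
                out.append("! identity NAT (real == mapped): review whether still needed in 8.3+")
            out.extend(new_lines)
        else:
            out.append(raw)
    return out


# Constructed sample input, using the two 8.2 lines quoted in the thread.
SAMPLE_82 = """\
static (MPLS,SERVER) 10.31.2.0 10.31.2.0 netmask 255.255.255.224
static (Zone-1,Zone-2) 172.16.1.15 192.168.1.15 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE_82)))
```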