633 Views, 0 Helpful, 5 Replies

NAT in ASA

Harmeet Singh (Beginner)

I have two zones in the firewall, Zone-1 and Zone-2.

One server is connected in Zone-1, 192.168.1.15. Two desktops are connected in Zone-2 on different subnets/VLANs (Desktop-1 10.14.3.150/24 and Desktop-2 20.14.3.150). Both desktops are able to reach the server's original IP.

Is it possible to access both of the server's IPs (original and NATed) from both desktops at the same time?

Currently there is no NAT configuration in the ASA 9.6.

If doing static NAT, only one IP is reachable at a time.

5 Replies

Marius Gunnerud (VIP Advisor)

It is possible to do this but it will require NAT in both directions and can become quite complicated / difficult to manage and troubleshoot. I would not recommend doing this unless you have a very good reason for doing so.

You would need to set up two NAT rules for each PC. One NAT going from the server to the PCs for the NATed IP and one from the PC to the real IP. Using PC 1 as an example, and assuming the interface names on the ASA are zone1 and zone2:


object network PC1_REAL_IP
  host 10.14.3.150
object network PC1_NAT_IP
  host 11.14.3.15
object network SERVER_REAL_IP
  host 192.168.1.15
object network SERVER_NAT_IP
  host 172.16.1.15

nat (zone1,zone2) source static SERVER_REAL_IP SERVER_NAT_IP destination static PC1_REAL_IP PC1_REAL_IP
nat (zone1,zone2) source static SERVER_REAL_IP SERVER_REAL_IP destination static PC1_NAT_IP PC1_REAL_IP


In this scenario the PC can access the server using both the NAT IP and the real IP. When using the NAT IP of the server, the server sees the PC with the PC's real IP, but when using the server's real IP the server sees the PC with the PC's NATed IP.

 

Keep in mind that this example only describes the NAT, access lists will still need to be added to allow the traffic.

 

--
Please remember to select a correct answer and rate helpful posts
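The two twice NAT rules in the answer above can be traced with a small Python model of how the ASA matches manual NAT rules. This is an added example, not code from the post or from Cisco: it models only exact host matches in a single NAT section with first-match ordering (no subnets, no port translation), uses the thread's interface names and addresses, and the `TwiceNatRule`, `Flow`, `Result`, `translate` and `server_sees` names are my own.

```python
# Added example, not from the original thread: a small model of how an ASA
# evaluates twice NAT (manual NAT) rules, used to trace the two
# "nat (zone1,zone2) source static ... destination static ..." lines from the
# answer above. Interface names and addresses are the ones used in the thread;
# the model is simplified to exact host matches in a single NAT section.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TwiceNatRule:
    # nat (real_ifc,mapped_ifc) source static src_real src_mapped
    #                           destination static dst_mapped dst_real
    real_ifc: str
    mapped_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str


@dataclass(frozen=True)
class Flow:
    ingress_ifc: str
    src: str
    dst: str


@dataclass(frozen=True)
class Result:
    egress_ifc: str
    src: str
    dst: str
    rule: int  # index of the matching rule (first match wins)


# The two rules from the answer above, in the order they were given.
RULES: List[TwiceNatRule] = [
    TwiceNatRule("zone1", "zone2", "192.168.1.15", "172.16.1.15", "10.14.3.150", "10.14.3.150"),
    TwiceNatRule("zone1", "zone2", "192.168.1.15", "192.168.1.15", "11.14.3.15", "10.14.3.150"),
]


def translate(rules: List[TwiceNatRule], flow: Flow) -> Optional[Result]:
    """First-match evaluation, top to bottom, like one ASA NAT section.

    Forward direction: the packet enters real_ifc with src == src_real and
    dst == dst_mapped. Reverse direction: it enters mapped_ifc with
    src == dst_real and dst == src_mapped (static twice NAT is bidirectional).
    Returns None when no rule applies; since 8.3 that means the packet is
    forwarded untranslated (there is no "nat-control" any more).
    """
    for i, r in enumerate(rules):
        if flow.ingress_ifc == r.real_ifc and flow.src == r.src_real and flow.dst == r.dst_mapped:
            return Result(r.mapped_ifc, r.src_mapped, r.dst_real, i)
        if flow.ingress_ifc == r.mapped_ifc and flow.src == r.dst_real and flow.dst == r.src_mapped:
            return Result(r.real_ifc, r.dst_mapped, r.src_real, i)
    return None


def server_sees(pc_ip: str, target: str) -> Optional[str]:
    """Source address the server receives when a zone2 PC connects to target."""
    res = translate(RULES, Flow("zone2", pc_ip, target))
    return res.src if res else None


if __name__ == "__main__":
    # Constructed flows: PC1 to each server address, the server back to each
    # PC1 address, and Desktop-2 (which has no rules) to the server's NAT IP.
    for flow in [Flow("zone2", "10.14.3.150", "172.16.1.15"),
                 Flow("zone2", "10.14.3.150", "192.168.1.15"),
                 Flow("zone1", "192.168.1.15", "10.14.3.150"),
                 Flow("zone1", "192.168.1.15", "11.14.3.15"),
                 Flow("zone2", "20.14.3.150", "172.16.1.15")]:
        print(flow, "->", translate(RULES, flow))
```

Running it reproduces what the answer describes: PC1 connecting to 172.16.1.15 arrives at the server as 10.14.3.150, and PC1 connecting to 192.168.1.15 arrives as 11.14.3.15. It also shows two things worth checking before deploying this: traffic the server itself initiates to 10.14.3.150 matches the first rule in the forward direction and leaves zone2 sourced from 172.16.1.15, and Desktop-2 at 20.14.3.150 matches nothing, so it needs its own pair of rules as the answer says. On the ASA the equivalent check is `packet-tracer input zone2 tcp 10.14.3.150 12345 172.16.1.15 80` together with `show nat detail`. Note also that from 8.3 onwards access lists are written against the real (untranslated) address, so the ACL on zone2 must permit traffic to 192.168.1.15 for both paths, not to 172.16.1.15.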

Hi Marius,

Actually I am upgrading the ASA from 8.2 to 8.4.

In 8.2 there are 2 NAT entries:

static (Zone-1,Zone-2) 192.168.1.1 192.168.1.1 netmask 255.255.255.0
static (Zone-1,Zone-2) 172.16.1.15 192.168.1.15 netmask 255.255.255.255

Is it possible to achieve the same thing with these two entries?

They are actually not even required in 8.2 unless you have "nat control" enabled, which I am assuming you have since they are there, or there are other dynamic NATs that you are trying to override. A better solution for 8.2 would be to use a NAT exempt statement, but that is for another discussion.

nat control is removed from the configuration as of 8.3 and later. These commands just NAT the IP address to itself. Is it possible to do in 9.x? Of course, but you should have a good reason for doing so.


Hi Marius,

The 8.2 ASA has these entries:

static (MPLS,SERVER) 10.31.2.0 10.31.2.0 netmask 255.255.255.224
static (DMZ,PRODUCTION) 192.168.13.32 192.168.13.32 netmask 255.255.255.224

If I convert the same entries to 8.4 they would be:

object network 10.31.2.0
  subnet 10.31.2.0 255.255.255.224
  nat (MPLS,SERVER) static 10.31.2.0

object network 192.168.13.32
  subnet 192.168.13.32 255.255.255.224
  nat (DMZ,PRODUCTION) static 192.168.13.32

I am confused here because in the first statement a subnet is NATed to a network address (10.31.2.0) and in the second statement a subnet is NATed to a single IP (192.168.13.32).

Are the above NAT statements correct? What will happen during communication with both statements?

I am trying to override some other dynamic entry here during the migration from 8.2 to 8.4.

Yes, those commands will give the same result as the commands from the 8.2 version.

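The 8.2 to 8.4 rewrite discussed in the last two posts is mechanical, and the field order is the part that is easy to get wrong: the 8.2 form `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` lists the mapped address first, while 8.4 object NAT puts the real address in the network object and the mapped address after `static`. The converter below is an added example, not the poster's code or Cisco's migration tool. It handles only the plain `static` form shown in the thread (no port translation, no `dns` or other options, which it rejects rather than guessing), the `obj-<real>` object names are my naming choice, and the `!` lines are annotations it adds for identity NAT and for a subnet written with host bits set.

```python
# Added example, not from the original thread: convert ASA 8.2 "static"
# lines of the plain form used in the posts above into 8.4+ object NAT.
#   8.2:  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
#   8.4:  object network obj-<real_ip>
#          host <real_ip>  |  subnet <network> <mask>
#          nat (real_ifc,mapped_ifc) static <mapped_ip>
import re
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Only the plain static syntax; lines with protocol/port or extra options
# (static (in,out) tcp ... / dns / norandomseq) do not match and raise.
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def convert_static(line: str) -> List[str]:
    """Return the 8.4 object NAT lines equivalent to one 8.2 static line."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a plain 8.2 static line: {line!r}")
    real_ifc = m["real_ifc"].strip()
    mapped_ifc = m["mapped_ifc"].strip()
    mapped, real, mask = m["mapped"], m["real"], m["mask"]

    # strict=False masks off host bits so a line like
    # "static (a,b) 192.168.1.1 192.168.1.1 netmask 255.255.255.0" still converts.
    net = IPv4Network(f"{real}/{mask}", strict=False)

    out = [f"object network obj-{real}"]  # object name is my convention
    if mapped == real:
        out.append(" ! identity NAT: the address translates to itself")
    if net.prefixlen == 32:
        out.append(f" host {real}")
    else:
        if IPv4Address(real) != net.network_address:
            out.append(f" ! note: {real} has host bits set for {mask}; "
                       f"using network {net.network_address}")
        out.append(f" subnet {net.network_address} {mask}")
    out.append(f" nat ({real_ifc},{mapped_ifc}) static {mapped}")
    return out


def convert_config(text: str) -> str:
    """Convert every static line in a blob of 8.2 config; blank lines are skipped."""
    blocks = [convert_static(l) for l in text.splitlines() if l.strip()]
    return "\n\n".join("\n".join(b) for b in blocks)


# Constructed input: the 8.2 lines quoted in the thread above.
SAMPLE_82 = """
static (Zone-1,Zone-2) 192.168.1.1 192.168.1.1 netmask 255.255.255.0
static (Zone-1,Zone-2) 172.16.1.15  192.168.1.15  netmask 255.255.255.255
static (MPLS,SERVER) 10.31.2.0 10.31.2.0 netmask 255.255.255.224
static (DMZ,PRODUCTION) 192.168.13.32  192.168.13.32 netmask 255.255.255.224
"""

if __name__ == "__main__":
    print(convert_config(SAMPLE_82))
```

Read the output against the thread's own conversion: 10.31.2.0/27 and 192.168.13.32/27 both become a `subnet` object whose `nat ... static` mapped address is the first address of the same block, which is why the two 8.4 statements in the post look different only because 192.168.13.32 happens to be a block boundary (.32 to .63 with a /27 mask) just as 10.31.2.0 is. The converter flags the first 8.2 line in the earlier post, where 192.168.1.1 is given with a /24 mask, since the `subnet` keyword needs the network address.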