Actually,

This might be closer to the truth

object network PUBLIC-GLOBAL

host 1.1.1.1

object network PUBLIC-LOCAL

host 10.10.10.100

object network PUBLIC

host 2.2.2.2

object network LOCAL-LAN

subnet 10.10.10.0 255.255.255.0

nat (inside,outside) source dynamic LOCAL-LAN PUBLIC destiantion static PUBLIC-LOCAL PUBLIC-GLOBAL

Where

• PUBLIC-GLOBAL = Is the actual real "outside" IP address
• PUBLIC-LOCAL  = Is the NATed "outside" IP address when connecting to network  LOCAL-LAN. The NAT IP in question is from the same network as "inside"
• LOCAL-LAN = Is the network on the "inside"
• PUBLIC = Is the public IP visible to the public network for your hosts on the LOCAL-LAN

I configure for example the site www.google.fi to be reachable with the local IP address of 10.0.10.3 from my LAN

object network PUBLIC-GLOBAL

host 173.194.71.94

object network PUBLIC-LOCAL

host 10.0.10.3

object network LOCAL-LAN

subnet 10.0.0.0 255.255.255.0

object network PUBLIC

host x.x.x.x

nat (LAN,WAN) source dynamic LOCAL-LAN PUBLIC destination static PUBLIC-LOCAL PUBLIC-GLOBAL

ASA(config)# sh conn long

TCP WAN:173.194.71.94/80 (10.0.10.3/80) LAN:10.0.0.30/52404 (x.x.x.x/52404), flags UIO, idle 2s, uptime 3s, timeout 1h0m, bytes 2404

- Jouni

Jouni

Thanks for the reply

If I understand correctly the

object network PUBLIC-GLOBAL is the mapped addr at site A (I use the term Mapped to indicate it is outside addr provided by an ISP)

The object network PUBLIC-LOCAL

is the real addr (in this case the real addr is at site B) (real is the inside private network addr)

The

object network LOCAL-LAN is the inside LAN of site A.

Our goal is to allow people to access this server from outside via site A even though the server physically sits at site B.

It seems like a crazy request to us but site B is being phased out and this is a way to allow access until the server is moved to site A.

Hi,

I think your setup might actually be simpler and the above examples probably aint the thing you are looking for.

So let me see if I now understood this correctly

• Site A should provide the public IP address to which users connect to from Internet to reach the Site B server
• Site B is connected to Site A with a dedicated connection
• Site B is visible to the Site A with a certain private IP address range
• You want to NAT a Site A Public IP to a Site B private IP address

To my understanding this should just require a simple Static NAT between your Site A "outside" interface and the Site A ASA interface which leads to the Site B

For example if the following apply

• Site A Internet facing interface is "outside"
• Site A Site B facing interface is "mpls"
• Site B server local IP address is 10.10.10.10
• Site A public NAT IP for Site B server is 1.1.1.1

Then you could simply configure

object network STATIC

host 10.10.10.10

nat (mpls,outside) static 1.1.1.1

And naturally would have to make ACL rules on the "outside" interface to allow traffic.

Let me know if this was what you were after.

- Jouni

Jouni

You have stated this correctly.

So let me see if I now understood this correctly

• Site A should provide the public IP address to which users connect to from Internet to reach the Site B server  YES
• Site B is connected to Site A with a dedicated connection YES
• Site B is visible to the Site A with a certain private IP address range  YES
• You want to NAT a Site A Public IP to a Site B private IP address  YES

We are waiting on this site B to provide us with the addr of the server. As soon as we get that info we are going to code this as you suggested. We will let the fourm community know what the outcome is and rate accordingly.

One more question about the setup.

Does Site B have any other Internet connection other than through Site A? In other words, does the Site B have its own Internet connection?

If Site B has its own Internet connection then naturally it will route all traffic coming from public IP addresses out of its own Internet connection and this simple Static NAT wouldnt do the trick and we would actually have to resort to a bit more complicated NAT like in my first replys.

We would both have to

• NAT "any" source address behind the "outside" interface of Site A ASA to some PAT address or NAT Pool when they are connecting the public IP address of the Site B server
• We would also have to make sure that the Site B would have a route for the above mentioned PAT address / NAT Pool so return routing for the traffic coming from Site A would be correctly forwarded back to the Site A and out its Internet connection.

- Jouni

Site B does not have its own internet.

It uses the services of another site C which I guess is being proxied.

Where does the Site B default route point to?

Does it point towars Site A or Site C?

- Jouni

Site B points to site C for its default route.

Ok,

Well that means that in the current setup if we use the Static NAT at Site A then the following will happen

• User on the Internet tries to access the Site B server with the Site A public IP address
• Connections comes to Site A ASA and the connection/traffic is forwarded to the Site B
• Traffic arrives to the Site B server
• Server at Site B send the return traffic using the local default route through a different route than the one leading to Site A
• Connection will timeout as we are facing assymetric routing

This would mean that we would need to NAT both the Internet users source addresses and the Site B server IP address on the Site A ASA for this to work. We would also need to make sure that the IP address we NAT/PAT all the Internet users is routed from Site B to Site A so the traffic doesnt get sent to Site C like mentioned above.

object network SERVER-LOCAL

host

object network SERVER-PUBLIC

host

object network SERVER-SOURCE-PAT

host

nat (outside,mpls) source dynamic any SERVER-SOURCE-PAT destination static SERVER-PUBLIC SERVER-LOCAL

Furhermore we would need to confirm that the IP address under the SERVER-SOURCE-PAT has a route at Site B pointing towards Site A and therefore doesnt get routed towards Site C.

- Jouni

Jouni

I am unsure about one item

object network SERVER-SOURCE-PAT

host

This addr would be our isp provided addr correct?

This is what I have for outside for pat

object network outside

host 31.xx.xx.xxx

Then on the site B side I would need a ip route statement in the L3 switch?

ip route 10.92.3.3 255.255.255.255 31.xx.xx.xxx ?

Hi,

The IP address under "object network SERVER-SOURCE-PAT" is a random IP address of your choosing. This will be the IP address to which every host on the Internet is NATed to when they try to access the Site B server using the IP address under the "object network SERVER-PUBLIC" IP address.

The purpose of this Dynamic PAT configuration for all Internet hosts when connecting to Site B server is that we only need a route for this PAT IP address on the Site B pointing to Site A.

Consider the situation where we only do a Static NAT for the Site B server. Site B server will see connections coming to it from the public IP addresses directly which can be basically anything. And naturally return traffic for these connections will follow the default route from the Site B server towards Site C.

Now when we consider the situation where we are doing Dynamic PAT to the Internet hosts on Site A then the Site B server will see all the connections coming to it from only a single PAT IP address and it will be easy to configure return route for that PAT IP address towards Site A and get the connections working.

Hope I made any sense.

- Jouni

Hi,

Here is a quick picture I made about the setup. How I understood your situation and how the NAT would work

Click to enlarge

- Jouni

Jouni

Thanks for all the help.

The route that I would use on site B pointing back to site A using your map would be this

ip route 10.10.10.10 255.255.255.255 2.2.2.2?