04-03-2013 06:36 AM - edited 03-11-2019 06:23 PM
We are running ASA IOS 8.4 and would like to know if it is possible to NAT an outside addr at site A to an inside addr that is reached via MPLS at site B?
04-03-2013 11:15 AM
Hi,
I still don't know the exact layout of your network.
The only route that the Site B needs is the route which tells where the PAT IP address is located. The PAT IP address that all the Internet users through Site A are visible from.
So in your situation the route would be something like
ip route 2.2.2.2 255.255.255.255
And naturally the IP address 2.2.2.2 is just an example IP address. You can and probably should use something else.
Also I don't know how many hops there are between the 2 sites so you might need some configurations elsewhere also.
- Jouni
04-03-2013 06:46 AM
Hi,
I guess the basic format would be something like this
object network PUBLIC-GLOBAL
host 1.1.1.1
object network PUBLIC-LOCAL
host 10.10.10.100
object network LOCAL-LAN
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PUBLIC-LOCAL PUBLIC-GLOBAL
Where
Though I am not sure if I have understood your setup correctly.
- Jouni
04-03-2013 07:04 AM
Actually,
This might be closer to the truth
object network PUBLIC-GLOBAL
host 1.1.1.1
object network PUBLIC-LOCAL
host 10.10.10.100
object network PUBLIC
host 2.2.2.2
object network LOCAL-LAN
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source dynamic LOCAL-LAN PUBLIC destination static PUBLIC-LOCAL PUBLIC-GLOBAL
Where
I configure for example the site www.google.fi to be reachable with the local IP address of 10.0.10.3 from my LAN
object network PUBLIC-GLOBAL
host 173.194.71.94
object network PUBLIC-LOCAL
host 10.0.10.3
object network LOCAL-LAN
subnet 10.0.0.0 255.255.255.0
object network PUBLIC
host x.x.x.x
nat (LAN,WAN) source dynamic LOCAL-LAN PUBLIC destination static PUBLIC-LOCAL PUBLIC-GLOBAL
ASA(config)# sh conn long
TCP WAN:173.194.71.94/80 (10.0.10.3/80) LAN:10.0.0.30/52404 (x.x.x.x/52404), flags UIO, idle 2s, uptime 3s, timeout 1h0m, bytes 2404
- Jouni
04-03-2013 07:09 AM
Jouni
Thanks for the reply
If I understand correctly the
object network PUBLIC-GLOBAL is the mapped addr at site A (I use the term Mapped to indicate it is outside addr provided by an ISP)
The object network PUBLIC-LOCAL
is the real addr (in this case the real addr is at site B) (real is the inside private network addr)
The
object network LOCAL-LAN is the inside LAN of site A.
Our goal is to allow people to access this server from outside via site A even though the server physically sits at site B.
It seems like a crazy request to us but site B is being phased out and this is a way to allow access until the server is moved to site A.
04-03-2013 07:18 AM
Hi,
I think your setup might actually be simpler and the above examples probably aren't the thing you are looking for.
So let me see if I now understood this correctly
To my understanding this should just require a simple Static NAT between your Site A "outside" interface and the Site A ASA interface which leads to the Site B
For example if the following apply
Then you could simply configure
object network STATIC
host 10.10.10.10
nat (mpls,outside) static 1.1.1.1
And naturally would have to make ACL rules on the "outside" interface to allow traffic.
Let me know if this was what you were after.
- Jouni
04-03-2013 08:05 AM
Jouni
You have stated this correctly.
So let me see if I now understood this correctly
We are waiting on this site B to provide us with the addr of the server. As soon as we get that info we are going to code this as you suggested. We will let the forum community know what the outcome is and rate accordingly.
04-03-2013 08:11 AM
One more question about the setup.
Does Site B have any other Internet connection other than through Site A? In other words, does the Site B have its own Internet connection?
If Site B has its own Internet connection then naturally it will route all traffic coming from public IP addresses out of its own Internet connection and this simple Static NAT wouldn't do the trick and we would actually have to resort to a bit more complicated NAT like in my first replies.
We would both have to
- Jouni
04-03-2013 08:15 AM
Site B does not have its own internet.
It uses the services of another site C which I guess is being proxied.
04-03-2013 08:19 AM
Where does the Site B default route point to?
Does it point towards Site A or Site C?
- Jouni
04-03-2013 08:34 AM
Site B points to site C for its default route.
04-03-2013 08:51 AM
Ok,
Well that means that in the current setup if we use the Static NAT at Site A then the following will happen
This would mean that we would need to NAT both the Internet users' source addresses and the Site B server IP address on the Site A ASA for this to work. We would also need to make sure that the IP address we NAT/PAT all the Internet users to is routed from Site B to Site A so the traffic doesn't get sent to Site C like mentioned above.
object network SERVER-LOCAL
host
object network SERVER-PUBLIC
host
object network SERVER-SOURCE-PAT
host
nat (outside,mpls) source dynamic any SERVER-SOURCE-PAT destination static SERVER-PUBLIC SERVER-LOCAL
Furthermore we would need to confirm that the IP address under the SERVER-SOURCE-PAT has a route at Site B pointing towards Site A and therefore doesn't get routed towards Site C.
- Jouni
04-03-2013 09:16 AM
Jouni
I am unsure about one item
object network SERVER-SOURCE-PAT
host
This addr would be our isp provided addr correct?
This is what I have for outside for pat
object network outside
host 31.xx.xx.xxx
Then on the site B side I would need an ip route statement in the L3 switch?
ip route 10.92.3.3 255.255.255.255 31.xx.xx.xxx ?
04-03-2013 09:26 AM
Hi,
The IP address under "object network SERVER-SOURCE-PAT" is a random IP address of your choosing. This will be the IP address to which every host on the Internet is NATed to when they try to access the Site B server using the IP address under the "object network SERVER-PUBLIC" IP address.
The purpose of this Dynamic PAT configuration for all Internet hosts when connecting to Site B server is that we only need a route for this PAT IP address on the Site B pointing to Site A.
Consider the situation where we only do a Static NAT for the Site B server. Site B server will see connections coming to it from the public IP addresses directly which can be basically anything. And naturally return traffic for these connections will follow the default route from the Site B server towards Site C.
Now when we consider the situation where we are doing Dynamic PAT to the Internet hosts on Site A then the Site B server will see all the connections coming to it from only a single PAT IP address and it will be easy to configure return route for that PAT IP address towards Site A and get the connections working.
Hope I made any sense.
- Jouni
04-03-2013 10:03 AM
Hi,
Here is a quick picture I made about the setup. How I understood your situation and how the NAT would work
- Jouni
04-03-2013 11:09 AM
Jouni
Thanks for all the help.
The route that I would use on site B pointing back to site A using your map would be this
ip route 10.10.10.10 255.255.255.255 2.2.2.2?
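The twice-NAT design described in the thread (source PAT of Internet clients plus static destination NAT of the server, with a return route at Site B), written out as a complete added example. This is not Jouni's or the asker's configuration; it reuses the thread's sample values (server 10.10.10.10 at Site B, public address 1.1.1.1 on Site A's outside interface, 2.2.2.2 as the PAT address, interface names "outside" and "mpls") and uses labelled placeholders for the next-hop addresses, which are not given in the thread.

```cisco
! Added example, not configuration from the thread. Sample values are the
! thread's own (10.10.10.10, 1.1.1.1, 2.2.2.2, interfaces "outside"/"mpls");
! <SITE-B-NEXT-HOP> and <SITE-A-NEXT-HOP> are placeholders to fill in.

! ---- Site A ASA (8.4) ----
object network SERVER-LOCAL
 host 10.10.10.10
object network SERVER-PUBLIC
 host 1.1.1.1
object network SERVER-SOURCE-PAT
 host 2.2.2.2

! Twice NAT: an inbound connection from the Internet gets its source PATed
! to 2.2.2.2 and its destination translated from 1.1.1.1 to 10.10.10.10.
nat (outside,mpls) source dynamic any SERVER-SOURCE-PAT destination static SERVER-PUBLIC SERVER-LOCAL

! Interface ACL on "outside". On 8.3+ the ACL matches the real
! (untranslated) destination, so it references SERVER-LOCAL, and it
! should permit only the service actually being published (443 assumed).
access-list OUTSIDE-IN extended permit tcp any object SERVER-LOCAL eq 443
access-group OUTSIDE-IN in interface outside

! The ASA must know how to reach the Site B server subnet across the MPLS link.
! (placeholder next hop)
route mpls 10.10.10.0 255.255.255.0 <SITE-B-NEXT-HOP>

! ---- Site B L3 switch ----
! The default route stays towards Site C. Only the PAT address is steered
! back to Site A, so replies to 2.2.2.2 take the MPLS path instead of the
! default route. (placeholder next hop)
ip route 2.2.2.2 255.255.255.255 <SITE-A-NEXT-HOP>

! ---- Verification on the Site A ASA ----
! Simulate an Internet client (203.0.113.5 is a constructed test address)
! and confirm the NAT phase shows both the source PAT and the destination
! translation; then inspect the resulting translations.
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 443
show nat detail
show xlate
```

The trade-off to keep in mind: because every client is PATed to 2.2.2.2, the server at Site B sees a single source address, so its own logs and any per-client controls there lose the real client IP. The Site A ASA is the only point that still sees it, so connection logging (and any source-based filtering) for this published service belongs on the ASA's outside interface.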