11-10-2010 04:33 AM - edited 03-11-2019 12:07 PM
How do I do this?
I have the following:
1 Outside interface, x.x.x.x public IPs.
1 MPLS net interface, 172.17.1.0/24.
1 Inside interface with some Win servers, 172.16.1.0/24.
1 Inside interface with some IBM servers, 172.16.2.0/24.
The MPLS interface has a route to some other IBM servers I want to NAT to.
Problem is, they only have a return route to the Inside interface with the IBM servers.
I want to NAT from the Inside interface with the Win servers using the IPs/interface with the IBM servers, so that the MPLS network's machines can find their route back.
Win server -> IP on IBM interface -> through MPLS and back.
E.g.:
172.16.2.10 is NATed to 172.16.1.10 and can go to the MPLS interface using this IP, so that I can get traffic back.
I also want to do the same with a public IP on the outside interface.. - MPLS net over the IBM net.
How do I do this?
11-10-2010 05:37 AM
Hi,
I don't fully understand your scenario, could you include a simple drawing?
Thank you,
Federico.
11-10-2010 06:29 AM
I need to connect to 172.26.1.x using an IP on the 172.26.2.x, because there is only a route to that net from 172.26.1.0/24.
I cannot change the route info on the 172.26.1.0/24 net.
Can I NAT to an IP (172.26.2.100) that can reach 172.26.1.0/24?
11-10-2010 07:21 AM
If you need to access the 172.16.2.x from 172.16.1.x (and be seen as 172.16.2.x) you can do this:
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
Adjusting the correct interfaces...
You can do PAT and have the 172.16.1.0/24 be seen as the IP of the 172.16.2.x interface of the ASA.
Or you can do a static NAT:
static (in,out) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
Federico.
11-10-2010 08:13 AM
I need to access 172.26.1.x from 172.16.1.x, but as a 172.16.2.x address, as there is only a return route to 172.16.2.0/24.
/rene
11-10-2010 08:19 AM
If you need to access 172.26.1.x from 172.26.1.x you need to NAT on both sides.
This is because if you come say from 172.26.1.10 and try to send traffic to 172.26.1.x, the traffic will stay local and will never be sent to the remote network.
For this to work you need to NAT both sides and establish the communication between translated subnets.
Federico.
11-10-2010 08:24 AM
You need to have enough IPs in the 172.16.2.0/24 subnet for the 172.26.1.0/26 hosts in order to translate them to 172.16.2.0/24.
You could do "static (in1,in2) 172.16.2.0 172.26.1.0" but then you will not have access to the 172.16.2 MPLS subnet. So you can put one-to-one statics for the 172.16.2.x hosts, not the whole subnets.
Depending on the security levels, you might be able to do PAT
nat (in1) / global (in2), but that would only work if the in1 hosts initiate the connections to in2.
I hope it helps.
PK
11-10-2010 08:26 AM
I can't edit/add to the 172.26.1.x net.. this is handled by a 3rd party.. and they will not allow me to access using any other network than the 172.16.2.0/24 net,
But I want to be able to reach 172.26.1.x from 172.16.1.x (which 172.26.1.x does not know of).
So when I try to connect to, say, 172.26.1.10, I want to NAT it so it looks like the traffic comes from a 172.16.2.x address. 172.26.1.x does not initiate traffic the other way.
/Rene
11-10-2010 03:41 PM
Rene,
I haven't tested this but, here is what you can do.
nat (inside) 1 172.16.1.0 255.255.255.0
global (MPLS) 1 172.16.2.x
Pick an unused IP address in the 172.16.2.0/24 network.
You did mention that the inside guys are the ones to initiate traffic, correct? Because with nat/global the MPLS side will only be able to respond; they cannot initiate traffic to the PAT address 172.16.2.x.
I am assuming inside is of higher security than MPLS.
-KS
11-10-2010 11:35 PM
Thanks KS.. that worked perfectly.
What do I do if I want a public IP from the Outside interface NATed to 172.26.1.10 using a 172.16.2.x address,
so I can get access to the server on 172.26.1.10 from outside?
/Rene
11-11-2010 06:47 AM
Rene,
Glad to hear that it worked perfectly. Pls. mark it answered.
Also, the outside IPs cannot reach 172.16.x.x. Are you talking about outside using private addresses or literally the internet? If it is the internet then this is just not possible, to reach RFC 1918 address space.
If the outside network is some 10.x or 192.x or 172.x then you can do the same thing you did with the MPLS. They too will need to have a route to 172.16.2.x IP address.
-KS
11-11-2010 07:00 AM
The Outside is a public interface.. and on that I have a /27 scope.. I want to use one of those IPs on outside.. to translate to the
172.26.1.10
Usually I would just do a static translate from, say, 200.200.200.1 -> MPLS 172.26.1.10
But as there is no return route from 172.26.1.10, I cannot do this.
I need to get the 200.200.200.1 outside IP on the Outside interface NATed down to 172.26.1.10, using an IP on the Inside2 interface, i.e. 172.16.2.x, as there is a return route to this network. :)
/Rene
11-11-2010 07:49 PM
Rene,
I am not sure if I understand your requirement here. Seems like you are trying to do everything on the firewall when routes are supposed to be configured properly on the layer 3 devices outside of the firewall. This really isn't the right way to do things.
172.26.1.0/24 lives on the MPLS and a host on that network 172.26.1.10 needs to be accessed from the outside WAN using a 200.x.x.x address. But, when these outside hosts access this server in MPLS the source should actually look like they are coming from 172.16.2.x network. Is this correct?
You need the following:
static (MPLS,outside-WAN) 200.200.200.10 172.26.1.10 net 255.255.255.255
access-list WAN-to-MPLS permit ip any host 200.200.200.10
nat (outside-WAN) 10 access-list WAN-to-MPLS outside
global (MPLS) 10 172.16.2.x
Again, find an unused IP address in the 172.16.2.x range. Also I am assuming outside-WAN is of lower security level than MPLS.
-KS
11-12-2010 01:00 AM
And again you nailed it.. works like a charm. Many, many thanks.
But now that it's working, I'm trying to understand why.. :)
I understand the static on MPLS: static (MPLS,outside-WAN) 200.200.200.10 172.26.1.10 net 255.255.255.255
which is what I normally would do (but this assumes a return route to the MPLS net).
What does this then do? It's a dynamic from outside that, if data hits 200.200.200.10, translates to an IP on 172.16.2.x, but how does this get the data over to the static?
access-list WAN-to-MPLS permit ip any host 200.200.200.10
nat (outside-WAN) 10 access-list WAN-to-MPLS outside
global (MPLS) 10 172.16.2.x
One strange thing though, in ASDM it does now show the pool on the outside dynamic translate.. weird. :)
/Rene
11-12-2010 05:50 AM
Sweet !
Sorry, I just assumed that with the way I rephrased your question - further explanation is not required.
Anyway here goes the explanation:
You need the following:
This - you understand standard static to translate the private IP to a public IP.
static (MPLS,outside-WAN) 200.200.200.10 172.26.1.10 net 255.255.255.255
This is to make all the sources on the outside look like 172.16.2.x when they try to reach 200.200.200.10. Because you said whoever egresses the MPLS interface has to look like 172.16.2.x, as that is the only route on that network.
You are looking to translate both - sources on the high and low security interfaces translated.
access-list WAN-to-MPLS permit ip any host 200.200.200.10
nat (outside-WAN) 10 access-list WAN-to-MPLS outside
global (MPLS) 10 172.16.2.x
As always, rate all the posts that helped you understand and/or resolve the problem.
-KS
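To make the "how does this get the data over to the static?" question concrete, here is a small Python model, added here and not taken from the thread or from Cisco, of the two rules above for one WAN-to-MPLS round trip. It assumes a constructed WAN client 198.51.100.5:40000 (documentation range), a constructed PAT address 172.16.2.50 for the "172.16.2.x" placeholder, and a simple port allocator in place of the ASA's own; the rule order and the return-path dependency on the xlate are what it demonstrates.

```python
from itertools import count

# Constructed model of KS's two pre-8.3 rules (not the ASA's real code path):
#   static (MPLS,outside-WAN) 200.200.200.10 172.26.1.10 netmask 255.255.255.255
#   nat (outside-WAN) 10 access-list WAN-to-MPLS outside  +  global (MPLS) 10 172.16.2.50
STATIC = {"real_if": "MPLS", "mapped_if": "outside-WAN",
          "mapped": "200.200.200.10", "real": "172.26.1.10"}
OUTSIDE_NAT = {"nat_if": "outside-WAN", "acl_dst": "200.200.200.10",
               "global_if": "MPLS", "global_ip": "172.16.2.50"}

_ports = count(1024)   # PAT port allocator (constructed; the ASA chooses its own ports)
xlate = {}             # (global_ip, mapped_port) -> (real WAN src ip, real src port)

def inbound(src, sport, dst, in_if):
    """Packet arriving on in_if; returns (src, sport, dst, out_if) after translation."""
    if in_if != STATIC["mapped_if"] or dst != STATIC["mapped"]:
        return None                                   # no rule in this model covers it
    # 1. Static: destination 200.200.200.10 is untranslated to 172.26.1.10 and the
    #    packet is sent out the static's real interface (MPLS).
    real_dst, out_if = STATIC["real"], STATIC["real_if"]
    # 2. Outside NAT: the policy ACL is matched on the packet as it arrived
    #    (dst still 200.200.200.10); the egress interface picks global (MPLS) 10.
    if (in_if == OUTSIDE_NAT["nat_if"] and dst == OUTSIDE_NAT["acl_dst"]
            and out_if == OUTSIDE_NAT["global_if"]):
        mapped_port = next(_ports)
        xlate[(OUTSIDE_NAT["global_ip"], mapped_port)] = (src, sport)
        return (OUTSIDE_NAT["global_ip"], mapped_port, real_dst, out_if)
    return (src, sport, real_dst, out_if)             # static only: reply has no route back

def reply(src, dst, dport, in_if):
    """Return packet from the MPLS host; both translations are reversed via the xlate."""
    if in_if != STATIC["real_if"] or src != STATIC["real"]:
        return None
    real = xlate.get((dst, dport))
    if real is None:
        return None                                   # no xlate: MPLS side cannot initiate
    real_dst, real_dport = real
    return (STATIC["mapped"], real_dst, real_dport, STATIC["mapped_if"])

def trace():
    """One round trip for the constructed WAN client 198.51.100.5:40000."""
    fwd = inbound("198.51.100.5", 40000, "200.200.200.10", "outside-WAN")
    back = reply("172.26.1.10", fwd[0], fwd[1], "MPLS")
    return fwd, back

if __name__ == "__main__":
    print(trace())
```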