NAT with inside/dmz VLANs on ASA-5505

Hi,

I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.

The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers, as well as dynamic NAT for all devices on inside to gain access to the Internet. The main bits of the config are below:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.248
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network host1-rdp
 host 192.168.1.123
 nat (inside,outside) static interface service tcp 3389 3389
[...etc...]

I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a Base license I have configured "no forward interface" to the inside VLAN, which suits the purpose fine:

interface Vlan12
 description Used only for guests access to the Internet - no access to the corporate resources
 no forward interface Vlan1
 nameif guests
 security-level 20
 ip address 192.168.2.1 255.255.255.0

My problem is that when I try to add NAT from the dmz to the outside I get:

     ERROR: Address a.b.c.d overlaps with outside interface address.
     ERROR: NAT Policy is not downloaded

with either:

object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic interface

[... or ...]

object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic a.b.c.d

Having had a look at the ASA configuration guides, all the examples I can see with several "internal" VLANs being NATed use one external IP per VLAN - is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NAT for the inside VLAN, which is done on the "any" 0.0.0.0 subnet? Would the following then work:

object network obj_any
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic a.b.c.d

Thanks in advance for the help.


5 Replies

Jennifer Halim
Cisco Employee

Yes, you would need to be more specific with the NAT statement instead of using "any" for the inside NAT.

Your posted commands, as follows, are the correct ones:

object network obj_inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic a.b.c.d

Hi, Jennifer,

Thanks for that - as the ASA is on a production network, can I just check a couple of things with you to avoid playing with a live config too much:

- there's no need for a second external IP - the current single one will do, correct?

- there is no change necessary to the static NAT done for various servers to have one port "exposed" to the outside?

Olivier

Yes, correct, there is no need for a second external IP; the current single one would do.

And yes to your second question too: no changes need to be made to your static NAT statements.

BTW, if you are actually using the outside interface IP address for the NAT, then use the keyword "interface" instead of the actual IP address of the outside interface. However, if you are using a spare public IP, or the same public IP as your inside dynamic NAT for the guest network, then what you have posted is correct.

If it's the interface of the outside, then it should be:

object network obj_inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic interface

Otherwise, if it's a spare public IP, what you have posted is correct.

Thanks for that, Jennifer.

Will test in the next few days and (hopefully) confirm that it's all OK!

Hi, Jennifer

All worked! Thanks for your help.

Olivier
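The configuration the thread converges on, collected into one place as an added example. This is not the original poster's running config and was not taken from the device; it reuses the interface, object and address names from the posts (a.b.c.d stands for the single public address exactly as in the thread), renames the inside object from obj_any to obj_inside as in Jennifer's reply, and keeps the existing static port forward unchanged. The comments on NAT rule ordering and on the guest-to-inside path are general ASA 8.4 behaviour, not something the thread states.

```cisco
! Added example: NAT section after the fix, ASA 8.4(2) on a 5505 Base license.
! a.b.c.d = the single public address from the thread (placeholder, not a real address).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.248
!
interface Vlan12
 description Guest Internet access only - no access to corporate resources
 no forward interface Vlan1
 nameif guests
 security-level 20
 ip address 192.168.2.1 255.255.255.0
!
! Inside: a specific subnet object instead of the 0.0.0.0/0 "any" object
! that produced "Address a.b.c.d overlaps with outside interface address".
object network obj_inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Guests: PAT behind the same outside interface address. A second public
! IP is not required; both subnets share a.b.c.d.
object network guests_subnet
 subnet 192.168.2.0 255.255.255.0
 nat (guests,outside) dynamic interface
!
! Existing static port forward, left exactly as it was. In the object NAT
! section the ASA orders static rules before dynamic rules, so inbound
! tcp/3389 to a.b.c.d still reaches host1-rdp even though obj_inside now
! also uses the interface address.
object network host1-rdp
 host 192.168.1.123
 nat (inside,outside) static interface service tcp 3389 3389
```

Two checks worth running before declaring the guest VLAN done, using made-up addresses (192.168.2.50 as a guest client, 203.0.113.10 as an Internet host): `show nat` should list obj_inside, guests_subnet and host1-rdp with the static rule ahead of the two dynamic ones, and `packet-tracer input guests tcp 192.168.2.50 40000 203.0.113.10 80` should end in an allow with an xlate to a.b.c.d. The mirror test, `packet-tracer input guests tcp 192.168.2.50 40000 192.168.1.123 3389`, should be reported as dropped: `no forward interface Vlan1` blocks the path on the Base license, and even without it the guests interface sits at security-level 20, so traffic initiated towards inside (level 100) is denied unless an access-list on guests explicitly permits it. Keep both of those in place; the NAT rules alone do not isolate the guest network.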
