03-19-2015 08:14 AM - edited 03-11-2019 10:39 PM
Hi all
I can't quite hit the nail on the head with this one. Any help would be very much appreciated please :)
Cisco ASA 5505
Running 8.4(1)
Example of what I am trying to do (I've basically run out of public IPs and need to direct access to certain hosts and services inside, but for complicated reasons I won't go into, as it won't help here and would just complicate things more for no reason, they can't be on the 'general usage' IP, so I need to share some of these other public IPs).
Public IP range: 12.34.56.1 - 12.34.56.5
Internal IP range: 192.168.1.1 - 192.168.1.254
12.34.56.5:
'General usage' IP. So by default everything goes in and out on this IP.
12.34.56.1:
Port 443 goes to 192.168.1.2
Port 80 goes to 192.168.1.3
Traffic from 192.168.1.2 and 192.168.1.3 to the internet comes from 12.34.56.1
12.34.56.2/.3/.4:
These are all dedicated to certain servers and work fine.
Bits of the config I think are relevant (please say if I've missed something):
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.34.56.5 255.255.255.248
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network NAT-IP-1
 host 12.34.56.1
object network server-2
 host 192.168.1.2
object network server-3
 host 192.168.1.3
object-group network SOURCE-ADDRESSES-2
 network-object host 192.168.1.2
 network-object host 192.168.1.3
access-list outside_access extended permit tcp any object server-2 eq https
access-list outside_access extended permit tcp any object server-3 eq www
nat (inside,outside) source dynamic SOURCE-ADDRESSES-2 NAT-IP-1
object network LAN
 nat (inside,outside) dynamic interface
object network server-2
 nat (inside,outside) static NAT-IP-1 service tcp https https
Traffic for server-2 and server-3 goes out on 12.34.56.1 instead of 12.34.56.5, that's fine. The port forwarding isn't happening though.
This results in this in the log:
4 Mar 19 2015 15:00:45 106023 5.6.7.8 53966 12.34.56.1 443 Deny tcp src outside:5.6.7.8/53966 dst outside:5.6.7.8/443 by access-group "outside_access" [0x0, 0x0]
If I do a packet trace it's just not showing the NAT entries expected (and the log above doesn't show the destination as the LAN IP either as expected):
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.34.56.1 255.255.255.248 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What am I messing up with the NATing/port forwarding please?
Thank you!
Edit: Sorry John. Typo - corrected!
03-19-2015 12:14 PM
Just for your reference, there is a great document, if you haven't already seen it, that covers NAT and the ordering and helps explain your issue.
It also has recommendations as to which sections certain NAT rules should go -
Jon
03-19-2015 10:12 AM
Edit - ignore, just noticed interface IP is 12.34.56.5 :-)
Jon
03-19-2015 12:28 PM
So I've just changed it to static NAT all round (I did find another post earlier that I was using as a base for all this that used dynamic, so I did too, but it wasn't quite trying to do the same thing).
Now: the first rule for https works, but then for http it's trying to forward to the same LAN IP (server-2) as https, not the server-3 one for http.
nat (inside,outside) source static SOURCE-ADDRESSES-2 NAT-IP-1
object network server-2
nat (inside,outside) static NAT-IP-1 service tcp https https
object network server-3
nat (inside,outside) static NAT-IP-1 service tcp http http
I've just seen lots of new replies, thank you so much everyone. I'm going home now and will go through them with a fresh head tomorrow morning :)
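The NAT-ordering point Jon raises, and the symptom in the follow-up post (http landing on server-2), can be reproduced with a small model of how the ASA consults its NAT sections for inbound un-NAT lookups. This is an added example, not the thread's own configuration or Cisco's code; the section ordering, the "dynamic rule owns the mapped address" behaviour and the "many-to-one static maps to the first real host" behaviour are assumptions of the model, and the `after-auto` placement in the third scenario is a constructed variant, not what the poster ended up doing.

```python
# Constructed model of the ASA NAT lookup order for inbound (un-NAT) traffic; not
# Cisco's code. Assumptions: section 1 (manual) is consulted before section 2 (object
# NAT) before section 3 (after-auto); inside section 2 static rules precede dynamic;
# a dynamic rule that owns the mapped address ends the lookup, because dynamic NAT
# does not allow inbound-initiated connections; a static many-to-one rule untranslates
# to the first real address of its group.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    section: int               # 1 = manual, 2 = object NAT, 3 = after-auto
    kind: str                  # "static" or "dynamic"
    real: Tuple[str, ...]      # real (inside) addresses, in configured order
    mapped: str                # mapped (outside) address
    service: Optional[Tuple[int, int]] = None   # (real_port, mapped_port); None = any

def evaluation_order(rules):
    # Stable sort: configuration order is kept inside each bucket.
    return sorted(rules, key=lambda r: (r.section, r.section == 2 and r.kind == "dynamic"))

def un_nat(rules, dst_ip, dst_port):
    """Real (ip, port) for an inbound packet, or None when nothing untranslates it
    and it reaches the ACL still carrying its outside address (the thread's log)."""
    for r in evaluation_order(rules):
        if r.mapped != dst_ip or (r.service and r.service[1] != dst_port):
            continue
        if r.kind == "dynamic":
            return None                     # PAT pool address: no inbound un-NAT
        return (r.real[0], r.service[0] if r.service else dst_port)
    return None

NAT_IP_1, S2, S3 = "12.34.56.1", "192.168.1.2", "192.168.1.3"

def original():   # first config in the thread: dynamic twice NAT in section 1
    return [Rule(1, "dynamic", (S2, S3), NAT_IP_1),
            Rule(2, "static", (S2,), NAT_IP_1, (443, 443)),
            Rule(2, "dynamic", ("192.168.1.0/24",), "12.34.56.5")]

def revised():    # "static NAT all round" from the follow-up post
    return [Rule(1, "static", (S2, S3), NAT_IP_1),
            Rule(2, "static", (S2,), NAT_IP_1, (443, 443)),
            Rule(2, "static", (S3,), NAT_IP_1, (80, 80))]

def reordered():  # constructed variant: the many-to-one rule moved to after-auto
    return [Rule(3, "static", (S2, S3), NAT_IP_1),
            Rule(2, "static", (S2,), NAT_IP_1, (443, 443)),
            Rule(2, "static", (S3,), NAT_IP_1, (80, 80))]
```

With the first config both ports are swallowed by the section 1 dynamic rule and nothing is untranslated, matching the packet-tracer output with no UN-NAT phase; with the revised config the section 1 many-to-one static sends port 80 to server-2, and only when the per-host service rules in section 2 are consulted first does port 80 reach server-3.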