Need quick solution on NAT'g ASA 8.4

Hi Guys,

Here is the scenario:

Source (Inside): 10.0.1.5/24. NAT IP: 10.0.1.25/24 (from the same Inside network).

Destination, learnt via outside: 192.168.1.32/24 (not directly connected, three hops away from the outside interface of the FW).

If I initiate a connection from 10.0.1.5 to 10.0.1.25, it should take me to the 192.168.1.32 network that is learnt via the outside interface (not directly connected).

Can you please help me with what NAT and route solutions are required to accomplish this? Cisco ver 8.4.

Your quick help is appreciated.

Jouni Forss
Mentor

Hi,

To my understanding the format should be the following:

object network SOURCE-HOST
 host 10.0.1.5
object network DESTINATION-MAPPED
 host 10.0.1.25
object network DESTINATION-REAL
 host 192.168.1.32
nat (inside,outside) source static SOURCE-HOST SOURCE-HOST destination static DESTINATION-MAPPED DESTINATION-REAL

Do note that the above doesn't NAT the SOURCE-HOST at all. Is there a need to NAT the SOURCE-HOST?

Hope this helps

Check out my NAT 8.3+ document for some information on the new NAT format and operation. It still has some pretty basic information. Plans are to expand the content at some point.

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Thanks Jouni... I am going to check this out now. To make sure you understood correctly: the connection is initiated from the Inside network and the destination IP is in the same inside network, but it should take him to 192.168.1.32, which is the real IP of a host learnt via the outside interface. I am confirming the source host is not NAT'ed. Please clarify if there is any change required.

Hi,

I am just wondering the following.

The above configuration should handle everything you have stated in the original post. But since we are NOT NATing the source address 10.0.1.5, and it will therefore show to the remote host 192.168.1.32 with its original IP address, WILL the host 192.168.1.32 have a route towards the IP/network 10.0.1.5? Or should we also NAT 10.0.1.5 so it shows up as coming from some NAT IP towards the host 192.168.1.32 for which it has a route? For example, some IP address on the side of the "outside" interface?

- Jouni

Thanks Jouni... Per requirement, the source does not need to be translated. Just a question out of curiosity: the firewall has proxy ARP disabled on all interfaces (e.g., sysopt noproxyarp inside). Do we need to enable it? Once the destination is translated to 192.168.1.32, the outside interface knows how to route it, so is proxy ARP not needed? I am going to test it out in 10 minutes. Please stand by for the update.

Hi,

I am not quite sure about the Proxy ARP in this case. Since you can configure Proxy ARP settings in the NAT rule in certain software versions, I am not sure whether this overrides the "sysopt" configuration even if the ASA is globally set to disable Proxy ARP on a certain interface.

What is the exact version number of the 8.4(x) software you are using?

I guess NAT configurations like this should have Proxy ARP enabled by default starting from 8.4(2).

What I meant with the source IP address NAT was that with the above NAT configuration the host 192.168.1.32 will see the connection coming from the source IP address 10.0.1.5 (since we are not NATing it), and I wonder if the host 192.168.1.32 has a route for this IP address 10.0.1.5 in its closest L3 device? Or would we need to NAT the 10.0.1.5 IP to something the host 192.168.1.32 actually has a return route for?

- Jouni

It did not work... It's 8.4(2)... "sysopt noproxyarp inside" is in the running config. I did a real-time ARP capture on the inside interface.

Output:

arp who-has 10.0.1.25 tell 10.0.1.5

Hi,

So you could see an ARP query but no answer from the ASA?

I guess you will have to try with "no sysopt noproxyarp inside".

I am not sure how your network and inside interface are configured, so I am not sure whether changing this setting will have any effect on your network's operation.

Usually it might be a problem when you have hosts directly connected to the ASA in an L2 network and the hosts need to communicate with each other; in this case the ASA might reply to ARP queries it shouldn't.

I would also monitor the logs through ASDM while attempting the connections to see what happens, and also to confirm that the correct NAT rule is hit.

You can confirm this with "packet-tracer" also, whose output you could post for us:

packet-tracer input inside tcp 10.0.1.5 12345 10.0.1.25

- Jouni

Packet tracer shows no problem. It hits the right NAT command (I tried using auto NAT as well):

object network obj-192.168.1.32
 nat (outside,inside) static 10.0.1.25

No drops in the packet tracer. Probably we need to check by enabling proxy ARP on inside. Is there anything we are missing to make this work?

Hi,

Well, if it doesn't work with Proxy ARP disabled I would test with Proxy ARP enabled, as I said above. But I don't know how your network is built, I mean whether this setting change could cause any problems.

If the "inside" hosts use the ASA as their gateway you should be able to see on the host directly if it can get an ARP entry for the NAT IP address you configured.

For example, in the Windows Command Prompt:

arp -a

- Jouni
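The thread's sticking point is that the mapped address 10.0.1.25 sits inside the host's own /24, so the host ARPs for it directly instead of sending the packet to its gateway; if the ASA does not answer that ARP, the frame never reaches the firewall, which is why packet-tracer (which injects the packet past ARP) shows the NAT rule hit and no drop while the real connection fails. The following Python model is an added example written for this page, not Cisco code or anything posted in the thread; it simulates the host's ARP decision, a simplified "sysopt noproxyarp" check, and the twice-NAT rule from Jouni's first reply. The ASA interface addresses 10.0.1.1 and 203.0.113.1 are assumptions (the thread never states them), and the real ASA proxy-ARP and NAT logic has more cases than modelled here.

```python
"""Constructed model of the thread's scenario: an inside host dials a mapped IP
that lies in its own subnet; the ASA must (a) answer the ARP for that mapped IP
and (b) apply the twice-NAT rule that rewrites the destination to the real host.
This is a simulation for illustration, not ASA code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatRule:
    """One 'nat (real_if,mapped_if) source static ... destination static ...' line."""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str   # address the inside host actually dials
    dst_real: str     # address the ASA forwards to


@dataclass
class Asa:
    interfaces: dict                              # name -> "ip/prefix" (assumed values)
    rules: list
    noproxyarp: set = field(default_factory=set)  # interfaces with 'sysopt noproxyarp'

    def answers_arp(self, iface: str, target: str) -> bool:
        """Would the ASA reply to 'arp who-has <target>' heard on iface?"""
        own = str(ipaddress.ip_interface(self.interfaces[iface]).ip)
        if target == own:
            return True                   # its own interface address is always answered
        if iface in self.noproxyarp:
            return False                  # proxy ARP disabled on this interface
        # Proxy ARP for a mapped destination address owned by a NAT rule on iface
        return any(r.real_if == iface and r.dst_mapped == target for r in self.rules)

    def translate(self, in_if: str, src: str, dst: str):
        """First matching rule wins; returns (egress_if, new_src, new_dst) or None."""
        for r in self.rules:
            if r.real_if == in_if and src == r.src_real and dst == r.dst_mapped:
                return r.mapped_if, r.src_mapped, r.dst_real
        return None


def host_next_hop(host_cidr: str, dst: str, gateway: str) -> str:
    """A host ARPs directly for on-subnet destinations, otherwise for its gateway."""
    net = ipaddress.ip_interface(host_cidr).network
    return dst if ipaddress.ip_address(dst) in net else gateway


def simulate(asa: Asa, host_cidr: str, gateway: str, dst: str) -> dict:
    """Walk one connection attempt from the host through ARP and NAT on the ASA."""
    src = str(ipaddress.ip_interface(host_cidr).ip)
    arp_target = host_next_hop(host_cidr, dst, gateway)
    if not asa.answers_arp("inside", arp_target):
        # The frame never reaches the ASA: no NAT rule is hit and no drop is logged,
        # which is exactly what the thread's ARP capture shows.
        return {"stage": "arp", "ok": False, "arp_target": arp_target}
    result = asa.translate("inside", src, dst)
    if result is None:
        return {"stage": "nat", "ok": False, "arp_target": arp_target}
    egress, new_src, new_dst = result
    return {"stage": "forward", "ok": True, "arp_target": arp_target,
            "egress": egress, "src": new_src, "dst": new_dst}


# Values from the thread; the ASA interface addresses are assumptions.
RULE = NatRule("inside", "outside", "10.0.1.5", "10.0.1.5", "10.0.1.25", "192.168.1.32")


def build_asa(proxy_arp_inside: bool) -> Asa:
    """ASA with the thread's NAT rule, with or without 'sysopt noproxyarp inside'."""
    return Asa({"inside": "10.0.1.1/24", "outside": "203.0.113.1/24"}, [RULE],
               noproxyarp=set() if proxy_arp_inside else {"inside"})


if __name__ == "__main__":
    for enabled in (False, True):
        print("proxy ARP on inside:", enabled, "->",
              simulate(build_asa(enabled), "10.0.1.5/24", "10.0.1.1", "10.0.1.25"))
```

With proxy ARP disabled the model stops at the ARP stage with the target 10.0.1.25 unanswered; with it enabled the same packet is forwarded out "outside" to 192.168.1.32 with its source left as 10.0.1.5, matching Jouni's untranslated-source rule. When enabling proxy ARP on an interface that hosts other directly connected machines, check afterwards with "arp -a" on a host that the ASA is not now answering for addresses it should not own.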
