OS 8.3 Dynamic NAT issue caused by changing NAT IP

aaronkite
Level 1

Hoping someone can help me here.  I have a dynamic NAT pool set up to translate about 200 IPs on the inside to 20.  I have 10 ACLs, where the inside hosts/networks can connect to multiple hosts over multiple protocols/ports.  The inside users have to authenticate to a Checkpoint over TCP/259.  When they do that, they receive an IP (192.168.1.1 for example) from the NAT pool.  The problem has been when they later open an HTTPS session, they get another IP (192.168.1.2 for example).  The Checkpoint doesn't like this, and kills the initial session (because I guess either .1 is not responding or something else I do not know), then after the authentication is terminated the HTTPS is subsequently terminated.  I'm looking for help on how to keep the initial 192.168.1.1 IP for the inside host who initiated the TCP/259, then subsequently opens connections from their machine over HTTPS, and a few other protocols/ports.  Thanks for any advice/solutions.  This is an ASA 5585 multi-context and running a flavor of 8.3x.

4 Replies

Julio Carvajal
VIP Alumni

Hello,

You could do a Policy NAT, where basically you configure the NAT rules with regard to the destination IP address and service if needed.

What do you think?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have a Dynamic NAT and doing a twice NAT.  The connection works initially when the inside host makes a connection to the outside host over TCP/259 (this is to authenticate to a Checkpoint firewall).  Translation on the inside (192.168.1.1).  Then when that same inside host opens a browser and navigates to another IP on the outside, a different ACL is applied.  When that ACL is applied, the NAT changes from .1 to .2.  When that happens, the Checkpoint firewall shuts down the initial authentication session, and that ends the whole connection for the inside host.

Is there a way to make the NAT only apply to the first session, so that any subsequent sessions would not get a new NAT IP?  I want it to keep the 192.168.1.1 the Checkpoint firewall sees for authentication.

Hi,

The question still is why would your host match 2 different NAT rules?

If you have Dynamic NAT configured then your host should receive a single NAT IP address and be visible with that IP address and avoid the above problem.

Sounds to me like you have a separate NAT configuration for the Checkpoint traffic and other outbound traffic?

I am not sure what ACLs you are referring to? You are talking about Twice NAT (new software) and ACL which would seem to indicate older software, that is if you are talking about NAT related ACLs.

- Jouni

Jouni Forss
VIP Alumni

Hi,

Would really need to see some configurations.

I would imagine if you have 200 hosts using a 20 address NAT pool that you also have configured a PAT. It would seem to me that 20 hosts should at least get their own IP address from the NAT pool and I am not sure why that would get changed unless the translations/connections time out?

Is this NAT Pool consisting of public IP addresses? I presume that it is since you are using such a small pool for 200 users?

But as I said, would probably have to make sure why the host would get another IP address just because it connects with HTTPS? Would seem to me that you are already using some kind of Policy NAT/PAT if you are experiencing this.

- Jouni
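To make the point of the thread concrete, here is an added ASA 8.3 configuration sketch that is not the original poster's configuration and not from either reply. It shows the kind of setup that produces the behaviour described (two destination-specific twice NAT rules for the same inside hosts, each drawing from its own pool, so the same host is seen from two mapped addresses) next to a single source-based rule that every outbound connection from a host matches, so the host keeps one translation for the Checkpoint session and the HTTPS sessions alike. All object names and addresses (INSIDE-USERS, CHECKPOINT-GW, WEB-FARM, the POOL-* objects and the 10.10.0.0/24 and 192.168.x.x ranges) are constructed placeholders; the "interface" keyword at the end of the object NAT line gives PAT fallback to the outside interface address once the pool is exhausted, which is the usual way to cover 200 hosts with a 20-address pool.

```text
! Constructed example, not the poster's configuration. Addresses and object
! names are placeholders for illustration only.

! --- Before: per-destination twice NAT, each rule with its own pool ---------
object network INSIDE-USERS
 subnet 10.10.0.0 255.255.255.0
object network CHECKPOINT-GW
 host 192.168.100.10
object network WEB-FARM
 subnet 192.168.200.0 255.255.255.0
object network POOL-A
 range 192.168.1.1 192.168.1.10
object network POOL-B
 range 192.168.1.11 192.168.1.20

! Rule 1: only traffic to the Checkpoint gateway, mapped from POOL-A
nat (inside,outside) source dynamic INSIDE-USERS POOL-A destination static CHECKPOINT-GW CHECKPOINT-GW
! Rule 2: only traffic to the web farm, mapped from POOL-B
nat (inside,outside) source dynamic INSIDE-USERS POOL-B destination static WEB-FARM WEB-FARM
! A host that authenticates (rule 1) and then browses (rule 2) matches two
! different rules and is seen from two different mapped addresses, which is
! what the thread describes.

! --- After: one source-based rule with no destination qualifier ------------
object network POOL-ALL
 range 192.168.1.1 192.168.1.20
object network INSIDE-USERS
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic POOL-ALL interface
! Every outbound connection from a given host now matches this one rule, so
! the host keeps the mapped address it was given for its first connection
! (subject to the xlate timeout) regardless of destination or service.

! --- Checks ----------------------------------------------------------------
! Confirm the rule order and hit counts, then watch the mapped address a
! single inside host is given across its connections:
! show nat detail
! show xlate | include 10.10.0.25
! show running-config timeout
```

If destination-specific rules are still needed for other reasons (for example to exempt a VPN range), keep them above the catch-all rule but point them at the same POOL-ALL object, and compare `show xlate` output for one host before and after the change to confirm it is no longer allocated a second mapped address.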
