
Persistent NAT or address persistency on ASA

Hi All,

Please let me know if we have the option to configure Persistent NAT or address persistency in Cisco ASA.

Please go through below details and my exact requirement:

Our internal network is 10.x.x.x/8. We have a Lan-2-Lan VPN partner (192.168.10.x/24).

We have dual firewall architecture. VPN is configured on ASA (8.2) with IP allowed. Internal firewall is (FWSM 4.2) which is directly connected to ASA.

Our side encryption list configured as

acl-vpn permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

As the partner's network address 192.168.10.x/24 is not routable in our domain, we have done policy based NAT as below:

acl-nat-out2in permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0

nat (outside) 100 access-list  acl-nat-out2in

global (inside) 100 10.80.80.1-10.80.80.254

VPN tunnel is established and working.

Requirement:

When a request comes from the pre NAT IP, the host portion should match with the IP of the NAT pool.

i.e. if the pre NAT IP is 192.168.10.1, then it always should use IP 10.80.80.1 from the pool, and so on.

In Cisco routers we can achieve this by using "type match-host" key word to the ip nat pool.

Likewise, do we have the option in Cisco ASA? I verified many sites/documentations but without success.

Juniper has this option.

Regards, Rajender

Accepted Solution

Hi,

One to one mapping between two networks of equal size can be configured in your case with:

static (outside,inside) 10.80.80.0 192.168.10.0 netmask 255.255.255.0

OR

access-list L2L-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0

static (outside,inside) 10.80.80.0 access-list L2L-VPN-POLICYNAT netmask 255.255.255.0

I might have to double check those (so try at your own risk), but those are the configuration options that came into my mind first. They should keep the original / NAT IP addresses "identical" when it comes to the last portion of the IP address.

- Jouni
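To make the difference between the two NAT styles concrete, here is an added example (not from the thread, and not Cisco code) that models what the netmask-based `static (outside,inside) 10.80.80.0 192.168.10.0 netmask 255.255.255.0` command does: it swaps the network bits and keeps the host bits, so 192.168.10.1 always becomes 10.80.80.1. It also includes a small checker that scans translation-table output for entries where the host portion changed, which is the symptom Rajender observed with the dynamic pool. The `Global X Local Y` line shape and the sample entries are constructed for this example; adapt the regex to whatever your ASA version prints in `show xlate`.

```python
import ipaddress
import re

# Networks from the thread: partner (real) network and the mapped pool.
REAL_NET = ipaddress.ip_network("192.168.10.0/24")
MAPPED_NET = ipaddress.ip_network("10.80.80.0/24")


def static_net_translate(real_ip: str, real_net=REAL_NET, mapped_net=MAPPED_NET) -> str:
    """Model a network-to-network static NAT with a netmask.

    The host bits of real_ip are preserved and only the network bits are
    replaced, which is why the last octet stays identical. Both networks must
    be the same size, exactly as the static command requires.
    """
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("static network NAT needs equal-size real and mapped networks")
    ip = ipaddress.ip_address(real_ip)
    if ip not in real_net:
        raise ValueError(f"{real_ip} is not inside {real_net}")
    host_bits = int(ip) & int(real_net.hostmask)
    return str(ipaddress.ip_address(int(mapped_net.network_address) | host_bits))


# Assumed line shape for translation-table output: "Global <mapped> Local <real>".
XLATE_RE = re.compile(
    r"Global\s+(\d+\.\d+\.\d+\.\d+)\s+Local\s+(\d+\.\d+\.\d+\.\d+)"
)


def find_host_mismatches(xlate_output: str, real_net=REAL_NET, mapped_net=MAPPED_NET):
    """Return (local, global, expected_global) for every translation whose
    host portion differs from what a static network NAT would produce.

    An empty list means every entry for real_net is host-preserving.
    """
    mismatches = []
    for match in XLATE_RE.finditer(xlate_output):
        mapped, real = match.group(1), match.group(2)
        if ipaddress.ip_address(real) not in real_net:
            continue  # entry belongs to some other NAT rule
        expected = static_net_translate(real, real_net, mapped_net)
        if mapped != expected:
            mismatches.append((real, mapped, expected))
    return mismatches


# Constructed sample output: what a dynamic pool might hand out. Only the
# second entry happens to keep its host portion.
SAMPLE_XLATE = """\
Global 10.80.80.223 Local 192.168.10.1
Global 10.80.80.2 Local 192.168.10.2
Global 10.80.80.67 Local 192.168.10.3
"""

if __name__ == "__main__":
    for host in ("192.168.10.1", "192.168.10.2", "192.168.10.254"):
        print(f"{host} -> {static_net_translate(host)}")
    for real, mapped, expected in find_host_mismatches(SAMPLE_XLATE):
        print(f"host portion changed: {real} -> {mapped} (static NAT would give {expected})")
```

Running the checker against a real `show xlate` dump after the change to the static command should yield no mismatches; with the dynamic `nat`/`global` pair it will list every entry whose last octet drifted.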


4 Replies

Julio Carvajal
VIP Alumni

Hello Rajender,

Actually that is how it behaves: if you have a /24 as the pool and the global is a /24 as well, then the ASA will perform a one to one mapping.

You can create captures to check this out.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi jcarvaja,

Thanks for the reply. But I might have not clearly explained my request.

I verified the NAT translations. Firewall is creating a one to one mapping, but each time the pre NAT IP is taking a different IP from the NAT pool (10.80.80.1 - 254).

e.g. two days ago pre NAT IP 192.168.10.1 was mapped to 10.80.80.223. Today it got mapped to 10.80.80.67.

The host portion of the pre NAT should always match with the host portion of the post NAT IP as below:

e.g.: 192.168.10.1   --> 10.80.80.1
      192.168.10.2   --> 10.80.80.2
      192.168.10.3   --> 10.80.80.3
      ...
      192.168.10.254 --> 10.80.80.254

Regards, Rajender


Hi Jouni,

Sorry for very late response.

Thanks for the information. It works fine as per requirement when I configured as below:

static (outside,inside) 10.80.80.0 192.168.10.0 netmask 255.255.255.0

Once again thanks a lot.

Regards, Rajender
