02-08-2011 03:50 AM - edited 03-11-2019 12:46 PM
Hi,
I need a little assistance here... I'm trying to do multiple NATs... The intent is to NAT traffic inbound to isolated/non-routable VLANs to the VLAN interface, to give the appearance the traffic is within the same subnet and keep a couple hundred servers from having to have static routes placed on them...
I presently do this with traffic from VLAN 701 and 702 to VLAN 760 and 770...
However, I have a further requirement to NAT a single address coming out of VLAN 760 to the VLAN interface for VLAN 770. But I have not been able to get this to function... and I'm not entirely sure that I can get it to work... Below are the configs/info I'm working with... I removed the configs I have tried to use...
Goal: NAT a single address to the interface of VLAN 770 ONLY when traffic is destined for VLAN 770, without breaking any of the other NATting.
nat (Out_of_Band_Server_Mgmt) 1 access-list inside
nat (EBM_SVCS_2) 1 access-list PNAT702
global (Enterprise_Backup_and_Mgmt) 1 interface
global (Enterprise_Backup_and_Mgmt_2) 1 interface
access-list PNAT702 extended permit ip 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list PNAT702 extended permit icmp 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
interface Vlan701 10.76.168.1
nameif Out_of_Band_Server_Mgmt
interface Vlan702 10.76.169.1
nameif EBM_SVCS_2
interface Vlan760 192.168.212.1
nameif Enterprise_Backup_and_Mgmt
interface Vlan770 192.168.213.1
nameif Enterprise_Backup_and_Mgmt_2
02-08-2011 03:55 AM
Security level will be the important information that is required to further see how NATing can be done.
Also, can you please share all the current NAT, Global and Static NAT statements with all the corresponding access-list so we can see if there is any overlapping.
02-08-2011 04:10 AM
Thanks Jennifer,
All NAT and ACL info is in my post... there's no other in relation to this NATting.
interface Vlan701
security-level 25
!
interface Vlan702
security-level 26
!
interface Vlan760
security-level 20
!
interface Vlan770
security-level 21
Bruce
02-08-2011 04:01 AM
Hi Bruce,
However, I have a further requirement to nat a single address coming out of vlan 760 to the vlan interface for vlan 770.
Goal: nat a single address to the interface of vlan 770 ONLY when traffic is destined for vlan 770 without breaking any of the other natting.
Are you saying that you want to NAT traffic going from Vlan 760 destined to one of the IP addresses in Vlan 770, and the translated IP address should be Vlan 770's interface IP address?
Please elaborate.
Regards,
Praveev
02-08-2011 04:13 AM
Thanks for the response Praveev,
Almost.
I want to NAT a single address in VLAN 760 to the interface of VLAN 770 when traffic is sourced from 760 destined for 770... the intent is to make the 760 traffic appear as though it is in 770's subnet, to keep from having to put static routes on the servers (100s of them)...
Bruce
02-08-2011 04:54 AM
OK, so traffic is sourced from low security level (20) to high security level (21). You can't just configure dynamic NAT for that.
Here is the configuration that you will need:
static (Enterprise_Backup_and_Mgmt_2,Enterprise_Backup_and_Mgmt) 192.168.213.0 192.168.213.0 netmask 255.255.255.0
access-list Enterprise_Backup_and_Mgmt-NAT permit ip 192.168.212.0 255.255.255.0 192.168.213.0 255.255.255.0
nat (Enterprise_Backup_and_Mgmt) 1 access-list Enterprise_Backup_and_Mgmt-NAT outside
Then "clear xlate" after the above.
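To see why the "outside" keyword and the identity static matter in the answer above, here is an added example (not code from the thread, not Cisco's logic) that parses the pre-8.3 nat/global/static/access-list lines posted in the thread and walks a flow through the order the old syntax applies translations in: NAT exemption first, then static, then a dynamic nat/global pair, with dynamic NAT towards a higher security level only honoured when the nat line carries "outside". It only understands the command forms used in this thread; the interface IPs and security levels are the ones Bruce posted, and the sample hosts (192.168.212.50, 192.168.213.10, 10.76.169.20) are constructed.

```python
"""Toy evaluator of pre-8.3 (ASA/FWSM) source-NAT selection for one flow.

Models the old ordering: nat 0 access-list (exemption), then static, then
dynamic nat/global pairs. Only the command forms used in the thread are parsed;
this illustrates the ordering and does not replace "show nat" / "show xlate".
"""
import ipaddress
import re

# Interface facts as posted in the thread: nameif -> (ip, security-level).
INTERFACES = {
    "Out_of_Band_Server_Mgmt": ("10.76.168.1", 25),
    "EBM_SVCS_2": ("10.76.169.1", 26),
    "Enterprise_Backup_and_Mgmt": ("192.168.212.1", 20),
    "Enterprise_Backup_and_Mgmt_2": ("192.168.213.1", 21),
}

# Bruce's existing NAT/ACL lines followed by the three lines Jennifer suggested.
CONFIG = """
nat (Out_of_Band_Server_Mgmt) 1 access-list inside
nat (EBM_SVCS_2) 1 access-list PNAT702
global (Enterprise_Backup_and_Mgmt) 1 interface
global (Enterprise_Backup_and_Mgmt_2) 1 interface
access-list PNAT702 extended permit ip 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list PNAT702 extended permit icmp 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
static (Enterprise_Backup_and_Mgmt_2,Enterprise_Backup_and_Mgmt) 192.168.213.0 192.168.213.0 netmask 255.255.255.0
access-list Enterprise_Backup_and_Mgmt-NAT permit ip 192.168.212.0 255.255.255.0 192.168.213.0 255.255.255.0
nat (Enterprise_Backup_and_Mgmt) 1 access-list Enterprise_Backup_and_Mgmt-NAT outside
"""


def _net(tok, i):
    """Parse one ACL address operand at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text):
    """Collect access-list, nat, global and static lines into one dict."""
    cfg = {"acl": {}, "nat": [], "global": {}, "static": []}
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2
            action, proto = tok[i], tok[i + 1]
            src, i = _net(tok, i + 2)
            dst, _ = _net(tok, i)
            cfg["acl"].setdefault(tok[1], []).append((action, proto, src, dst))
        elif tok[0] == "nat":
            m = re.fullmatch(r"nat \((\S+)\) (\d+) access-list (\S+)( outside)?", line)
            cfg["nat"].append({"if": m[1], "id": int(m[2]), "acl": m[3],
                               "outside": m[4] is not None})
        elif tok[0] == "global":
            m = re.fullmatch(r"global \((\S+)\) (\d+) interface", line)
            cfg["global"][(m[1], int(m[2]))] = "interface"  # PAT to egress IP
        elif tok[0] == "static":
            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            m = re.fullmatch(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
            cfg["static"].append({"real_if": m[1], "mapped_if": m[2],
                                  "mapped": ipaddress.ip_network(f"{m[3]}/{m[5]}"),
                                  "real": ipaddress.ip_network(f"{m[4]}/{m[5]}")})
    return cfg


def _acl_permits(cfg, name, proto, src, dst):
    """First-match evaluation of a NAT access-list for one src/dst pair."""
    for action, aproto, anet, bnet in cfg["acl"].get(name, []):
        if aproto in (proto, "ip") and src in anet and dst in bnet:
            return action == "permit"
    return False


def translate_source(cfg, interfaces, ingress, egress, src, dst, proto="ip"):
    """Return (method, translated source) for a flow from ingress to egress."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) beats every other translation.
    for n in cfg["nat"]:
        if n["id"] == 0 and n["if"] == ingress and _acl_permits(cfg, n["acl"], proto, src, dst):
            return "exempt", str(src)
    # 2. Static translations are consulted before dynamic ones.
    for s in cfg["static"]:
        if s["real_if"] == ingress and s["mapped_if"] == egress and src in s["real"]:
            offset = int(src) - int(s["real"].network_address)
            return "static", str(s["mapped"].network_address + offset)
    # 3. Policy dynamic NAT: the nat id must pair with a global on the egress side.
    lower_to_higher = interfaces[ingress][1] < interfaces[egress][1]
    for n in cfg["nat"]:
        if n["if"] != ingress or n["id"] == 0 or not _acl_permits(cfg, n["acl"], proto, src, dst):
            continue
        if lower_to_higher and not n["outside"]:
            continue  # pre-8.3 ignores this nat line towards a higher security level
        if cfg["global"].get((egress, n["id"])) == "interface":
            return "dynamic-pat", interfaces[egress][0]
    return "none", str(src)


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(translate_source(cfg, INTERFACES, "Enterprise_Backup_and_Mgmt",
                           "Enterprise_Backup_and_Mgmt_2", "192.168.212.50", "192.168.213.10"))
```

Running the flow from VLAN 760 to VLAN 770 through the parsed config gives a dynamic PAT to 192.168.213.1; dropping the "outside" keyword from the nat line makes the same flow fall through untranslated, which is the "can't just configure dynamic NAT" point above. The reverse direction (770 to 760) hits the identity static and keeps its real address.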
02-08-2011 02:57 PM
How did it go? Does it work?
If it does, please kindly mark the post as answered and rate useful posts. Otherwise, please provide more information on the failure and we can assist further.
02-08-2011 03:07 PM
I'm afraid I didn't get a chance to implement/test today... too many fires...
I have a question: are you a TAC engineer? I recognize your name for some reason.
02-08-2011 03:13 PM
Good memory, I used to be in the TAC
02-08-2011 03:18 PM
Lol... you have helped me many times. Not with TAC any more?
When I get this implemented, I'll holler and let ya know...
02-08-2011 04:16 PM
Can I pose a separate question concerning running a DHCP service on your firewall?
02-08-2011 04:18 PM
Sure, go ahead.
02-08-2011 04:24 PM
Is running DHCP services for clients very resource intensive? We had a big discussion about whether we should or shouldn't. But in the end it boils down to: is there any "technical" reason we shouldn't?
I think no, unless it overly tasks the firewall to do so.
02-08-2011 04:44 PM
You are right, running DHCP services wouldn't be resource intensive. How big is the user base and which model of ASA are you running?
02-08-2011 04:48 PM
It's actually a FWSM... In this case, we're issuing out, in 3 subnets, about 150 addresses...
Bruce