Policy NAT

Bruce Summers
Level 1

Hi,

I need a little assistance here...I'm trying to do multiple NATs...The intent is to NAT traffic inbound to isolated/non-routable VLANs to the VLAN interface, to give the appearance that the traffic is within the same subnet and keep a couple hundred servers from having to have static routes placed on them....

I presently do this with traffic from VLAN 701 and 702 to VLAN 760 and 770...

However, I have a further requirement to NAT a single address coming out of VLAN 760 to the VLAN interface for VLAN 770. But I have not been able to get this to function...and I'm not entirely sure that I can get it to work...below are the configs/info I'm working with...I removed the configs I have tried to use...

Goal: NAT a single address to the VLAN 770 interface ONLY when traffic is destined for VLAN 770, without breaking any of the other NATting.

nat (Out_of_Band_Server_Mgmt) 1 access-list inside
nat (EBM_SVCS_2) 1 access-list PNAT702

global (Enterprise_Backup_and_Mgmt) 1 interface
global (Enterprise_Backup_and_Mgmt_2) 1 interface

access-list PNAT702 extended permit ip 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0
access-list PNAT702 extended permit icmp 10.76.169.0 255.255.255.0 192.168.213.0 255.255.255.0

access-list inside extended permit icmp any any
access-list inside extended permit ip any any

interface Vlan701    10.76.168.1
nameif Out_of_Band_Server_Mgmt

interface Vlan702    10.76.169.1
nameif EBM_SVCS_2

interface Vlan760    192.168.212.1
nameif Enterprise_Backup_and_Mgmt

interface Vlan770    192.168.213.1
nameif Enterprise_Backup_and_Mgmt_2


Jennifer Halim
Cisco Employee

Security level will be the important information that is required to further see how NATing can be done.

Also, can you please share all the current NAT, Global and Static NAT statements with all the corresponding access-lists, so we can see if there is any overlapping.

Thanks Jennifer,

All NAT and ACL info is in my post...there's nothing else in relation to this NATting.

interface Vlan701
 security-level 25
!
interface Vlan702
 security-level 26
!
interface Vlan760
 security-level 20
!
interface Vlan770
 security-level 21

Bruce

Hi Bruce,

However, I have a further requirement to NAT a single address coming out of VLAN 760 to the VLAN interface for VLAN 770.

Goal: NAT a single address to the VLAN 770 interface ONLY when traffic is destined for VLAN 770, without breaking any of the other NATting.

Are you saying that you want to NAT traffic going from Vlan 760 destined to one of the ip addresses in vlan 770, and the translated ip address should be Vlan 770's interface ip address?

Please elaborate

Regards,

Praveev

Thanks for the response Praveev,

Almost.

I want to NAT a single address in VLAN 760 to the interface of VLAN 770 when traffic is sourced from 760 and destined for 770...the intent is to make the 760 traffic appear as though it is in 770's subnet, to keep from having to put static routes on the servers (hundreds of them)...

Bruce

OK, so traffic is sourced from low security level (20) to high security level (21). You can't just configure dynamic NAT for that.

Here is the configuration that you will need:

static (Enterprise_Backup_and_Mgmt_2,Enterprise_Backup_and_Mgmt) 192.168.213.0 192.168.213.0 netmask 255.255.255.0

access-list Enterprise_Backup_and_Mgmt-NAT permit ip 192.168.212.0 255.255.255.0 192.168.213.0 255.255.255.0

nat (Enterprise_Backup_and_Mgmt) 1 access-list Enterprise_Backup_and_Mgmt-NAT outside

Then "clear xlate" after the above.
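Added example, not code from the thread or from Cisco: a small Python model of the pre-8.3 dynamic NAT decision the reply above describes, built from the thread's interface names, security levels and access-lists. It assumes /24 masks on all four VLAN interfaces (the post shows only the addresses) and models only the dynamic/PAT side; the static identity entry that lets Vlan770 hosts be reached from the lower-security Vlan760 is not modelled.

```python
import ipaddress as ipa

# Constructed model of the thread's four FWSM interfaces: (address, security
# level). The /24 masks are an assumption; the post shows only the address.
INTERFACES = {
    "Out_of_Band_Server_Mgmt": ("10.76.168.1/24", 25),
    "EBM_SVCS_2": ("10.76.169.1/24", 26),
    "Enterprise_Backup_and_Mgmt": ("192.168.212.1/24", 20),
    "Enterprise_Backup_and_Mgmt_2": ("192.168.213.1/24", 21),
}
# access-list name -> list of (source, destination) networks
ACLS = {
    "inside": [("0.0.0.0/0", "0.0.0.0/0")],
    "PNAT702": [("10.76.169.0/24", "192.168.213.0/24")],
    "Enterprise_Backup_and_Mgmt-NAT": [("192.168.212.0/24", "192.168.213.0/24")],
}
# global (interface) nat_id interface  ->  PAT to the egress interface address
GLOBALS = {("Enterprise_Backup_and_Mgmt", 1), ("Enterprise_Backup_and_Mgmt_2", 1)}
# nat (ingress) nat_id access-list acl [outside]
ORIGINAL = [("Out_of_Band_Server_Mgmt", 1, "inside", False),
            ("EBM_SVCS_2", 1, "PNAT702", False)]
FIXED = ORIGINAL + [
    ("Enterprise_Backup_and_Mgmt", 1, "Enterprise_Backup_and_Mgmt-NAT", True)]

def connected_interface(ip):
    """Connected-route lookup: the interface whose subnet contains ip."""
    for name, (addr, _) in INTERFACES.items():
        if ip in ipa.ip_interface(addr).network:
            return name
    raise LookupError(f"no connected route for {ip}")

def translate(src, dst, nat_rules):
    """Return (translated source, egress interface), or None if no rule applies."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    ingress, egress = connected_interface(src), connected_interface(dst)
    for rule_if, nat_id, acl, outside in nat_rules:
        if rule_if != ingress:
            continue
        # Dynamic NAT only applies from higher to lower security level unless
        # the rule carries the "outside" keyword, which is the fix in the thread.
        if INTERFACES[ingress][1] < INTERFACES[egress][1] and not outside:
            continue
        if not any(src in ipa.ip_network(s) and dst in ipa.ip_network(d)
                   for s, d in ACLS[acl]):
            continue
        if (egress, nat_id) in GLOBALS:
            return str(ipa.ip_interface(INTERFACES[egress][0]).ip), egress
    return None
```

With ORIGINAL, a Vlan760 host sent towards Vlan770 gets no translation at all; with FIXED it is PATed to 192.168.213.1, while the existing 701/702 translations are unchanged.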

How did it go? Does it work?

If it does, please kindly mark the post as answered and rate useful posts. Otherwise, please provide more information on the failure and we can assist further.

I'm afraid I didn't get a chance to implement/test today...too many fires...

I have a question: are you a TAC engineer? I recognize your name for some reason.

Good memory, I used to be in the TAC

Lol...you have helped me many times. Not with TAC any more?

When I get this implemented, I'll holler and let you know...

Can I pose a separate question concerning running a DHCP service on your firewall?

Sure, go ahead.

Is running DHCP services for clients very resource intensive? We had a big discussion about whether we should or shouldn't. But in the end it boils down to: is there any "technical" reason we shouldn't?

I think no, unless it overly tasks the firewall to do so.

You are right, running DHCP services wouldn't be resource intensive. How big is the user base and which model of ASA are you running?

It's actually an FWSM...In this case, we're issuing out, in 3 subnets, about 150 addresses...

Bruce
