02-01-2020 01:30 PM
Hi
I am new to ASA, doing practice in EVE-NG with ASAv v9.7.
In this topology I have a server inside with IP address 192.168.1.200 and want to reach the loopback address on R2 with IP 44.44.44.44 with NAT, but I want to practice Twice NAT (destination NAT) and change both source and destination. This is the configuration I have done on the firewall:
Object network real_inside
Host 192.168.1.200
Object network real_outside
Host 44.44.44.44
Object network map_inside
Host 192.168.1.240
Object network map_outside
Host 10.10.14.40
nat (inside,outside) source static real_inside map_inside destination static map_inside real_outside
Without NAT, the destination is reachable, but when I apply NAT I cannot reach the destination.
Below is the result of the packet capture on the ASAv:
ciscoasa#packet-tracer input inside icmp 192.168.1.200 0 0 44.44.44.44
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.14.4 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static real_inside map_inside destination static map_inside real_outside
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
ciscoasa# show xlate
2 in use, 11 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.200 to outside:192.168.1.240
flags sT idle 0:10:59 timeout 0:00:00
NAT from outside:44.44.44.44 to inside:192.168.1.240
flags sT idle 0:10:59 timeout 0:00:00
==============================
Below I paste the firewall configuration:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.13.1 255.255.255.0
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 10.10.14.1 255.255.255.0
!
object network real_inside
host 192.168.1.200
object network real_outside
host 44.44.44.44
object network map_inside
host 192.168.1.240
object network map_outside
host 10.10.14.40
access-list out extended permit ip any any
nat (inside,outside) source static real_inside map_inside destination static map_inside real_outside
access-group out in interface outside
router ospf 1
network 10.10.13.0 255.255.255.0 area 0
default-information originate
route outside 0.0.0.0 0.0.0.0 10.10.14.4 1
02-01-2020 01:43 PM
Hi,
You are communicating with 44.44.44.44; in your current configuration you have defined the original destination as map_inside (192.168.1.240). The original and translated destination should be the same.
nat (inside,outside) source static real_inside map_inside destination static real_outside real_outside
This will translate the source from 192.168.1.200 to 192.168.1.240 when the destination is 44.44.44.44.
HTH
02-01-2020 02:47 PM
Thanks, Dear.
Your solution works, but does this solution change the source and destination? And is this the same as Twice NAT?
One more question: in which scenario do we use a different destination address at the end of the script?
02-01-2020 02:56 PM
Your example only changes the source. A Twice NAT rule basically lets you identify the source and destination address in a NAT rule, which is what you've configured except you haven't changed the destination IP address.
One scenario when you would change the destination IP address could be if your client devices are configured to use Google DNS 8.8.8.8 but you want to redirect any traffic destined to 8.8.8.8 to another provider such as Cisco Umbrella (207.67.222.222). NAT rule example:
nat (inside,outside) source static real_inside map_inside destination static GoogleDNS UmbrellaDNS
02-01-2020 11:04 PM
Thank you so much, Dear RJI.
I tested it and it works perfectly. I am just posting the details of the topology; it might help somebody in future.
In this topology, if somebody wants to reach the Google DNS (8.8.8.8) from an inside host, the ASA will redirect the packets to the destination which we define and send the packets back to the web server (the web server doesn't know the IP address of the destination and only sets Google DNS as the destination).
Debug on router R4 on the outside (Loopback 44: 44.44.44.44)
Final NAT configuration:
Object network real_inside
Host 192.168.1.200
Object network map_inside
Host 192.168.1.240
object network googledns
host 8.8.8.8
object network ciscoum
host 44.44.44.44
nat (inside,outside) source static real_inside map_inside destination static googledns ciscoum
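As an added illustration (not code from this thread or from Cisco), here is a small Python model of how a `source static ... destination static ...` rule matches in both directions. It flattens the thread's network objects to host addresses and uses a deliberately simplified stand-in for the packet-tracer rpf-check phase, which is an assumption about that check's intent rather than a reimplementation of ASA internals: a packet that addresses a rule's real destination directly, when the rule says that destination is reached through a different mapped address, is dropped. Running it shows why the first rule dropped the ping to 44.44.44.44, why the identity destination (`real_outside real_outside`) fixes it, and what the web server sees on the reply of the 8.8.8.8 redirect.

```python
"""Toy model of ASA twice-NAT rule matching (added example, not ASA code).

A rule
  nat (inside,outside) source static REAL_SRC MAPPED_SRC destination static MAPPED_DST REAL_DST
is modelled as a bidirectional static translation. The rpf-check stand-in
below is a simplification (assumption): a flow that bypasses a destination
translation the rule says should apply is treated as inconsistent and dropped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNatRule:
    """Objects from the thread are flattened to their host addresses."""
    real_src: str     # address the inside host really has
    mapped_src: str   # address the outside peer sees it as
    mapped_dst: str   # address the inside host sends to
    real_dst: str     # address the ASA actually forwards to

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """inside -> outside: real source AND mapped destination must both match."""
        if pkt.src == self.real_src and pkt.dst == self.mapped_dst:
            return Packet(self.mapped_src, self.real_dst)
        return None

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """outside -> inside: the return flow of the same static rule."""
        if pkt.src == self.real_dst and pkt.dst == self.mapped_src:
            return Packet(self.mapped_dst, self.real_src)
        return None


def translate_inside_to_outside(rules: List[TwiceNatRule],
                                pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """First matching rule wins (twice NAT rules are evaluated in order).

    Returns (verdict, packet) with verdict in {"nat", "drop", "no-nat"}.
    """
    for rule in rules:
        out = rule.forward(pkt)
        if out is not None:
            return "nat", out
    # Simplified rpf-check (assumption): the host addressed a real destination
    # directly although a rule says it must be reached via a mapped address.
    for rule in rules:
        if pkt.dst == rule.real_dst and rule.mapped_dst != rule.real_dst:
            return "drop", None
    return "no-nat", pkt


# Addresses taken from the thread's configuration
REAL_INSIDE, MAP_INSIDE = "192.168.1.200", "192.168.1.240"
REAL_OUTSIDE = "44.44.44.44"
GOOGLE_DNS = "8.8.8.8"

# 1. Original rule: ... destination static map_inside real_outside
ORIGINAL = TwiceNatRule(REAL_INSIDE, MAP_INSIDE, MAP_INSIDE, REAL_OUTSIDE)
# 2. Corrected rule: ... destination static real_outside real_outside (identity)
CORRECTED = TwiceNatRule(REAL_INSIDE, MAP_INSIDE, REAL_OUTSIDE, REAL_OUTSIDE)
# 3. Redirect rule: ... destination static googledns ciscoum
REDIRECT = TwiceNatRule(REAL_INSIDE, MAP_INSIDE, GOOGLE_DNS, REAL_OUTSIDE)


def demo() -> dict:
    """Run the three rules against the flows discussed in the thread."""
    ping = Packet(REAL_INSIDE, REAL_OUTSIDE)   # constructed: the failing ping
    dns = Packet(REAL_INSIDE, GOOGLE_DNS)      # constructed: web server -> 8.8.8.8
    return {
        "original": translate_inside_to_outside([ORIGINAL], ping),
        "corrected": translate_inside_to_outside([CORRECTED], ping),
        "redirect": translate_inside_to_outside([REDIRECT], dns),
        # Reply to the redirected flow arrives from the real peer, addressed
        # to the mapped source; the web server sees it as coming from 8.8.8.8.
        "redirect_reply": REDIRECT.reverse(Packet(REAL_OUTSIDE, MAP_INSIDE)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the original rule, the only inside-to-outside packet that would have matched is one sent to 192.168.1.240 (`ORIGINAL.forward(Packet("192.168.1.200", "192.168.1.240"))`), which is why a ping aimed straight at 44.44.44.44 never gets its source translated and falls into the reverse-path drop instead.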
02-02-2020 07:52 PM
Dear RJI,
One more question comes to my mind regarding real-world design: how should we choose this IP address for map_inside in a real-world network, since in this topology I have a default route as the return route to the firewall? Do we need to choose this IP in the private range of our organization? I would appreciate it if you could clear this up for me.
Object network map_inside
Host 192.168.1.240
02-03-2020 01:12 AM
Hi,
The NAT IP address you use needs to be routable from the destination, so if the firewall is connected to the internet you would need to NAT to a public IP address. If the firewall is located on a private WAN and the destination device can route to a private IP address then that will obviously work.
HTH