02-13-2014 07:57 PM - edited 03-11-2019 08:45 PM
Hi
I have an ASA5520 that was the core firewall for inside and outside, default gateway, etc.
My internal addresses are 192.168.0.0/16, broken into /24s.
My public internet address is 1.2.3.0/24.
I have quite a few network object NATs:
object network www
host 192.168.10.20
nat (dmzrp,any) static 1.2.3.9 service tcp 10001 https
So dmzrp is where I have my reverse proxies.
I also have this at the top of the list:
nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp
object network inside-net
subnet 192.168.0.0 255.255.0.0
Now I am in the process of moving to another router for my core routing, so a lot of VLAN IP networks are moving off the ASA5520.
I have an interface called MAN that connects to a shared network where I run OSPF; I have my new router connected here.
So when I try to connect to the www address, about 192.168.20.10 -> 1.2.3.9:443, the forward packet gets to 192.168.10.20, but the source address is 192.168.20.10, which routes back to the original server without going via the ASA5520 to un-NAT it, so it fails.
So I presume I need to twice NAT?
I was going to do something like:
object network in_nat_src
host 1.2.3.13
object-group network public-network
network-object 1.2.3.0 255.255.255.0
nat (internet,man) source dynamic inside-net in_nat_src destination static public-network public-network no-proxy-arp
nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp
I don't really have an ASA to test on. But my presumption is that this will set my src address and then the object network NAT will work, so from my reading that NAT is stage 1 and object network NAT is stage 2.
02-14-2014 05:46 PM
Nope.
Found this:
Order of NAT Rules.
–Network object NAT—Automatically ordered in the NAT table.
–Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
I have a network object NAT rule:
object network dev.yieldbroker.com
host 192.168.21.21
nat (dmzrp,any) static 1.2.3.129 service tcp 10001 https
What I want is: anyone that comes from interface man and goes to 1.2.3.129 needs to be src NATted, then I want the above rule to kick in.
Not sure how I am going to do this.
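One way to get the source translated before the reverse proxy sees the packet, as an added example that is not the poster's configuration and has not been verified on an ASA: a single twice NAT rule in section 1 that PATs the man-side sources behind the dmzrp interface address and translates the destination 1.2.3.129:443 to 192.168.21.21:10001 in the same rule, so the existing identity rule and the object NAT rule are never reached for this flow. The object names dev-public, dev-public-svc and dev-real-svc are assumed, and the operand order of the service keyword (mapped-destination service first, real-destination service second, mirroring the mapped-then-real order of the destination objects) is an assumption about the twice NAT syntax that should be checked with show nat before relying on it.

```cisco
! Added example, not the poster's config. Reuses the poster's objects
! inside-net and dev.yieldbroker.com and interfaces man and dmzrp.
! Names ending in -public / -svc are made up for this example.

object network dev-public
 host 1.2.3.129

object service dev-public-svc
 service tcp destination eq https
object service dev-real-svc
 service tcp destination eq 10001

! Twice NAT at position 1 of section 1, so it is evaluated before the
! automatic network object NAT rule (section 2) and before the
! inside-net identity rule. Source: dynamic PAT behind the dmzrp
! interface address, which forces the server's reply back through the
! ASA instead of straight to the new router. Destination: 1.2.3.129:443
! (mapped) -> 192.168.21.21:10001 (real). Destination objects and
! service objects are written mapped-then-real (assumed, see lead-in).
nat (man,dmzrp) 1 source dynamic inside-net interface destination static dev-public dev.yieldbroker.com service dev-public-svc dev-real-svc

! Checks: confirm the rule landed in section 1 ahead of the identity
! rule, then trace a constructed client flow from the man side.
! show nat detail
! packet-tracer input man tcp 192.168.20.10 40000 1.2.3.129 443 detailed
```

Because the source is now PATed, the reverse proxy logs and any client-IP based ACL on it will see the dmzrp interface address instead of 192.168.20.10; if you need to keep the real client identifiable in logs, PAT to a dedicated mapped address from a known range instead of the interface address.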