Static NAT Configuration Question

jeff6strings
Level 1

Our ASA firewall with SW version 8.2 has three active interfaces:  outside w/ security level 0, inside w/ security level 100 and local w/ security level 90. The server, IP 192.168.2.10, on the local interface needs to send print jobs to printers, IP addresses 172.20.4.30 and .31 located on the inside interface. The configuration below along with an access list on the local interface allows the server to print to the printers. I’m trying to get a grasp on the different NAT types and configurations and would appreciate a basic explanation of how this configuration works.

Thanks in advance.

Jeff

static (inside,local) 172.20.4.30 172.20.4.30

static (inside,local) 172.20.4.31 172.20.4.31

access-list printers_access permit tcp host 192.168.2.10 host 172.20.4.30 eq 9100

access-list printers_access permit tcp host 192.168.2.10 host 172.20.4.31 eq 9100

nat (local) 10 access-list printers_access

global (inside) 10 interface

Accepted Solution

Maykol Rojas
Cisco Employee

Hello Jeff,

Here is the grasp of it. Normally at all companies, they have a regular PAT to go out to the internet. That would be something like this:

nat (inside) 1 0 0

global (outside) 1 interface

That being said, with this particular line (nat (inside) 1 0 0) you are practically forcing everything to be natted, no matter where it goes.

In a particular case where you need to access the printers on the inside, there has to be a translation. Mainly because when the packet comes from local and gets to the inside, the reply packet will (again) try to find a translation given the command (nat (inside) 1 0 0).

To overcome this problem, self translation is created, just like the two lines you have here:

static (inside,local) 172.20.4.30 172.20.4.30

static (inside,local) 172.20.4.31 172.20.4.31

The static NATs take precedence over the regular NAT/PAT, so, when the reply packet comes in, instead of trying to match (nat (inside) 1 0 0), they will just hit the static (which translates them to themselves) and the communication flows fine.

Same thing with the ones on the DMZ interface; however, these ones are really particular. In case there is no default gateway configured on the printers, when a packet comes from the local interface, it will reach the printers with an IP of 192.168.2.10. In that case, the printers don't know how to return the packet (because they don't know the network and don't have a default gateway configured).

This is mainly why you will need to translate those "local" hosts to an IP that is free on the inside subnet. You know that the inside interface IP is not used for anything else, so it is ok that you translate those addresses on the local subnet to the inside IP address of the firewall. With that configuration, packets will arrive at the printers with an IP address of a known host on the subnet, the printers reply to the inside IP address of the firewall, then the firewall untranslates the address to the host on the local interface and the communication will flow without issues.

Hope this makes it a bit clear.

PS: (Some of the stuff explained is assumed, just like the fact that the printers may not have a default gateway or will not respond to something that is not sitting on the same subnet.)

Mike
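A small added model (not the ASA's own code, not part of the original thread) of the 8.2 source-NAT lookup order Mike describes: statics are checked first, then the access-list policy NAT, then the regular nat/global pair. It assumes firewall interface addresses of 172.20.4.1 (inside), 192.168.2.1 (local) and 203.0.113.2 (outside), and it treats a regular `nat` match with no `global` on the egress interface as "no translation group found" (a drop); real xlate and connection handling is out of scope.

```python
# Simplified model of the ASA 8.2 NAT precedence discussed in the thread.
# Assumed (not the ASA's real implementation): statics -> policy NAT -> regular NAT,
# and a regular nat match with no matching global on the egress interface is a drop.
from ipaddress import ip_address, ip_network

# Assumed firewall interface addresses; only the thread's host addresses are real.
IFACE_IP = {"inside": "172.20.4.1", "local": "192.168.2.1", "outside": "203.0.113.2"}

# static (real_ifc,mapped_ifc) mapped real  -> the two identity statics from the thread
STATICS = [("inside", "local", "172.20.4.30", "172.20.4.30"),
           ("inside", "local", "172.20.4.31", "172.20.4.31")]
# nat (local) 10 access-list printers_access, modelled as (src, dst, dport) tuples
POLICY_NAT = [("local", 10, [("192.168.2.10", "172.20.4.30", 9100),
                             ("192.168.2.10", "172.20.4.31", 9100)])]
# nat (inside) 1 0 0  -> every source on inside
REGULAR_NAT = [("inside", 1, "0.0.0.0/0")]
# global (inside) 10 interface  /  global (outside) 1 interface
GLOBALS = {("inside", 10): "interface", ("outside", 1): "interface"}


def translate(src, dst, dport, ingress, egress, statics=STATICS):
    """Return the mapped source address, or None for 'no translation group found'."""
    # 1. Static rules (including identity statics) win over dynamic rules.
    for real_ifc, mapped_ifc, mapped, real in statics:
        if real_ifc == ingress and mapped_ifc == egress and src == real:
            return mapped
    # 2. Policy NAT: the access list selects the flow, the global with the same id maps it.
    for ifc, nat_id, acl in POLICY_NAT:
        if ifc == ingress and (src, dst, dport) in acl:
            pool = GLOBALS.get((egress, nat_id))
            return IFACE_IP[egress] if pool == "interface" else None
    # 3. Regular nat/global pair; "0 0" matches every source on that interface.
    for ifc, nat_id, net in REGULAR_NAT:
        if ifc == ingress and ip_address(src) in ip_network(net):
            pool = GLOBALS.get((egress, nat_id))
            return IFACE_IP[egress] if pool == "interface" else None
    return src  # no rule matched: forwarded untranslated (assumes nat-control is off)


if __name__ == "__main__":
    # Print job local -> inside: policy NAT hides the server behind the inside interface IP.
    print(translate("192.168.2.10", "172.20.4.30", 9100, "local", "inside"))
    # Printer reply inside -> local: the identity static matches first, address unchanged.
    print(translate("172.20.4.30", "172.20.4.1", 9100, "inside", "local"))
    # Same reply with the identity statics removed: nat (inside) 1 0 0 has no global on local.
    print(translate("172.20.4.30", "172.20.4.1", 9100, "inside", "local", statics=[]))
```

The third call is the case Mike's answer warns about: without the identity static the reply hits `nat (inside) 1 0 0`, finds no `global (local) 1`, and is dropped.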


2 Replies


Mike,

Thank you for the explanation as it helped a lot. My problem has been the understanding of static identity NAT:

static (inside,local) 172.20.4.30 172.20.4.30. I'm still a little fuzzy as to its use and when to use it. I'm also trying to get a grasp on when to use what NAT type, as I'm good with the basics of dynamic NAT and PAT as would be used for Internet access from an inside network.

Thanks,

Jeff
