10-14-2015 07:05 AM - edited 03-11-2019 11:44 PM
I have the following configured on an ASA FW (Version 9.1(6)):
nat (dmz-interface,outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0
OBJECT-GROUP is a group containing 3 hosts:
object-group network OBJECT-GROUP
network-object object 10.1.75.33
network-object object 10.1.75.34
network-object host 10.1.67.12
My understanding was that if there’s a many-to-one configuration then no inbound connection is permitted, as the address it should be translated to isn’t known. But...
This appears to be allowing inbound connectivity from outside to 10.10.10.20, translating to 10.1.75.33:
ASA-FW# show xlate | inc 10.10.10.20
NAT from dmz-interface:10.1.75.33, 10.1.75.34, 10.1.67.12 to outside:10.10.10.20
ASA-FW#
ASA-FW# show nat detail | inc 10.10.10.20
14 (dmz-interface) to (outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0
Source - Origin: 10.1.75.33/32, 10.1.75.34/32, 10.1.67.12/32, Translated: 10.10.10.20/32
ASA-FW#
ASA-FW# show conn | inc 10.1.75.33
TCP outside 172.16.1.1:51318 dmz-interface 10.1.75.33:5672, idle 0:01:24, bytes 912, flags UIOB
TCP outside 172.16.1.1:42717 dmz-interface 10.1.75.33:5672, idle 0:00:29, bytes 3528, flags UIOB
TCP outside 172.16.1.1:41029 dmz-interface 10.1.75.33:5672, idle 0:01:22, bytes 9472, flags UIOB
ASA-FW#
My question is – how is the internal host address determined when a group is used? Does it take the first in the list?
10-14-2015 10:37 AM
Hi,
In many-to-one mapping, all the internal hosts would be able to go outside with the mapped address but connection for them would not be able to go out. The lowest real IP address should be selected as the real address for the bidirectional one. (I am not quite sure why it has taken the object .33 instead of host .12. You could try replacing the keyword 'object' with 'real' under that object group.)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html#wp1107407
The above link explains the different mapping scenarios and how the real or mapped address is selected:
ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. These other mapping options, however, might result in unintended consequences. We recommend using only one-to-one or one-to-many mappings.
Regards,
Akshay Rastogi
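As an added example (not from the thread, Cisco's documentation or the ASA itself), a small Python audit that parses the object-group and the static NAT rule from the original post and flags rules whose real set is larger than the mapped set, the many-to-one case the answer warns about. The named objects 10.1.75.33 and 10.1.75.34 are assumed, and the "first listed member takes the bidirectional slot" rule is taken from what the thread observed (.33), not from documentation; the lowest real address is reported alongside so the two can be compared.

```python
import ipaddress
import re

# Constructed ASA config excerpt modelled on the thread. The object-group and the
# nat line follow the post; the two named objects for .33 and .34 are assumed.
SAMPLE_CONFIG = """\
object network Nat_10.10.10.20
 host 10.10.10.20
object network 10.1.75.33
 host 10.1.75.33
object network 10.1.75.34
 host 10.1.75.34
object-group network OBJECT-GROUP
 network-object object 10.1.75.33
 network-object object 10.1.75.34
 network-object host 10.1.67.12
nat (dmz-interface,outside) source static OBJECT-GROUP Nat_10.10.10.20 destination static COMPANY-A_172.16.1.0 COMPANY-A_172.16.1.0
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)")

def parse_objects(config):
    """Map each object / object-group name to its list of host addresses, in config order."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object(-group)? network (\S+)", line)
        if m:
            current = m.group(2)
            objects[current] = []
        elif current and line.startswith(" "):
            t = line.split()
            if t[0] == "host":                                   # object network ... / host X
                objects[current].append(t[1])
            elif t[0] == "network-object" and t[1] == "host":    # group member given as a host
                objects[current].append(t[2])
            elif t[0] == "network-object" and t[1] == "object":  # group member referencing a named object
                objects[current].extend(objects.get(t[2], []))
    return objects

def audit_static_nat(config):
    """Return one finding per static rule whose real address set is larger than its mapped set."""
    objects, findings = parse_objects(config), []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real = objects.get(m.group(3), [m.group(3)])
        mapped = objects.get(m.group(4), [m.group(4)])
        if len(real) > len(mapped):
            findings.append({
                "rule": line.strip(),
                "kind": "many-to-one" if len(mapped) == 1 else "many-to-few",
                "mapped": mapped,
                "inbound_real_host": real[0],   # assumption: first listed member, as seen in the thread
                "outbound_only": real[1:],      # remaining members translate outbound only
                "lowest_real": str(min(ipaddress.ip_address(a) for a in real)),
            })
    return findings
```

Running `audit_static_nat(SAMPLE_CONFIG)` reproduces the thread's situation: one many-to-one rule, with 10.1.75.33 (first listed) as the host reachable from outside even though 10.1.67.12 is the numerically lowest real address.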
10-15-2015 12:56 AM
Hi Akshay,
Thanks for the info, that seems to make sense. I think maybe it would be the lowest IP if the first connection was inbound outside -> dmz-interface. Perhaps the first connection to perform NAT on was from 10.1.75.33 and therefore it became the translated address, as your link states: "The first translation is always active so both translated and remote hosts can initiate connections, but the subsequent mappings are unidirectional to the real host."
If I had some equipment to test I would!
Regards,
Brian
10-15-2015 04:22 AM
Hi Brian,
That's correct.
Please mark the answer as correct if it helps.
Regards,
Akshay Rastogi