Googday,

I have kinda issues with NAT as well. 

I am experiencing an issue which relates to twice NAT. 

2 environments are set up with same Subnet IDs. Now requirement is to let host in Environment A needs to talk to host in Environment B.

Real Source (x.x.x.x) and destinations (x.x.x.x) IP's are belong to Same Subnet and NAT already exist to translate destination's subnet IP's to other IP's (y.y.y.y) so they can talk to other networks.

Requirement :

Host 1.1.1.1/24 in Environment A needs to talk to node (1.1.1.20/24) in Environment B 

Environment B inside interface of ASA (image using 9.13) already translating 1.1.1.20/24 to 3.3.3.20/24 using static natentering from outside interface. 

If you have any solution to it let me know.


What I tried to do to achieve through this:

nat (Test_Env,Eng_Test) source dynamic obj_1.1.1.1 interface destination static obj_10.1.1.20 obj_1.1.1.20 service FTP FTP

No success yet. 

NB: Attached is the layout for better understanding if that helps.

Warm Regards,

Hello Br. Qutub,

"Host 1.1.1.1/24 in Environment A needs to talk to node (1.1.1.20/24) in Environment B"

You use a dynamic-nat subnet 1.1.1.0/24 to access host insde.

object-group network 1.1.1.0-24
 network-object 1.1.1.0 255.255.255.0

object-group network host-10.1.1.20
 network-object host 10.1.1.20

nat (outside,inside) source dynamic 1.1.1.0-24 interface destination static host-10.1.1.20 host-10.1.1.20

Salaam Bro Rizwan,

I have made similar kinda nat config as mentioned in my attached layout. Except the last bit, where you are using the same mapped destination instead of real destination (1.1.1.20) as prescribed in syntax. 

Could you please re-affirm. 

nat (outside,inside) source dynamic 1.1.1.0-24 interface destination static host-10.1.1.20 host-10.1.1.20

I found this statement on your diagram you have attached. "1.1.1.0/24 NAT static NAT for individual IP’s to 10.1.1.0/24"

If that is not what you like to accomplish that then you could use twice-nat, it becomes one-to-one mapping.  Lets says ip:  3.3.3.3 is map to 1.1.1.20 at environment B and so below twice should work to access if you configure it on ASA located at environment A.

object network virtual-destination
 host 3.3.3.3

object network host-at-envior-b
 host 1.1.1.20

object network PAT-4.4.4.4
 host 4.4.4.4
 

 
nat (Eng-live,Env-A-Live)  source dynamic any PAT-4.4.4.4 destination static virtual-destination host-at-envior-b

 I assume Eng-live = outside and Env-A-Live = inside as per your attached diagram.

hope that helps.

Thanks

Yes this statement is pretty much correct.

"1.1.1.0/24 NAT static NAT for individual IP’s to 10.1.1.0/24"

Usually Hosts from Env B talk to other subnets and areas. Which is covered through NAT (one-to one) like;

Env B:

ip 1.1.1.1 Nat to 10.1.1.1 

1.1.1.2 Nat to 10.1.1.2 and so on.

Interfaces on FW for Env B are;

Outside = Test_Env

Inside = Eng_Test

Env A:

Talk to other subnets and environments. But this request comes out to be unusual than normal which requires Env A IP's 1.1.1.1 - 3 needs to talk to 1.1.1.20 in env B.

NAT is happening only on Env B FW. I hope it gives more understanding of the requirement.

Have you tried the below?

object network virtual-destination
 host 3.3.3.3

object network host-at-envior-b
 host 1.1.1.20

object network PAT-4.4.4.4
 host 4.4.4.4
 
 
nat (Eng-live,Env-A-Live)  source dynamic any PAT-4.4.4.4 destination static virtual-destination host-at-envior-b

What you are asking me to do it use to Source Egress interface IP scheme (4.4.4.0/24) as source. Which I couldn't understand properly.

However, I did try as below, still getting same response on capturing the traffic.

nat (Test_Env,Eng_Test) source dynamic obj_1.1.1.1 interface destination static obj_10.10.0.20 obj_1.1.1.20 service FTP FTP

1: 10:57:39.436638       1.1.1.1.46694 > 1.1.1.20.21: S 2795187511:2795187511(0) win 14600 <mss 1380,sackOK,timestamp 3567444733 0,nop,wscale 7>

Test_Env is egress interface of Env B FW (5.5.5.0/24)

Eng_Test is Lan interface (destination subnet) (1.1.1.0/24)

Used below object for a new separate NAT statement:

obj_10.10.0.20

 host 10.10.0.20

Since FW of Env A has ACL for:

1.1.1.1 ==> 10.1.1.20 : FTP

Where as FW of Env B has ACL for;

1.1.1.1 ==> 1.1.1.20 : FTP

My understanding is that, actually source is hitting the destination (acl shows hits) but on return path it find itself in same subnet. Which doesn't allow it to get out of the box towards the source.

Normally the traffic from different environment when hit to FW of Env B have 10.1.1.x/24 as destination which eventually translated on Env B FW from 10.1.1.x to 1.1.1.x/24.

"What you are asking me to do it use to Source Egress interface IP scheme (4.4.4.0/24) as source. Which I couldn't understand properly."

Answer to your question is right below in your own post.

"is hitting the destination (acl shows hits) but on return path it find itself in same subnet."

 If you don't want that, then push host-routes with /32 mask to respective firewall individually.

Please give it a try, what I have suggested you.

thanks

Rizwan Rafeek.