Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
448
Views
5
Helpful
4
Replies

CPT 6.1.1 ASA5505 NAT from a subnet different from the connected interface

gustindav
Level 1
Level 1

‎08-25-2016 03:24 PM - edited ‎03-05-2019 04:34 AM

Hello,

As part as an exercice I'm doing by myself, I'm trying to figure out if it possible for a ASA5505 in Cisco Packet Tracer to NAT trafic coming from a different subnet than the interface it is received on.

My host is configured with the address 192.168.4.1/26 and goes through a router (1841). The router is its gateway with the address 192.168.4.62. I'm trying to ping the IP 87.91.134.22 that I've set on a Laptop in the Outside VLAN of my ASA5505. The 1841 is connected to the ASA using the address 172.16.0.1/30 in the inside VLAN (int vlan inside has 172.16.0.2/30).

If I configure an object network for the inside like so :

object network inside-subnet
subnet 192.168.4.0 255.255.255.192
nat (inside,outside) dynamic interface

My packet isn't translated. 87.91.134.22 receives the packet with a 192.168.4.1 as the source IP.

It is because the interface connected to the ASA doesn't match the subnet ?

If I configure an object network for my dmz, which uses a 172.16.1.1/29 network (server has .1 and ASA's vlan dmz int has .6), like so :

object network dmz-subnet
subnet 172.16.1.0 255.255.255.248
nat (dmz,outside) dynamic interface

I can see using the simulation mode that my packet is translated just fine. I even get the ping back when using an ACL permitting any icmp trafic on the outside interface.

My end goal is to have a bunch of VLANs (all being 192.168.x.x/26 subnets) going through the router, being routed to the ASA (using a 172.16.0.0/30 subnet) and then translated to the Laptop representing my Internet access.

What do I miss ? What did I do wrong ? What can I do to make it work ? Is it even possible ?

Any help would be much appreciated.

Thank you,

David

Labels:
Preview file
5 KB
nat_trouble_pkt.zip
Preview file
2 KB
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎08-25-2016 10:43 PM

The NAT should work. If the outside laptop sees the internal IP I would think that it is related to packet-tracer.

What your config is missing: You need a route on the ASA for the internal network pointing to your router:

route inside 192.168.4.0 255.255.255.192 172.16.0.1

And for the ICMP return-traffic, it's better to enable ICMP-inspection in MPF instead of allowing it in the ACL.

gustindav
Level 1
Level 1
In response to Karsten Iwen

‎08-25-2016 10:56 PM

Hello Karsten, 

Thank you for your answer. I've thought about setting a route for the inside but since my packet wasn't translated it felt like cheating and avoiding the real issue.

I guess it might be a CPT limitation.

Follow up question : if my vlans are all 192.168.x.x/26, can I use 192.168.0.0 255.255.0.0 in my network object?

Again, thank you for taking the time to answer me,

David 

0 Helpful

gustindav
Level 1
Level 1
In response to gustindav

‎08-25-2016 11:01 PM

I mean "could I, in a situation where my packers were translated?"

0 Helpful

Karsten Iwen
VIP
VIP
In response to gustindav

‎08-26-2016 12:39 AM

For sure! If you can, then summarize all your internal networks to have less routes in your config.

0 Helpful
Customers Also Viewed These Support Documents