12-02-2017 01:38 AM - edited 03-05-2019 09:34 AM
Hello Experts,
I'm stuck with tonight's task.
I have a topology like this:
                                           (.2)          (.3)
                                          SERVER2       SERVER3
                                             |             |
                                             |  1.1.1.0/8  |
                                             V             V
                                        ---S--W---I---T--C--H---
                                                    |
                                                    | (DMZ)
   10.11.10.0/27                192.168.1.0/24      V 1.1.1.1/8  123.1.1.0/24
Server1 ----------> ASA1 (9.7) ---------------> ASA2 (9.7) ---------------> Internet
  .1             .2            .2   (INSIDE) .1            .1
So how can I NAT my server to the internet? Thank you so much.
12-02-2017 05:02 AM
On ASA2 you do the NAT for the real IP:
object network SERVER
 host 10.11.10.1
 nat (inside,outside) static X.X.X.X
And you need a route to the inside subnet:
route inside 10.11.10.0 255.255.255.224 192.168.1.2
12-02-2017 09:27 AM
Hello Karsten,
Thank you so much for your quick response!
I tried to apply your suggestion but it did not work. That is my mistake, because I did not give you the full topology first.
Actually my ASA2 already does NAT for the DMZ, which includes 2 servers (Server2 & Server3), and they can access the internet. So at the moment my desire is that all 3 servers (Server1, Server2 and Server3) CAN access the internet. Thank you so much, again.
My code for NATting Server2 and Server3:
object network SERVER2
 host 1.1.1.2
 nat (dmz,outside) static 123.1.1.2
object network SERVER3
 host 1.1.1.3
 nat (dmz,outside) static 123.1.1.3
12-02-2017 10:41 AM - edited 12-02-2017 10:44 AM
I've just updated the new topology above. Please kindly help urgently. Thanks all!
12-02-2017 12:53 PM
If it's urgent, call Cisco TAC. This is community support which is done by volunteers in their spare time ...
Back to your scenario: The NAT for the third server should work the same way as with the two devices in the DMZ. You have to make sure that the correct interface is used and the left ASA should not do any NAT on this traffic and also has to allow this traffic.
12-02-2017 06:58 PM - edited 12-02-2017 09:23 PM
Hello Karsten,
Oh, thank you Karsten! I've just called TAC; it seems to be a good channel and I will try it some day :)
At that time my English was not good enough to describe the issue that I'm getting.
Back to my issue:
My ASA2 has port 1/1 going to the internet,
port 1/2 connecting to the left,
port 1/3 connecting to the switch.
From ASA2 I can ping all servers, and I tried to use the same way that I did with SERVER2 and SERVER3 for SERVER1, but it still does not work.
(Working)
object network Server2
 host 1.1.1.2
 nat (dmz,outside) static 123.1.1.2
object network Server3
 host 1.1.1.3
 nat (dmz,outside) static 123.1.1.3
(Not working)
object network Server1
 host 10.11.10.1
 nat (inside,outside) static 123.1.1.1
Please help me clarify what is wrong here.
12-03-2017 01:47 AM - edited 12-03-2017 01:56 AM
If you can ping Server1 from ASA2 then the routing is in place. You need to find out if ASA2 or ASA1 is blocking the traffic. For that do a packet-tracer on ASA2:
packet-tracer input outside tcp 1.2.3.4 1234 123.1.1.1 443
I assumed the server should be reachable through HTTPS; change the port to whatever you need. In the output you should see not only that the traffic is allowed, but also that its public IP gets untranslated to the private IP and that ASA2 sees the interface inside as the output interface.
Then repeat that on ASA1, but this time use the private IP destination:
packet-tracer input outside tcp 1.2.3.4 1234 10.11.10.1 443
Again, it should be allowed, no NAT should be done and the traffic should have an output interface of inside.
PAT is nothing that would help here.
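Putting the two replies above together, here is an added example (not from the thread) of the complete command set on both ASAs for Server1, followed by the packet-tracer checks and what a correct run shows. Assumed: ASA1's outside is 192.168.1.2 and ASA2's inside is 192.168.1.1 (as in the route given earlier), the ACL name OUTSIDE_IN is invented, and ASA1 currently has a dynamic PAT rule for its inside subnet, which the identity NAT below overrides.

```cisco
! ==== ASA2 (right ASA, owns 123.1.1.0/24) ====
! Same pattern as Server2/Server3, but through the inside interface.
! Placeholder 123.1.1.4: a one-to-one static NAT may not reuse ASA2's own
! outside address, so if 123.1.1.1 is that address pick a free one.
object network SERVER1
 host 10.11.10.1
 nat (inside,outside) static 123.1.1.4
!
! 10.11.10.0/27 sits behind ASA1 (assumed ASA1 outside = 192.168.1.2).
route inside 10.11.10.0 255.255.255.224 192.168.1.2
!
! Only needed for inbound access from the Internet. On ASA 8.3+ the ACL
! matches the real (untranslated) address, so reference the object.
access-list OUTSIDE_IN extended permit tcp any object SERVER1 eq 443
access-group OUTSIDE_IN in interface outside
!
! ==== ASA1 (left ASA) ====
! Default route towards ASA2 (assumed ASA2 inside = 192.168.1.1).
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Identity NAT: keep 10.11.10.0/27 untranslated across ASA1. Twice NAT is
! evaluated before object NAT, so it beats an existing dynamic PAT rule.
object network INSIDE_NET
 subnet 10.11.10.0 255.255.255.224
nat (inside,outside) source static INSIDE_NET INSIDE_NET
!
! ASA1 must also let the inbound sessions through to the real IP.
object network SERVER1
 host 10.11.10.1
access-list OUTSIDE_IN extended permit tcp any object SERVER1 eq 443
access-group OUTSIDE_IN in interface outside
!
! ==== Checks (from the reply above) and what a good run looks like ====
! ASA2# packet-tracer input outside tcp 1.2.3.4 1234 123.1.1.4 443
!   NAT phase: untranslate 123.1.1.4 -> 10.11.10.1, output-interface: inside, Action: allow
! ASA1# packet-tracer input outside tcp 1.2.3.4 1234 10.11.10.1 443
!   no NAT phase, output-interface: inside, Action: allow
```

If either trace ends with Action: drop, the Drop-reason line names the phase (ACL, NAT or route lookup) that needs fixing on that ASA.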
12-13-2017 12:09 AM
Hello Karsten Iwen,
I'm sorry for my late response. I've just got back from the hospital and have a new issue with an ASA 5508 that is more rushed than the issue we're dealing with here.
I promise I will come back to this issue after the new rush issue is resolved.
I posted my new issue here, please kindly help. Thank you so so much!
12-02-2017 09:24 PM - edited 12-02-2017 09:25 PM
Do you think I should use PAT for that case?
Thanks.