10-30-2015 11:24 AM - edited 03-05-2019 06:59 AM
Hi,
Please, I have an ASA 5545 with 9.2(3) OS; I need to NAT some traffic to some servers in my LAN.
I have two DMZs (Untrust and DMZ_MPLS) from which users will access the servers (Inside zone).
I did NAT for the inside server (172.16.1.11 (inside)) via a public IP (196.25.199.38 (Untrust)) on some ports (http and so on). But ASDM refused to do another NAT; I get an error that the IP overlaps with another NAT.
This is what I want to do:
inside IP      Public IP / MPLS IP   services
172.16.1.11    196.25.199.38         http, https
172.16.1.12    196.25.199.38         FTP, TFTP
172.16.1.11    10.81.10.82           http, https
172.16.1.12    10.81.10.82           FTP, TFTP
Please, can you help me?
10-30-2015 01:16 PM
Hi
If you share your config it would be much easier.
11-02-2015 06:22 AM
OK, this is the config I did:
object network Host_ext_SAP_web
host 196.25.199.38
object network Host_Serveur_web
host 172.16.1.11
nat (Inside,Untrust) static Host_ext_SAP_web
object-group service WEB_SERVICE
service-object tcp destination eq www
service-object tcp destination eq https
access-list WEB_access_IN extended permit object-group WEB_SERVICE any4 object Host_Serveur_web
access-group WEB_access_IN in interface Untrust
Host_Serveur_web = 172.16.1.11
Host_ext_SAP_web = 196.25.199.38
I cannot add another one!
11-02-2015 06:45 AM
Hello,
What is the purpose of translation of one IP address to two different IP addresses?
Do you have two external links? If so, you need to implement policy NAT.
11-02-2015 06:58 AM
Hi,
Massoud, yes, I want users from the MPLS link who don't have access to the Internet to be able to access the application, and other users outside the MPLS network to access it via the Internet.
11-02-2015 07:46 AM
I do not have an ASA right now to test the commands.
1- Try to set two separate objects for 196.25.199.38 and 10.81.10.82.
2- Try to set two different objects for the destinations:
   1- all destinations (Internet: any except your servers)
   2- your servers (only some servers)
and configure two access-lists with the same source and different destinations (the objects you defined for the destinations).
Then apply each access-list to a separate NAT.
You are receiving the error because you specified any destination, and the ASA cannot differentiate between the two NATs.
11-02-2015 11:37 AM
Hi Massoud,
The issue is with the inside object. I've tried, with the same error.
11-02-2015 12:14 PM
You need to use two different object names per inside server, i.e. the same server IP but two different objects.
The reason you are having the issue is that you are trying to use the same object name to NAT to two different IPs, i.e. the DMZ IP and the public IP, on the same ports.
Jon
11-02-2015 03:10 PM
Hello,
I tried to implement your configuration.
// Vlan1 faces the servers. There are two routes toward the servers via 1.1.1.2.
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 196.25.199.38 255.255.255.0
interface Vlan3
nameif DMZ_MPLS
security-level 0
ip address 10.81.10.82 255.255.255.0
route inside 172.16.1.11 255.255.255.255 1.1.1.2 1
route inside 172.16.1.12 255.255.255.255 1.1.1.2 1
// All traffic is permitted from outside and DMZ_MPLS to inside. You can limit it.
access-list to-server-permission extended permit tcp any any
access-list to-server-permission extended permit icmp any any
access-group to-server-permission in interface outside
access-group to-server-permission in interface DMZ_MPLS
// I created two objects for each server, one per interface pair.
// Object NAT allows only one nat statement per object, and "service tcp real_port mapped_port"
// takes a single port pair, so http and https each need their own object.
object network server1
host 172.16.1.11
nat (inside,outside) static 196.25.199.38 service tcp http http
object network server1-https
host 172.16.1.11
nat (inside,outside) static 196.25.199.38 service tcp https https
object network server2
host 172.16.1.12
nat (inside,outside) static 196.25.199.38 service tcp ftp ftp
object network server3
host 172.16.1.11
nat (inside,DMZ_MPLS) static 10.81.10.82 service tcp http http
object network server3-https
host 172.16.1.11
nat (inside,DMZ_MPLS) static 10.81.10.82 service tcp https https
object network server4
host 172.16.1.12
nat (inside,DMZ_MPLS) static 10.81.10.82 service tcp ftp ftp
Are you able to set two NAT commands under one network object?
Something like this:
object network server1
host 172.16.1.11
nat (inside,outside) static 196.25.199.38 service tcp http http
nat (inside,DMZ_MPLS) static 10.81.10.82 service tcp http http
11-03-2015 05:54 AM
Hi,
Thanks, I will try the config and let you know!
Cdly
11-02-2015 09:01 AM
I am not able to find documentation about policy NAT.
PS: I am on version 9.2.
11-02-2015 09:45 AM
Please check the links below to get some idea.
http://www.tech21century.com/policy-nat-on-cisco-asa-firewall/
http://www.astorinonetworks.com/2012/02/03/configuring-natpat-on-the-asa/
11-02-2015 09:57 AM
object network Host_Serveur_web
nat (Inside,Untrust) static Host_ext_SAP_web
Only these commands are doing the actual NAT for you. The other commands are just access-lists for allowing traffic.
You need to add an access-list to specify your destination:
nat (Inside,Untrust) static Host_ext_SAP_web access-list ( Host_ext_SAP_web to internet)
nat (Inside,Untrust) static Host_ext_SAP_web access-list(Host_ext_SAP_web to servers)
and then you need to allow traffic with another access-list.
I suppose your two external links are both connected to Untrust. Right?
11-02-2015 06:56 AM
Run this packet tracer and post the result:
packet-tracer input Untrust tcp 8.8.8.8 456 196.25.199.38 80
The reason why you can't add another one is that you are doing a plain static NAT statement; you need to perform port forwarding to reuse the same public IP address.
Example:
object service tcp-eq-80
service tcp source eq 80
object service tcp-eq-443
service tcp source eq 443
nat (Inside,Untrust) source static Host_Serveur_web Host_ext_SAP_web service tcp-eq-80 tcp-eq-80
nat (Inside,Untrust) source static Host_Serveur_web Host_ext_SAP_web service tcp-eq-443 tcp-eq-443
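A complete twice-NAT (manual NAT) configuration for the table in the first post, added here as a worked example; it is not taken from any reply above. It keeps the interface and object names from the thread, while Host_Serveur_ftp, Host_mpls_SAP, tcp-eq-21, udp-eq-69, FTP_SERVICE, MPLS_access_IN and the test source 10.81.10.5 are names and values constructed for this example. Because a network object accepts only one object-NAT statement, every per-port rule is written as twice NAT, which is also what lets two servers share one mapped address.

```cisco
! Service objects: in twice NAT the "source" port is the real server's own port
object service tcp-eq-80
 service tcp source eq 80
object service tcp-eq-443
 service tcp source eq 443
object service tcp-eq-21
 service tcp source eq 21
object service udp-eq-69
 service udp source eq 69
object network Host_Serveur_web
 host 172.16.1.11
object network Host_Serveur_ftp
 host 172.16.1.12
object network Host_ext_SAP_web
 host 196.25.199.38
object network Host_mpls_SAP
 host 10.81.10.82
! Untrust: both servers share 196.25.199.38, split by port (one rule per port pair)
! If 196.25.199.38 is the Untrust interface address itself, use the keyword "interface" in place of Host_ext_SAP_web
nat (Inside,Untrust) source static Host_Serveur_web Host_ext_SAP_web service tcp-eq-80 tcp-eq-80
nat (Inside,Untrust) source static Host_Serveur_web Host_ext_SAP_web service tcp-eq-443 tcp-eq-443
nat (Inside,Untrust) source static Host_Serveur_ftp Host_ext_SAP_web service tcp-eq-21 tcp-eq-21
nat (Inside,Untrust) source static Host_Serveur_ftp Host_ext_SAP_web service udp-eq-69 udp-eq-69
! DMZ_MPLS: same real servers behind a second mapped address; no overlap error because the interface pair differs
nat (Inside,DMZ_MPLS) source static Host_Serveur_web Host_mpls_SAP service tcp-eq-80 tcp-eq-80
nat (Inside,DMZ_MPLS) source static Host_Serveur_web Host_mpls_SAP service tcp-eq-443 tcp-eq-443
nat (Inside,DMZ_MPLS) source static Host_Serveur_ftp Host_mpls_SAP service tcp-eq-21 tcp-eq-21
nat (Inside,DMZ_MPLS) source static Host_Serveur_ftp Host_mpls_SAP service udp-eq-69 udp-eq-69
! FTP data channels and TFTP transfers rely on inspect ftp / inspect tftp, which the default global_policy already applies
! Inbound ACLs (8.3+ semantics) reference the real, untranslated server addresses and only the forwarded ports
object-group service WEB_SERVICE
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service FTP_SERVICE
 service-object tcp destination eq ftp
 service-object udp destination eq tftp
access-list WEB_access_IN extended permit object-group WEB_SERVICE any4 object Host_Serveur_web
access-list WEB_access_IN extended permit object-group FTP_SERVICE any4 object Host_Serveur_ftp
access-group WEB_access_IN in interface Untrust
access-list MPLS_access_IN extended permit object-group WEB_SERVICE any4 object Host_Serveur_web
access-list MPLS_access_IN extended permit object-group FTP_SERVICE any4 object Host_Serveur_ftp
access-group MPLS_access_IN in interface DMZ_MPLS
! Verify one flow per path; the output names the NAT rule and ACE that matched, or the drop reason
packet-tracer input Untrust tcp 8.8.8.8 456 196.25.199.38 80
packet-tracer input Untrust tcp 8.8.8.8 456 196.25.199.38 21
packet-tracer input DMZ_MPLS tcp 10.81.10.5 456 10.81.10.82 443
packet-tracer input DMZ_MPLS udp 10.81.10.5 456 10.81.10.82 69
```

Any port not listed in a service object is simply not translated, so a packet-tracer run against 196.25.199.38 on another port should end in a drop rather than reach either server.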