Goal: send traffic from inside (higher security level) to outside (lower security level) while applying destination NAT (D-NAT) and source NAT to the same packet.
This worked fine in 8.2, but in 8.3 it cannot be done with Auto NAT, so we have to configure Twice NAT for it.
In this example we send traffic from the inside host 10.76.212.191 to 192.168.17.19. The ASA D-NATs the destination to 192.168.19.19 on the outside interface and PATs the source to the outside interface IP address, i.e. 192.168.19.18.
192.168.17.x network in this case doesn't exist anywhere in my network.
ASA-4GE-SSM(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/1 inside 192.168.16.18 255.255.255.0 CONFIG
Ethernet0/2 puneet-test 192.168.19.18 255.255.255.0 CONFIG
ASA-4GE-SSM(config)# sh nameif
Interface Name Security
Ethernet0/1 inside 100
Ethernet0/2 puneet-test 50
ASA-4GE-SSM(config)# show run route
route puneet-test 0.0.0.0 0.0.0.0 192.168.19.20
route inside 10.x.x.0 255.255.255.0 192.168.16.x
We configured this single Twice NAT statement:
nat (inside,puneet-test) source dynamic any interface destination static d-nat real-ip
object network d-nat
host 192.168.17.19
object network real-ip
host 192.168.19.19
Here the objective is that when the inside host sends to the destination IP address 192.168.17.19, the ASA D-NATs it and forwards the packet to 192.168.19.19.
This is what we see in the debugs:
ICMP echo request from inside:10.76.212.191 to puneet-test:192.168.17.19 ID=1 seq=22 len=32
ICMP echo request translating inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 <--- Src NAT Happening Here
ICMP echo request untranslating inside:192.168.17.19 to puneet-test:192.168.19.19 <--- Dst NAT Happening Here
ICMP echo reply from puneet-test:192.168.19.19 to inside:192.168.19.18 ID=53085 seq=22 len=32
ICMP echo reply translating puneet-test:192.168.19.19 to inside:192.168.17.19
ICMP echo reply untranslating puneet-test:192.168.19.18/53085 to inside:10.76.212.191/1
Packets captured on the inside and puneet-test interfaces of the ASA:
ASA-4GE-SSM(config)# sh cap capi
2 packets captured
1: 07:49:42.216297 10.76.212.191 > 192.168.17.19: icmp: echo request
2: 07:49:42.217609 192.168.17.19 > 10.76.212.191: icmp: echo reply
2 packets shown
ASA-4GE-SSM(config)# sh cap capo
2 packets captured
1: 07:49:42.216617 192.168.19.18 > 192.168.19.19: icmp: echo request
2: 07:49:42.217533 192.168.19.19 > 192.168.19.18: icmp: echo reply
2 packets shown
Xlate Table
ASA-4GE-SSM(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from puneet-test:192.168.19.19 to inside:192.168.17.19
flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 flags ri idle 0:00:02 timeout 0:00:30
Syslogs from the ASA for TCP traffic
ASA-4GE-SSM(config)# sh log | in 10.76.212.191
%ASA-6-305011: Built dynamic TCP translation from inside:10.76.212.191/52656 to puneet-test:192.168.19.18/45538
%ASA-6-302013: Built outbound TCP connection 10400 for puneet-test:192.168.19.19/22 (192.168.17.19/22) to inside:10.76.212.191/52656 (192.168.19.18/45538)
Syslogs from the ASA for ICMP traffic
ASA-4GE-SSM(config)# sh log | in 10.76.212.191
%ASA-6-305011: Built dynamic ICMP translation from inside:10.76.212.191/1 to puneet-test:192.168.19.18/54707
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.19.19/0 gaddr 192.168.19.18/53085 laddr 10.76.212.191/1
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.19.19/0 gaddr 192.168.19.18/53085 laddr 10.76.212.191/1
%ASA-6-305012: Teardown dynamic ICMP translation from inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 duration 0:00:30
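As an added example (not part of the original post and not Cisco code), the following Python models the single Twice NAT statement above as a pair of translations, reproduces the forward and reply packet walk shown in the ICMP debugs, and then checks that the 305011/302013/302020 syslog lines quoted above are exactly what that rule predicts. Interface names, addresses and object names are the ones from this post; the one "unexplained" syslog line at the bottom is constructed for contrast, to show how the same check flags a connection that did not get the intended translation.

```python
"""Model of the post's Twice NAT statement and a checker for its syslogs.
Added example, not the post's or Cisco's code. Interface names, addresses
and object names are the ones configured in the post; the unexplained
syslog line at the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

INSIDE_IF = "inside"
OUTSIDE_IF = "puneet-test"
OUTSIDE_IF_IP = "192.168.19.18"  # "interface" in "source dynamic any interface"
DNAT_MAPPED = "192.168.17.19"    # object network d-nat: address the inside host targets
DNAT_REAL = "192.168.19.19"      # object network real-ip: the real server


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int   # ICMP ID for ICMP flows
    dst: str
    dport: int


def translate_outbound(flow: Flow, pat_port: int) -> Optional[Flow]:
    """Apply 'nat (inside,puneet-test) source dynamic any interface destination
    static d-nat real-ip' to a packet arriving on inside: only packets for the
    d-nat address match; the source is PAT'd to the outside interface IP (the
    ASA picks pat_port) and the destination is untranslated to real-ip."""
    if flow.dst != DNAT_MAPPED:
        return None
    return Flow(OUTSIDE_IF_IP, pat_port, DNAT_REAL, flow.dport)


def untranslate_reply(reply: Flow, original: Flow, mapped: Flow) -> Optional[Flow]:
    """Reverse the translation for a reply that matches the xlate built above."""
    if reply != Flow(mapped.dst, mapped.dport, mapped.src, mapped.sport):
        return None
    return Flow(original.dst, original.dport, original.src, original.sport)


def packet_walk(src: str, dst: str, ident: int, pat_port: int) -> Optional[dict]:
    """Reproduce the ICMP debug: forward translation, then reply untranslation."""
    original = Flow(src, ident, dst, 0)
    mapped = translate_outbound(original, pat_port)
    if mapped is None:
        return None
    reply = Flow(mapped.dst, mapped.dport, mapped.src, mapped.sport)
    return {"forward": mapped, "reply": untranslate_reply(reply, original, mapped)}


# Field order follows the three message IDs quoted in the post.
RE_305011 = re.compile(r"%ASA-6-305011: Built dynamic (\w+) translation from "
                       r"([\w-]+):([\d.]+)/(\d+) to ([\w-]+):([\d.]+)/(\d+)")
RE_302013 = re.compile(r"%ASA-6-302013: Built outbound TCP connection \d+ for "
                       r"([\w-]+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) to "
                       r"([\w-]+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
RE_302020 = re.compile(r"%ASA-6-302020: Built outbound ICMP connection for "
                       r"faddr ([\d.]+)/(\d+) gaddr ([\d.]+)/(\d+) laddr ([\d.]+)/(\d+)")


def explained_by_rule(line: str) -> Optional[bool]:
    """True if the syslog line is what the Twice NAT rule predicts, False if the
    ASA built something else, None for message types not parsed here."""
    m = RE_305011.search(line)
    if m:
        _proto, rif, _real, _rport, mif, mapped, _mport = m.groups()
        return rif == INSIDE_IF and mif == OUTSIDE_IF and mapped == OUTSIDE_IF_IP
    m = RE_302013.search(line)
    if m:
        (oif, o_real, o_rport, o_mapped, o_mport,
         iif, i_real, i_rport, i_mapped, i_mport) = m.groups()
        predicted = translate_outbound(
            Flow(i_real, int(i_rport), o_mapped, int(o_mport)), int(i_mport))
        return (oif == OUTSIDE_IF and iif == INSIDE_IF and
                predicted == Flow(i_mapped, int(i_mport), o_real, int(o_rport)))
    m = RE_302020.search(line)
    if m:
        faddr, _ftype, gaddr, gport, laddr, lport = m.groups()
        # 302020 does not show the mapped destination, so predict it from the rule.
        predicted = translate_outbound(Flow(laddr, int(lport), DNAT_MAPPED, 0), int(gport))
        return predicted is not None and (predicted.src, predicted.dst) == (gaddr, faddr)
    return None


# The three "Built" lines quoted in the post.
SYSLOG_FROM_POST = [
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.76.212.191/52656 "
    "to puneet-test:192.168.19.18/45538",
    "%ASA-6-302013: Built outbound TCP connection 10400 for puneet-test:192.168.19.19/22 "
    "(192.168.17.19/22) to inside:10.76.212.191/52656 (192.168.19.18/45538)",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.19.19/0 "
    "gaddr 192.168.19.18/53085 laddr 10.76.212.191/1",
]
# Constructed line: the inside host reached the real server with no translation
# at all, which is not what the rule above produces for this traffic.
CONSTRUCTED_UNEXPLAINED = ("%ASA-6-302013: Built outbound TCP connection 10401 for "
                           "puneet-test:192.168.19.19/22 (192.168.19.19/22) to "
                           "inside:10.76.212.191/52657 (10.76.212.191/52657)")

if __name__ == "__main__":
    print(packet_walk("10.76.212.191", "192.168.17.19", 1, 53085))
    print([explained_by_rule(l) for l in SYSLOG_FROM_POST + [CONSTRUCTED_UNEXPLAINED]])
```

Running it prints the mapped forward flow and the untranslated reply that match the four translation lines in the debug, then [True, True, True, False]: the post's three syslogs are fully explained by the one manual NAT rule, while the constructed line (real and mapped addresses identical on both sides) is flagged, which is the case to look for when checking that traffic actually hit the intended Twice NAT statement rather than passing untranslated.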
-Puneet