puseth

This example sends traffic from inside (higher security level) to outside (lower security level) using destination NAT and source NAT on the same packet.

This worked fine in ASA 8.2, but in 8.3 it cannot be done with Auto NAT, so Twice NAT has to be configured instead.

In this example we send traffic from inside host 10.76.212.191 to 192.168.17.19; the destination is NATed to 192.168.19.19 on the outside interface, and the source address is PATed to the outside interface IP address, i.e. 192.168.19.18.

The 192.168.17.x network does not exist anywhere in my network.

ASA-4GE-SSM(config)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/1              inside                 192.168.16.18   255.255.255.0   CONFIG
Ethernet0/2              puneet-test            192.168.19.18   255.255.255.0   CONFIG

ASA-4GE-SSM(config)# sh nameif
Interface                Name                      Security
Ethernet0/1              inside                    100
Ethernet0/2              puneet-test               50

ASA-4GE-SSM(config)# show run route
route puneet-test 0.0.0.0 0.0.0.0 192.168.19.20
route inside 10.x.x.0 255.255.255.0 192.168.16.x

We configured the following (the objects are defined first so the nat rule can reference them):

object network d-nat
 host 192.168.17.19
object network real-ip
 host 192.168.19.19

nat (inside,puneet-test) source dynamic any interface destination static d-nat real-ip

The objective is for the inside host to send to destination IP address 192.168.17.19; the ASA should destination-NAT it and forward the packet to 192.168.19.19.

This is what we see in the ICMP debugs:

ICMP echo request from inside:10.76.212.191 to puneet-test:192.168.17.19 ID=1 seq=22 len=32
ICMP echo request translating inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 <--- Src NAT happening here
ICMP echo request untranslating inside:192.168.17.19 to puneet-test:192.168.19.19 <--- Dst NAT happening here
ICMP echo reply from puneet-test:192.168.19.19 to inside:192.168.19.18 ID=53085 seq=22 len=32
ICMP echo reply translating puneet-test:192.168.19.19 to inside:192.168.17.19
ICMP echo reply untranslating puneet-test:192.168.19.18/53085 to inside:10.76.212.191/1

Packets captured on the inside and puneet-test interfaces of the ASA:

ASA-4GE-SSM(config)# sh cap capi
2 packets captured
   1: 07:49:42.216297 10.76.212.191 > 192.168.17.19: icmp: echo request
   2: 07:49:42.217609 192.168.17.19 > 10.76.212.191: icmp: echo reply
2 packets shown

ASA-4GE-SSM(config)# sh cap capo
2 packets captured
   1: 07:49:42.216617 192.168.19.18 > 192.168.19.19: icmp: echo request
   2: 07:49:42.217533 192.168.19.19 > 192.168.19.18: icmp: echo reply
2 packets shown

Xlate table:

ASA-4GE-SSM(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from puneet-test:192.168.19.19 to inside:192.168.17.19
    flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 flags ri idle 0:00:02 timeout 0:00:30

Syslogs from the ASA for TCP traffic:

ASA-4GE-SSM(config)# sh log | in 10.76.212.191
%ASA-6-305011: Built dynamic TCP translation from inside:10.76.212.191/52656 to puneet-test:192.168.19.18/45538
%ASA-6-302013: Built outbound TCP connection 10400 for puneet-test:192.168.19.19/22 (192.168.17.19/22) to inside:10.76.212.191/52656 (192.168.19.18/45538)

Syslogs from the ASA for ICMP traffic:

ASA-4GE-SSM(config)# sh log | in 10.76.212.191
%ASA-6-305011: Built dynamic ICMP translation from inside:10.76.212.191/1 to puneet-test:192.168.19.18/54707
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.19.19/0 gaddr 192.168.19.18/53085 laddr 10.76.212.191/1
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.19.19/0 gaddr 192.168.19.18/53085 laddr 10.76.212.191/1
%ASA-6-305012: Teardown dynamic ICMP translation from inside:10.76.212.191/1 to puneet-test:192.168.19.18/53085 duration 0:00:30
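As an added example (not from the original post or from Cisco), a small Python parser that reads the 302013 and 302020 connection syslogs above and reports which sides the ASA translated, so a log review can confirm the twice NAT rule rewrote both source and destination. The "interface:real (mapped)" field order follows the messages shown above; the sample lines are constructed from them.

```python
import re

# Constructed sample lines in the format of the %ASA-6-302013 / 302020 messages above.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 10400 for "
    "puneet-test:192.168.19.19/22 (192.168.17.19/22) to inside:10.76.212.191/52656 (192.168.19.18/45538)",
    "%ASA-6-302020: Built outbound ICMP connection for "
    "faddr 192.168.19.19/0 gaddr 192.168.19.18/53085 laddr 10.76.212.191/1",
]

# 302013 logs each side as "<if>:<real-ip>/<port> (<mapped-ip>/<port>)"; for an
# outbound connection the first side is the destination, the second the source.
_RE_302013 = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<fif>[\w-]+):(?P<fip>[\d.]+)/\d+ \((?P<fmap>[\d.]+)/\d+\) to "
    r"(?P<lif>[\w-]+):(?P<lip>[\d.]+)/\d+ \((?P<lmap>[\d.]+)/\d+\)"
)
# 302020 (ICMP) gives faddr (destination), gaddr (mapped source) and laddr (real
# source) only; the mapped destination is not in this message.
_RE_302020 = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<fip>[\d.]+)/\d+ gaddr (?P<gip>[\d.]+)/\d+ laddr (?P<lip>[\d.]+)/\d+"
)

def parse_conn(line):
    """Return real/mapped addresses for a 302013 or 302020 line, or None if unrecognised."""
    m = _RE_302013.match(line)
    if m:
        return {"proto": "tcp", "direction": m["dir"], "conn_id": int(m["id"]),
                "dst_real": m["fip"], "dst_mapped": m["fmap"],
                "src_real": m["lip"], "src_mapped": m["lmap"]}
    m = _RE_302020.match(line)
    if m:
        return {"proto": "icmp", "direction": m["dir"], "conn_id": None,
                "dst_real": m["fip"], "dst_mapped": None,
                "src_real": m["lip"], "src_mapped": m["gip"]}
    return None

def nat_summary(conn):
    """Classify which sides were translated: 'twice' means both changed, the signature
    of the rule above; destination is None when the message carries no mapped destination."""
    src = conn["src_real"] != conn["src_mapped"]
    dst = None if conn["dst_mapped"] is None else conn["dst_real"] != conn["dst_mapped"]
    kind = "twice" if src and dst else "source" if src else "destination" if dst else "none"
    return {"source_translated": src, "destination_translated": dst, "kind": kind}

def audit(lines):
    """(proto, kind) for every connection-built message in a log excerpt."""
    return [(c["proto"], nat_summary(c)["kind"]) for c in map(parse_conn, lines) if c]
```

Only 302013 proves the destination rewrite; for ICMP the matching xlate entry (flags sT) or the debug output above is the place to confirm it.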

-Puneet
