11-21-2016 11:26 PM
Hello,
a question about NAT:
we've got an ASA5506 at a partner site and need to NAT the address of the internal interface (172.30.2.4) to the address 172.21.1.1 ONLY when the traffic destination is 192.168.220.128/25.
Now I've got a NAT rule for one destination in 192.168.220.128/25 that looks like this:
nat (any,any) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.133 192.168.220.133
(object names replaced with IP addresses)
This works only in one direction (from HQ to Branch) but not from Branch to HQ.
Could anyone help me please?
Thanks in advance
Karl
11-22-2016 07:54 PM
Hi Karl,
The first thing I would try here is to specify the interfaces on the NAT:
nat (HQ,Branch) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.133 192.168.220.133 no-proxy-arp
Keep in mind this type of NAT works bidirectionally.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-23-2016 11:48 PM
Hello JP,
thanks for your answer, but this doesn't work. I've tried every thinkable combination of interfaces.
Again:
From HQ (ASA5510) to BRANCH (ASA5506) everything works.
From BRANCH to HQ the traffic from the BRANCH LAN (dynamic NAT) works too.
From the management interface (inside) of BRANCH to HQ it doesn't work (needed for NTP and syslog).
From network object 172.21.1.1 to HQ it works.
Here's a "sh nat detail":
"
Manual NAT Policies (Section 1)
1 (any) to (any) source static INSIDE-IP BDHeim_MGMT destination static NAT_BVK NAT_BVK no-proxy-arp
translate_hits = 0, untranslate_hits = 335
Source - Origin: 172.30.2.4/32, Translated: 172.21.1.1/32
Destination - Origin: 192.168.220.128/25, Translated: 192.168.220.128/25
Auto NAT Policies (Section 2)
1 (any) to (any) source static BD_PRINTER PRINTER_NAT_IP
translate_hits = 0, untranslate_hits = 114
Source - Origin: 172.28.73.34/32, Translated: 172.21.1.20/32
2 (any) to (any) source dynamic BD_LAN Client_HIDE_IP
translate_hits = 37887, untranslate_hits = 0
Source - Origin: 172.28.0.0/16, Translated: 172.21.1.10/32"
I attach the "relevant" config of the BRANCH ASA; maybe someone has a clue.
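Added example (not part of the thread): a small Python parser for the "sh nat detail" output quoted above. It records each rule's interfaces, address translations and hit counters, then flags the two things worth checking here: rules bound to (any,any), and rules whose translate_hits stay at 0 while untranslate_hits climb, which is the one-way symptom visible in the Manual NAT entry. The sample text is constructed from the output in the post; the function names are my own.

```python
import re
# Constructed sample: the "sh nat detail" output quoted in the post above.
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (any) to (any) source static INSIDE-IP BDHeim_MGMT destination static NAT_BVK NAT_BVK no-proxy-arp
    translate_hits = 0, untranslate_hits = 335
    Source - Origin: 172.30.2.4/32, Translated: 172.21.1.1/32
    Destination - Origin: 192.168.220.128/25, Translated: 192.168.220.128/25
Auto NAT Policies (Section 2)
1 (any) to (any) source static BD_PRINTER PRINTER_NAT_IP
    translate_hits = 0, untranslate_hits = 114
    Source - Origin: 172.28.73.34/32, Translated: 172.21.1.20/32
2 (any) to (any) source dynamic BD_LAN Client_HIDE_IP
    translate_hits = 37887, untranslate_hits = 0
    Source - Origin: 172.28.0.0/16, Translated: 172.21.1.10/32
"""

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ADDR_RE = re.compile(r"^(Source|Destination) - Origin: (\S+), Translated: (\S+)$")

def parse_show_nat_detail(text):
    """Parse ASA 'show nat detail' into a list of dicts, one per rule."""
    rules, section, cur = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if "NAT Policies" in line:      # e.g. "Manual NAT Policies (Section 1)"
            section = line
        elif m := RULE_RE.match(line):  # "1 (any) to (any) source static ..."
            cur = {"section": section, "number": int(m[1]), "src_ifc": m[2],
                   "dst_ifc": m[3], "rule": m[4], "translate_hits": 0,
                   "untranslate_hits": 0, "addrs": {}}
            rules.append(cur)
        elif cur and (m := HITS_RE.search(line)):
            cur["translate_hits"], cur["untranslate_hits"] = int(m[1]), int(m[2])
        elif cur and (m := ADDR_RE.match(line)):
            cur["addrs"][m[1]] = (m[2], m[3])   # "Source" -> (origin, translated)
    return rules

def audit(rules):
    """Flag (any,any) rules and rules that only ever hit in the untranslate direction."""
    findings = []
    for r in rules:
        tag = (r["section"], r["number"])
        if r["src_ifc"] == "any" and r["dst_ifc"] == "any":
            findings.append(tag + ("interfaces are (any,any); pin to real interfaces",))
        if r["translate_hits"] == 0 and r["untranslate_hits"] > 0:
            findings.append(tag + ("untranslate hits only; nothing from the origin side is being translated",))
    return findings
```

Run `audit(parse_show_nat_detail(SAMPLE))` against your own pasted output to get the same two checks per rule.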
11-24-2016 05:31 AM
I don't see the changes in the config; I still see any,any on the NAT, which is not a best practice. Can you change the any,any to the source interface and destination interface of the NAT (Branch,HQ)?
After that can you run a packet tracer on the Branch ASA:
packet-tracer input Branch icmp 172.30.2.4 8 0 192.168.220.129 detail
Also, I can see you are doing a NAT of 172.20.2.4 to 172.28.73.34; is that right?
Can you also share the ACL applied on the crypto map as interesting traffic and a "show crypto ipsec sa peer <ip>" on the Branch ASA?
Hope this info helps!!
Rate if it helps you!!
-JP-
12-07-2016 01:45 AM
Sorry, had some days off:
1. If I restrict the NAT rule to (inside,outside), the traffic from HQ to Branch doesn't work anymore.
2.
bduerkheim# packet-tracer input inside tcp 172.30.2.4 1111 192.168.220.133 123$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.128 192.168.220.128 no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.220.133/123 to 192.168.220.129/123
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f063762d120, priority=501, domain=permit, deny=true
hits=128, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.2.4, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Edit: I'm wondering about Phase 2: shouldn't there be "NAT"?
3. Again: I've got 2 more NAT rules:
object network 172.28.0.0/16
nat (any,any) dynamic 172.21.1.10
object network 172.28.73.34
nat (any,any) static 172.21.1.20
They are working properly, and SSH from 192.168.220.133 to 172.21.1.1 also works.
12-08-2016 03:33 AM
Other question:
Could it be that the ASA doesn't NAT traffic originated by itself, or by one of its interfaces?
Is there a way to create some "virtual" management interface?
12-08-2016 04:52 AM
OK, I've made a sub-interface on the inside interface with the IP of the NAT object.
So the problem was that the ASA doesn't translate traffic originated by itself.