cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1350
Views
10
Helpful
6
Replies

Accessing NATTED subnet from Outside?

CiscoBrownBelt
Level 6
Level 6

So I have a subnet/object  let's say:

obj_10.10.10.0 255.255.255.0

nat (any,outside) dynamic interface

 

Seems having issue from Outside accessing it.

My ACL for Outside permits the the source to the obj_10.10.10.0

Packet-tracer is failing at "RPF-CHeck Action Drop".

What must I change?

 

6 Replies 6

I am not even sure. I don't know if it just fails in packet-tracer because I am using the Real IP destination address of INSIDE hosts given that subnet is NATTED.

Also, I need that entire subnet to be accessed via many different ports so I don't think doing the NAT statement not under the object would do the trick.

Shakti Kumar
Cisco Employee
Cisco Employee

Hi,

 

Let me first explain what does nat (any,outside) dynamic interface means for object obj_10.10.10.0 255.255.255.0

 

looking at the flow defined by the nat rule "nat (any,outside)" this means that any traffic coming from any interface going towards outside interface will be patted (Port Address Translation) to the interface IP of the outside interface.

 

PAT because of its nature is unidirectional flow meanining the above statement is pretty strict about the flow (any,outside) when you initiate the traffic from outside the flow would be something like (outside,any) .

 

I understand so far that you want a static nat or a static pat(port redirection)

 

refer to this document

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#92074

 

Or you can mention your specification I can help you to design a nat rule

 

Thanks

Shakti

 

 

Shakti Kumar
Cisco Employee
Cisco Employee
 

Hi thanks!

 

I am not sure what you mean by "Everyone tags"?

I just need multiple Outside subnets to be able to communicate with that internal 10.10.10.0_object. I am not sure if the problem is the FW. Given the current dynamic PAT statment I referenced, Outside subnets should be allowed to hit it as long as their is an Outside rule permitting to the real 10.10.10.0_object correct?

hi,

 

With the current nat 10.10.10.0_object will be patted to the interface address of the outside interface when going outside.

 

Thanks

Shakti