
ASA 5525, please confirm syntax of NAT statement.

I researched an old TAC case that solved a problem similar to a current one. The TAC notes contain the info below...

"What we did was create a twice NAT statement, where we NATed the SERVER1_SFTP object network into the interface IP of the outside interface.
After that we created an object network for the destination and NATed that IP into itself. Here is the configuration for your reference:

object network SERVER1_SFTP
 host 172.16.0.1
object network 1.1.1.1
 host 1.1.1.1
nat (Inside,Outside) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1"

It seems to me that the NAT snippet "SERVER1_SFTP interface" is incorrect. I expect it should read something like "SERVER1_SFTP SERVER1_SFTP" or "SERVER1_SFTP Outside".

Could you please confirm the correctness of the NAT statement above?

If it is incorrect, could you please provide a correction?

Thank you.


@jmaxwellUSAF It's not necessarily incorrect; it will work. It depends on what you wanted to achieve. You are translating the source IP to the interface IP.

What IP address is the destination expecting to receive traffic from?

You can use the interface IP address or the original IP (172.16.0.1) or specify an object of another IP.

I am 80% certain that the destination is expecting to receive traffic from the public IP of the local enterprise, 7.7.7.7, because they have only whitelisted 7.7.7.7.

1. In "SERVER1_SFTP interface", shouldn't "interface" actually be a specific nameif, such as "Outside", or an IP address?

2. Could you please correct the code below so that it achieves the goal discussed in the quotation in the original post?

"nat (Inside,Outside) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1"

@jmaxwellUSAF 

1. If you specify "interface" it will use the IP address of the interface as specified in the command "nat (inside,outside) ..............."

2. Assuming 7.7.7.7 isn't an interface IP, then use this...

object network NAT-IP
 host 7.7.7.7

nat (Inside,Outside) source static SERVER1_SFTP NAT-IP destination static 1.1.1.1 1.1.1.1


"1. If you specify "interface" it will use the IP address of the interface as specified in the command "nat (inside,outside) ...............""

- I don't understand the above statement. You say: "if you specify "x" then it will use the IP address of "x" as specified in the command "(string_with_many_different_items, and the only actual IP address is illogically the destination 1.1.1.1)"". Please clarify.

2. "Assuming 7.7.7.7 isn't an interface IP?" 7.7.7.7 is the ASA's outside, WWW-facing interface.

Please assist? Thank you.

Accepted Solution

@jmaxwellUSAF if you specify "interface" in the NAT rule it will take the IP address of the interface. So here is your example:-

show run interface gig0/1

interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 7.7.7.7 255.255.255.0

show nat detail

3 (INSIDE) to (OUTSIDE) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.0.1/32, Translated: 7.7.7.7/24
Destination - Origin: 1.1.1.1/32, Translated: 1.1.1.1/32

2. Using "interface" in the NAT (as you have) will use the interface IP address (as the example above confirms).

I would have thought you probably already have a dynamic PAT rule that hides the internal traffic behind the outside interface IP address used for internet access, so that new rule may not actually be required.
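To make the rule the accepted answer describes concrete, here is an added Python model of how the ASA resolves the mapped-source token in a "source static ... destination static ..." rule. It is example code written for this page, not Cisco's code or the ASA's own NAT engine, and it reproduces only the three outcomes visible in this thread: the keyword interface resolves to the address of the mapped interface named in the (real,mapped) pair, a bare nameif such as Outside fails because it is not an object, and an object whose host equals an interface address is rejected as overlapping. The interface list (Inside/Outside, 7.7.7.7/24 on the outside) and the object table are constructed from the thread; case-insensitive matching of the nameif and of the interface keyword is an assumption.

```python
import re
from dataclasses import dataclass


# Constructed sample ASA state (assumption): the interfaces and objects named in the thread.
@dataclass(frozen=True)
class Interface:
    nameif: str
    ip: str
    prefixlen: int


INTERFACES = [
    Interface("Inside", "172.16.0.254", 24),   # inside address is an assumption
    Interface("Outside", "7.7.7.7", 24),       # from 'show run interface gig0/1' in the thread
]
OBJECTS = {
    "SERVER1_SFTP": "172.16.0.1",
    "1.1.1.1": "1.1.1.1",
    "OUTSIDE_INTERFACE_7.7.7.7": "7.7.7.7",    # the object that triggered the overlap error
}

# Only the manual (twice) NAT form used in the thread is modelled.
RULE_RE = re.compile(
    r"^nat\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+source\s+static\s+"
    r"(?P<src_real>\S+)\s+(?P<src_mapped>\S+)\s+destination\s+static\s+"
    r"(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+)\s*$"
)


class NatError(ValueError):
    """Raised with the same wording as the ERROR: lines the ASA printed in the thread."""


def find_interface(name, interfaces=INTERFACES):
    # nameif lookup; case-insensitive is an assumption (the thread typed (Inside,Outside)
    # and 'show nat detail' printed (INSIDE) to (OUTSIDE))
    for iface in interfaces:
        if iface.nameif.lower() == name.lower():
            return iface
    raise NatError(f"{name} is not a configured interface name")


def resolve_address(token, mapped_if, objects=OBJECTS, interfaces=INTERFACES, is_mapped=False):
    """Resolve one real/mapped token of the rule to an address in 'show nat detail' form."""
    if token.lower() == "interface":
        # The keyword, not a nameif: it takes the address of the mapped interface of the
        # (real,mapped) pair, shown with the interface's own mask (7.7.7.7/24 in the thread).
        return f"{mapped_if.ip}/{mapped_if.prefixlen}"
    if token not in objects:
        raise NatError(f"{token} doesn't match an existing object or object-group")
    host = objects[token]
    if is_mapped:
        # A mapped object whose host is an interface address is refused; use 'interface' instead.
        for iface in interfaces:
            if iface.ip == host:
                raise NatError(f"Address {host} overlaps with {iface.nameif} interface address.")
    return f"{host}/32"


def resolve_nat(rule, objects=OBJECTS, interfaces=INTERFACES):
    """Parse one rule and return the origin/translated pairs the ASA would show."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise NatError("unsupported syntax (only 'source static ... destination static ...' is modelled)")
    real_if = find_interface(m["real_if"], interfaces)
    mapped_if = find_interface(m["mapped_if"], interfaces)
    return {
        "real_if": real_if.nameif,
        "mapped_if": mapped_if.nameif,
        "source": (
            resolve_address(m["src_real"], mapped_if, objects, interfaces),
            resolve_address(m["src_mapped"], mapped_if, objects, interfaces, is_mapped=True),
        ),
        "destination": (
            resolve_address(m["dst_real"], mapped_if, objects, interfaces),
            resolve_address(m["dst_mapped"], mapped_if, objects, interfaces, is_mapped=True),
        ),
    }


def explain(rule, objects=OBJECTS, interfaces=INTERFACES):
    """Return 'show nat detail'-style lines for a rule, or the single ERROR line it would produce."""
    try:
        r = resolve_nat(rule, objects, interfaces)
    except NatError as e:
        return [f"ERROR: {e}"]
    return [
        f"({r['real_if']}) to ({r['mapped_if']}) {rule.strip().split(') ', 1)[1]}",
        f"Source - Origin: {r['source'][0]}, Translated: {r['source'][1]}",
        f"Destination - Origin: {r['destination'][0]}, Translated: {r['destination'][1]}",
    ]


if __name__ == "__main__":
    # The three forms tried in the thread: keyword, bare nameif, and an object holding the interface IP.
    for rule in (
        "nat (Inside,Outside) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1",
        "nat (Inside,Outside) source static SERVER1_SFTP Outside destination static 1.1.1.1 1.1.1.1",
        "nat (Inside,Outside) source static SERVER1_SFTP OUTSIDE_INTERFACE_7.7.7.7 destination static 1.1.1.1 1.1.1.1",
    ):
        print(rule)
        print("\n".join("  " + line for line in explain(rule)))
```

Running it prints the translated pair 172.16.0.1/32 to 7.7.7.7/24 for the keyword form, and the two ERROR lines from the thread for the other two attempts. The model deliberately does not cover NAT section ordering or dynamic PAT, so it says nothing about whether this rule is needed alongside an existing PAT to the outside interface.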

Hi. When implementing code...

#nat (Inside,Outside) source static MY_SERVER Outside destination static VENDOR_SERVER Vendor_SERVER

I receive error...

# nat (Inside,Outside) source static MY_SEVER $
ERROR: Outside doesn't match an existing object or object-group

I tried, with error...

# object network OUTSIDE_INTERFACE_7.7.7.7
   # host 7.7.7.7
# nat (Inside,Outside) source static MY_SERVER OUTSIDE_INTERFACE_7.7.7.7 destination static VENDOR_SERVER Vendor_SERVER
ERROR: Address 7.7.7.7 overlaps with Outside interface address.
ERROR: NAT Policy is not downloaded

Please assist? Thank you.

@jmaxwellUSAF you don't specify the interface name (outside or whatever); you just specify the keyword interface, and the ASA will determine the real interface to use.

nat (inside,outside) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1

try this.

nat (Inside,Outside) source static MY_SERVER Interface destination static VENDOR_SERVER Vendor_SERVER

please do not forget to rate.

nat (Inside,Outside) source static SERVER1_SFTP interface destination static 1.1.1.1 1.1.1.1 <<- I didn't see this before, but why do you use NAT 1:1 SERVER1_SFTP interface?

I'm using strategy of replicating old solution that solved almost identical problem. I do not completely understand what I am doing here.