Hide / Dynamic Inbound PAT/NAT

Answered Question
Aug 11th, 2008

Does an ASA support hide / dynamic PAT/NAT from the outside interface to the inside interface and how is it configured?

dhananjoy chowdhury Mon, 08/11/2008 - 20:45

Hi,

You can do a port redirection from outside to Inside or DMZ.

If you want to achieve this:

- traffic coming to Outside IP A.B.C.D on port 80 should be redirected to the inside IP 192.168.1.10 on port 80
- traffic coming to Outside IP A.B.C.D on port 443 should be redirected to the inside IP 192.168.1.20 on port 443

then use these commands:

static (Inside,Outside) tcp A.B.C.D 80 192.168.1.10 80
static (Inside,Outside) tcp A.B.C.D 443 192.168.1.20 443

dave-taylor Mon, 08/11/2008 - 20:50

Thanks for the reply, not exactly what I want. What I'm trying to do is change the source address destined for A.B.C.D to an internally routed address so that I don't have to route external addresses on my internal network.


x.x.x.x -> a.b.c.d (firewall) y.y.y.y -> a.b.c.d

all too easy.


start with this concept.


ciscoasa# show run | inc nat|global
global (inside) 2 interface
nat (outside) 2 0.0.0.0 0.0.0.0 outside


Here we will nat the outside address (in this case ANY will be natted when the source is outside). We are natting to the inside interface IP.

You can do this in your environment if you want a friendly IP instead.


ciscoasa# show run | inc nat|global
global (inside) 2 10.7.7.7
nat (outside) 2 0.0.0.0 0.0.0.0 outside


then on the router facing the ASA inside interface:

ip route 10.7.7.7 255.255.255.255 <ASA-inside-interface-IP>


-Joe

dave-taylor Mon, 08/11/2008 - 21:54

Thanks Joe.


That was pretty close to the way I configured it on the ASA (didn't have "outside" at the end of the nat statement originally) but it still does not work.


%ASA-6-199002: Startup completed. Beginning operation.
%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host outside:172.16.0.50
%ASA-7-609001: Built local-host inside:192.168.1.1
%ASA-6-305011: Built dynamic TCP translation from outside:172.16.0.50/1041 to inside:192.168.1.2/1024
%ASA-3-305005: No translation group found for tcp src outside:172.16.0.50/1041 dst inside:192.168.1.1/23
%ASA-7-609002: Teardown local-host inside:192.168.1.1 duration 0:00:00
%ASA-7-609001: Built local-host inside:192.168.1.1
%ASA-3-305005: No translation group found for tcp src outside:172.16.0.50/1041 dst inside:192.168.1.1/23
%ASA-7-609002: Teardown local-host inside:192.168.1.1 duration 0:00:00
Lab-ASA#



Lab-ASA# show run
: Saved
:
ASA Version 7.2(2)
!
hostname Lab-ASA
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
access-list Out-In extended permit tcp 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 192.168.1.2
nat (outside) 2 172.16.0.0 255.255.255.0 outside
access-group Out-In in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
Lab-ASA#


Correct Answer

Please configure "no nat-control" on this ASA, or give the inside -> outside direction a nat translation.

With nat-control enabled, the inside hosts require a nat translation once nat has been configured when going from a higher-security to a lower-security interface.

In your case you can optionally leave nat-control enabled, and configure a static to itself or use nat 0.

Option 1: static to itself

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.0

Option 2: nat 0

nat (inside) 0 access-list nonat
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

-Joe

"Why so serious"
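The condition diagnosed in this answer, and the %ASA-3-305005 lines in dave-taylor's log buffer above, can both be checked mechanically. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from any ASA tool. It parses the pre-8.3 nat/global/static lines of a configuration, flags the nat-control situation Joe describes (outside->inside dynamic NAT configured while inside hosts have no translation towards outside), and counts 305005 events per failing destination. The embedded config and log text are constructed from the Lab-ASA output posted above; the rule matching is a simplified interface-level model, not the ASA's address-level logic, and every function name is this example's own.

```python
"""Spot the nat-control pitfall from this thread in a pre-8.3 ASA config
and summarise the %ASA-3-305005 syslogs that reveal it.

Added example, not from the thread or from Cisco. The matching is a
simplified interface-level model of nat/global/static, not the ASA's
address-level logic."""
import re
from collections import Counter

# Constructed sample: the NAT-relevant lines of the Lab-ASA config above.
SAMPLE_CONFIG = """\
nat-control
global (inside) 2 192.168.1.2
nat (outside) 2 172.16.0.0 255.255.255.0 outside
access-group Out-In in interface outside
"""

# Constructed sample: the syslog lines from the thread that matter here.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from outside:172.16.0.50/1041 to inside:192.168.1.2/1024
%ASA-3-305005: No translation group found for tcp src outside:172.16.0.50/1041 dst inside:192.168.1.1/23
%ASA-7-609002: Teardown local-host inside:192.168.1.1 duration 0:00:00
%ASA-3-305005: No translation group found for tcp src outside:172.16.0.50/1041 dst inside:192.168.1.1/23
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)\b")          # nat (real_if) id ...
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)\b")    # global (mapped_if) id ...
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\)")   # static (real_if,mapped_if) ...
MSG_305005_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (\w+) "
    r"src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)"
)


def parse_config(text):
    """Collect nat-control state, nat ids per real interface, global ids
    per mapped interface and static (real, mapped) interface pairs."""
    cfg = {"nat_control": False, "nat": {}, "global": {}, "static": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            cfg["nat_control"] = True
        elif line == "no nat-control":
            cfg["nat_control"] = False
        elif m := NAT_RE.match(line):
            cfg["nat"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            cfg["static"].add((m.group(1), m.group(2)))
    return cfg


def has_translation(cfg, real_if, mapped_if):
    """Some translation exists from real_if towards mapped_if: identity
    NAT (id 0), a nat/global pair sharing an id, or a static."""
    nat_ids = cfg["nat"].get(real_if, set())
    if 0 in nat_ids or nat_ids & cfg["global"].get(mapped_if, set()):
        return True
    return (real_if, mapped_if) in cfg["static"]


def audit_nat_control(cfg, inside="inside", outside="outside"):
    """Return findings. The one modelled here is the thread's case:
    nat-control on, outside->inside NAT present, inside->outside absent."""
    findings = []
    if (cfg["nat_control"]
            and has_translation(cfg, outside, inside)
            and not has_translation(cfg, inside, outside)):
        findings.append(
            f"nat-control on, {outside}->{inside} translated, but {inside} hosts "
            f"have no translation towards {outside}: expect %ASA-3-305005 on "
            f"inbound flows. Fix: 'no nat-control', 'nat ({inside}) 0 access-list "
            f"<acl>', or a static ({inside},{outside}) to itself.")
    return findings


def summarize_305005(log_text):
    """Count 305005 events per (proto, src_if, dst_if, dst_ip, dst_port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if m := MSG_305005_RE.search(line):
            proto, src_if, _sip, _sport, dst_if, dst_ip, dst_port = m.groups()
            counts[(proto, src_if, dst_if, dst_ip, int(dst_port))] += 1
    return counts


if __name__ == "__main__":
    for f in audit_nat_control(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", f)
    for key, n in summarize_305005(SAMPLE_LOG).items():
        print(f"{n}x 305005 for {key}")
    # Either fix from the accepted answer clears the finding.
    fixed = parse_config(SAMPLE_CONFIG + "nat (inside) 0 access-list nonat\n")
    print("after nat 0:", audit_nat_control(fixed))
```

On the constructed input this reports one finding and two 305005 events for tcp towards inside:192.168.1.1 port 23; appending either the nat 0 line or the static-to-itself line from the answer (or `no nat-control`) to the config clears the finding. In a real deployment you would feed it `show run` and the `show logging` buffer rather than the embedded samples.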
