Strange requirement of NO-NAT - NAT (0)

Unanswered Question
Sep 18th, 2008
Hi,

We have a slightly odd requirement in our ASA configuration. We are implementing Microsoft Office Communicator over the Internet. The server needs to have two Ethernet cards, one with a publicly routable IP address (public static IP address) and one with a private IP address. We have placed the server in the DMZ region of the ASA, which has a security level of 50 and IP address 10.200.0.1/24. Now the second Ethernet card of the server needs to be given a static IP which obviously matches our outside interface IP address subnet (outside IP address: a.b.c.d1/24), and the server card is also given an IP in the same range, a.b.c.d2/24. We need to forward the packet received on the outside i/f with destination IP a.b.c.d2 to the server without changing the destination IP address. This can be done by the static (dmz,outside) a.b.c.d2 a.b.c.d2 command.

But our problem is how the server will return this packet, as we are not able to give a default gateway to this card and also not able to connect. How can the ASA be configured so that packets can be forwarded from outside to DMZ and also from DMZ to outside? (The server card IP address matches the outside i/f subnet.)

I would appreciate an example on cisco.com.

Thanks in advance.

Subodh


Just curious: why does the OCS server need 2 NICs? Why can't it just use 10.200.1.20/24 and be NATted to a public IP?


Anyway, if I understand, the return traffic is breaking because the server is not directly connected to its default gateway?


my answer...


HIDE NAT!!!


NAT the external source to an IP the server will think is LOCAL. This is usually done by PAT'ing the 4.2 billion or so odd IPv4 space to a single IP address that can be routed from the server to any IP address on its local segment... confused yet? Good, I wouldn't want to make this less fun :)


Say you do the DMZ NAT you're doing (fine)


Now do another...


access-list 101 permit ip any host 63.101.1.1

(yes, let 63.101.1.1 be the public IP of the OCS server)


nat (outside) 10 access-list 101 outside

global (dmz) 10 1.1.1.1


Now on the server


-------------------------------------------


Add a secondary IP of 10.200.0.1 to the NIC on the same broadcast domain as the ASA


route add 1.1.1.1 mask 255.255.255.255 10.200.0.1


Basically my solution lets the server respond to another IP whose response side you control, etc., and it's presented via source NAT of the inbound traffic.


-Joe

bapatsubodh Thu, 09/18/2008 - 10:48

Hi Joe,

Thanks for your feedback. I am attaching here the diagram from Microsoft. We are actually using Access Edge, Web Conferencing and A/V Edge servers to publish OCS on the Internet. Here we have the servers with two Ethernet interfaces. In our case we are considering only DMZ and Outside (left side firewall). The second Ethernet card of the server is directly connected to the inside switch. In our case the A/V server (audio-video server) needs to have one card with a publicly routable static IP address (in our case the same subnet as that of the outside interface). So how do we connect the server, as it won't find the return path? If the packet undergoes NAT traversal, the audio and video session does not get established.

What I understood from what you have suggested is the following.

let us assume : Public address is 63.101.1.1

Then I will do a static

static (dmz,outside) 63.101.1.1 63.101.1.1

This will do the destination NAT, in our case no NAT: the destination IP address will not be changed. Now with access-list, nat and global we will do source NAT.


access-list 101 permit ip any host 63.101.1.1

(marks all packets with destination IP 63.101.1.1), then we do nat and global


nat (outside) 10 access-list 101 outside

global (dmz) 10 1.1.1.1


That means the packet that hits the server will have the same destination IP address (63.101.1.1) but will have source IP address 1.1.1.1.

And the server will send the return packet to 1.1.1.1 with the DMZ interface as its default gateway.


(This is what I feel will take place: the destination IP will remain the same and the source IP will change to 1.1.1.1.)


Please correct me if I am wrong.

Please check the document and suggest.

Thanks in advance

Subodh
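To make the packet flow Joe describes and Subodh restates concrete, here is an added simulation (not code from either poster or from Cisco) of the two ASA translations and the server's routing table. It assumes a constructed client address 198.51.100.7, a made-up PAT port allocator, and the addresses quoted in the thread (63.101.1.1 identity static, 1.1.1.1 global, 10.200.0.1 as the route-add gateway).

```python
from ipaddress import ip_address, ip_network

# Constructed topology using the addresses quoted in the thread.
OCS_PUBLIC = ip_address("63.101.1.1")   # static (dmz,outside) 63.101.1.1 63.101.1.1
HIDE_NAT = ip_address("1.1.1.1")        # global (dmz) 10 1.1.1.1
ASA_DMZ = ip_address("10.200.0.1")      # gateway in "route add 1.1.1.1 mask ... 10.200.0.1"

# Server routing table: no default gateway (the poster's constraint), only the
# connected subnets plus Joe's host route towards the hide-NAT address.
SERVER_ROUTES = [(ip_network("10.200.0.0/24"), None),
                 (ip_network("63.101.1.0/24"), None),
                 (ip_network("1.1.1.1/32"), ASA_DMZ)]

xlate = {}  # PAT table: hidden source port -> (original client IP, client port)

def asa_inbound(src, sport, dst, dport):
    """outside -> dmz: identity static keeps dst, policy NAT rewrites src to 1.1.1.1."""
    if dst != OCS_PUBLIC:           # access-list 101 permit ip any host 63.101.1.1
        return None                 # no static for this dst: dropped
    hidden = 1024 + len(xlate)      # assumed port pick; the ASA's real allocator differs
    xlate[hidden] = (src, sport)
    return (HIDE_NAT, hidden, dst, dport)

def asa_outbound(src, sport, dst, dport):
    """dmz -> outside: undo the PAT so the reply reaches the real client."""
    if dst != HIDE_NAT or dport not in xlate:
        return None
    client, cport = xlate[dport]
    return (src, sport, client, cport)

def server_route(dst):
    """Longest-prefix match on the server; None means the reply cannot leave the box."""
    hits = [(n, gw) for n, gw in SERVER_ROUTES if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def call_setup(client, cport, hide=True):
    """One request and its reply; returns the packet the client receives, or None."""
    client = ip_address(client)
    if hide:
        src, sport, dst, dport = asa_inbound(client, cport, OCS_PUBLIC, 5061)
    else:  # identity static only: the server sees the real Internet source address
        src, sport, dst, dport = client, cport, OCS_PUBLIC, 5061
    if server_route(src) is None:
        return None                 # the thread's failure: no path back to the client
    reply = (dst, dport, src, sport)
    return asa_outbound(*reply) if hide else reply
```

Without the hide NAT the reply to a real Internet address has no route off the server; with it, the reply is addressed to 1.1.1.1, follows the host route to the ASA, and the PAT entry restores the client's address.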




bapatsubodh Fri, 09/26/2008 - 07:32

hi,

We are currently stuck with the same problem. We have analysed the logs using the protocol analyser. What is happening is that the user on the Internet gets the private IP address of the second user and thus the voice call is not getting through. Till now I have not understood how this thing works. Microsoft documents state that all the servers are behind the firewall and should also have publicly routable addresses (funny, isn't it?). One answer was to connect the server directly to the outside world (that is more funny). We have registered a case with Microsoft and updates are expected by Monday (Sept 29, 2008, Indian time and date; Microsoft does not work on weekends!!). Once I have updates I will post them here, or shall I mail you at your mail address?

Thanks

Subodh
