NAT ASA destination address

Unanswered Question
Nov 14th, 2008

Hi


I am using an ASA 5540 running version 7.2(3) and would like to pass all http and https requests coming from the inside of the ASA to an external proxy server on the internet (all requests need to pass to port 8080). I've tried using static commands but can only seem to NAT on the inside source address and not the destination address. I have also tried the same using dynamic NAT but again can only NAT on the source address.

Is there a way of NATing the destination address when coming from the inside of firewall?

Alternatively, if anyone can suggest another way of diverting http requests to a proxy server on the internet that would be appreciated.

Jon Marshall Fri, 11/14/2008 - 07:03
static (outside,inside) 195.167.17.1 195.167.17.1 netmask 255.255.255.255


Or if you want to present the external address as an internal address


static (outside,inside) 192.168.5.1 195.167.17.1 netmask 255.255.255.255


where 192.168.5.1 is your internal address.


Jon

dbowley Fri, 11/14/2008 - 07:14

All internal users come from a private address range 10.10.10.x/24 and could potentially try to access any web page on the internet, but the destination needs to be natted to a proxy server address on the internet to process the web request.

Jon Marshall Fri, 11/14/2008 - 07:40


I do not have a PIX/ASA handy so I can't tell you whether this will work. You would need to test it - I have my doubts.


access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq http

access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq https


static (outside,inside) 195.167.17.1 access-list PNAT


Could you not do as Colin suggests and just modify the browser settings - think this would be a lot easier.


Jon

dbowley Fri, 11/14/2008 - 08:08

I've tried the above configuration and no success.


Would like to modify the browser settings, but have over 200 users and the department that rolls out our group policies for windows is having issues updating the browsers.


To get the nat changed by destination would be good.

John Blakley Fri, 11/14/2008 - 10:14

You can try:


static (inside,outside) tcp public ip 8080 10.10.10.0 8080 netmask 255.255.255.0



OR


static (inside,outside) tcp 8080 10.10.10.0 80 netmask 255.255.255.0


I'm wondering if the browser is going out default 80 and you have to translate out to 8080.



--John

dbowley Mon, 11/17/2008 - 04:30

I've tried this configuration and get an error message that global address overlaps with mask. Does anyone have any other suggestions?

dbowley Mon, 11/17/2008 - 05:23

Ideally I'd like to put in the following configuration:


access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 80

access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 443


static (outside,inside) access-list PROXY_NAT


Syntax-wise this isn't possible, but I hope it describes a little more clearly what I'm trying to do.


Collin Clark Fri, 11/14/2008 - 07:06

Could you set the browser settings for the proxy?

yuchenglai Fri, 01/01/2010 - 14:00

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal the number of addresses used for translation (which is only 1 address).


For example, my Cisco ASA 5505 gave no errors when I entered the following:


Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat


The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.


However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static nat combo (which amounts to static policy nat). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.


Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat


The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"


In my experience, it is, however, possible to map/translate more than one "real" IP address to one mapped/translated IP address using dynamic policy NAT. So for example, the following was accepted by my ASA with no errors.


Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105

nat (inside) 2 access-list staticPOLICYnat

global (outside) 2 192.168.1.253


If anyone knows how to translate or map multiple IP addresses to a single IP address using static policy NAT, please do share.


Best Regards,

David
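As an added illustration (not from the thread and not Cisco code), a small Python model of the rule David describes above: a static policy NAT is accepted only when the ACL's real (source) address count equals the single mapped address, while a nat/global pair is accepted many-to-one. It assumes, as a simplification, that the count mismatch is the only cause of the "global address overlaps with mask" error; the check also runs over Jon's earlier /24 suggestion and rejects it for the same reason.

```python
# Added model (not ASA code) of the rule yuchenglai describes: static policy NAT
# needs the ACL's real (source) address count to equal the mapped address count,
# while a nat/global pair (dynamic policy NAT) may map many real addresses to one.
import ipaddress

ANY_COUNT = 2 ** 32  # "any" matches the whole IPv4 space

def _field_count(tokens, i):
    """Number of addresses the ACL address field starting at tokens[i] covers."""
    if tokens[i] == "any":
        return ANY_COUNT
    if tokens[i] == "host":
        return 1
    # network + netmask form, e.g. "10.10.10.0 255.255.255.0"
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net.num_addresses

def acl_real_counts(acl_lines):
    """Map ACL name -> real (source) address count of each ACE."""
    acls = {}
    for line in acl_lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        i = 2  # skip the optional "line N" and "extended" keywords
        if t[i] == "line":
            i += 2
        if t[i] == "extended":
            i += 1
        i += 2  # step past permit/deny and the protocol to the source field
        acls.setdefault(t[1], []).append(_field_count(t, i))
    return acls

def check_static_policy_nat(static_line, acl_lines):
    """'accepted' or the thread's error for 'static (real,mapped) <ip> access-list <name>'."""
    t = static_line.split()
    acl_name = t[t.index("access-list") + 1]
    mapped_count = 1  # one mapped host address; this form takes no netmask
    for real_count in acl_real_counts(acl_lines).get(acl_name, []):
        if real_count != mapped_count:
            return "global address overlaps with mask"
    return "accepted"

def check_dynamic_policy_nat(nat_line, global_line):
    """nat/global pair: many real addresses may share one mapped address (PAT)."""
    nat_id, global_id = nat_line.split()[2], global_line.split()[2]
    if nat_id != global_id:
        return "no global matching nat id"  # constructed message, not ASA text
    return "accepted"
```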
