Static NAT on ASA using IP from an unconnected subnet

Unanswered Question
Apr 27th, 2009

Hi,


Is it possible to create a NAT statement on an ASA that NATs a source address to an IP address that is not part of a subnet on the ASA?


I want to NAT a source address from the inside interface to a public IP address. I will configure a static route on the next hop (an extranet router attached to a public DMZ) for the NATed address pointing to the ASA interface.


Many thanks


Jason


John Blakley Mon, 04/27/2009 - 08:50

As long as you have a route for it in your ASA, the ASA doesn't care if it's a "local" subnet. If you can ping it from the ASA, you can create a static nat for it.


HTH,

John

clarke.jason Mon, 04/27/2009 - 09:05

Hi John,


I can't ping the public IP address I want to NAT the source IP address to - I am hoping that the ASA will just translate the source RFC1918 address to a public address.


The return traffic into the ASA will be achieved by configuring a static route on the router pointing to the translated public IP address via the ASA interface. So when the ASA receives the packet it will translate it back to the real RFC1918 source address and route it back out the inside interface.


Cheers

Jason


John Blakley Mon, 04/27/2009 - 09:08

I'm not sure I follow. You want to nat an inside address out to a public address that you don't own?


Or do you own it, but to a different remote network?

clarke.jason Mon, 04/27/2009 - 09:18

This is part of a migration exercise where we have Nokia FWs in place and we want to migrate the extranet connections off those FWs onto the ASAs. The problem is all the remote connections hanging off the Nokias are expecting a public IP address that the Nokia translates to.

For management ease we want to move the connections over but keep the NAT translations so every remote destination does not have to update their fws.

So we own the public IP address but it is currently configured on another FW - we are just moving the NAT statements over, but the ASA employs a different public IP range. Hence the question - will the ASA still translate the source RFC1918 addresses to a public address that is not configured within any of its interface subnet ranges?

John Blakley Mon, 04/27/2009 - 09:35

Jason,


You won't be able to nat to a public address that you don't have on the box.


HTH,

John

clarke.jason Mon, 04/27/2009 - 09:38

hi John,


Ahhh - that is not good news.... the ASA takes the configuration, I tried it and it accepts it and shows the entry in the 'show nat' command!


Thank you for your help.


Cheers

Jason

John Blakley Mon, 04/27/2009 - 09:45

If you can get it to work, please post back here and others might learn from it :)

John Blakley Mon, 04/27/2009 - 09:44

Jason,


I'm not sure how comfortable you are in the ASA, so if I'm touching on something that you know, please forgive me.


If you have a static address that you own on the ASA (5.5.5.1), and you have the complete class c space 5.5.5.0/24, you can have individual devices nat out as 5.5.5.x by doing the following:


    global (outside) 1 interface
    nat (inside) 1 0 0


The above will translate everything on the inside to whatever address is on your public interface. If you want to use more addresses, then you can do the following:


    global (outside) 2 5.5.5.5
    global (outside) 3 5.5.5.6
    nat (inside) 2 10.15.0.0 255.255.255.0
    nat (inside) 3 10.16.1.0 255.255.255.0


This will have 10.15.0.0/24 use 5.5.5.5 as the natted address, and 10.16.1.0/24 will use 5.5.5.6 as its natted address.


Does that help at all?


If you're wanting to nat your address as something that you don't own on the other end because the other end is expecting a certain public address and you don't have that public address, I'm not sure the best way to handle that because your ISP (if you're going through the internet to get there and not p2p links) will need to be able to route this address. Once the traffic leaves your network as natted to another address that your provider doesn't expect, I would think they would drop the traffic.


HTH,

John



clarke.jason Mon, 04/27/2009 - 09:53

hi John,


I am thinking the following - the remote network already knows about the public IP address that I want to NAT to, as it is already in use on the Nokia FWs - so all I am doing is moving the LAN connection of the extranet router from one FW to another and therefore changing the LAN IP address to sit on the ASA DMZ LAN. If I add a static route to the extranet firewall for the NATed public IP address via the new ASA DMZ interface, then the remote connection could still route to the public IP. So routing isn't an issue; it's whether or not the ASA will translate the RFC1918 source addresses to a public IP that is not configured on the DMZ interface subnet. As I said, it accepts the configuration.... logically it should work as it's only NATing the source address, so it doesn't have to route for that public IP....


Will let you know what happens - thanks for your help.
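To make the two halves of this thread concrete (John's `global`/`nat` pairing by NAT id, and Jason's plan of a static route on the extranet router pointing the mapped address back at the ASA), here is a small added Python model. It is example code written for this page, not anything from the thread or from Cisco. It parses the pre-8.3 `global`/`nat` lines in the form John quotes, picks the most specific `nat` statement for a source address (an assumption that simplifies the ASA's real rule ordering), and then classifies how return traffic to the mapped address reaches the ASA: on-link (mapped address inside the egress interface's subnet), via an upstream static route (Jason's approach), or neither. The interface subnets, the `dmz` interface, the 192.0.2.x/203.0.113.x addresses and the fourth NAT pair are constructed sample values; the code does not settle whether a given ASA release will translate to an off-subnet address, which is the question the thread leaves open.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the thread). The "dmz" interface stands
# in for the DMZ LAN Jason describes towards the extranet router.
INTERFACES = {
    "inside": ip_network("10.15.0.0/16"),
    "outside": ip_network("5.5.5.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}
INTERFACE_ADDRESSES = {
    "outside": ip_address("5.5.5.1"),
    "dmz": ip_address("192.0.2.1"),
}

# Pre-8.3 style global/nat lines. The first six follow John's post; the last
# pair maps a subnet to 203.0.113.10, a constructed address that is NOT within
# any interface subnet, which is Jason's situation.
CONFIG = """
global (outside) 1 interface
nat (inside) 1 0 0
global (outside) 2 5.5.5.5
global (outside) 3 5.5.5.6
nat (inside) 2 10.15.0.0 255.255.255.0
nat (inside) 3 10.16.1.0 255.255.255.0
global (dmz) 4 203.0.113.10
nat (inside) 4 10.20.0.0 255.255.255.0
"""


def parse_config(text):
    """Return ({nat_id: (egress_iface, mapped)}, [(nat_id, real_network)])."""
    globals_by_id = {}
    nats = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "global":
            iface = parts[1].strip("()")
            globals_by_id[int(parts[2])] = (iface, parts[3])
        elif parts[0] == "nat":
            net, mask = parts[3], parts[4]
            # "nat (inside) 1 0 0" means every real address
            real = ip_network("0.0.0.0/0") if (net, mask) == ("0", "0") \
                else ip_network(f"{net}/{mask}")
            nats.append((int(parts[2]), real))
    return globals_by_id, nats


def translate(src, globals_by_id, nats):
    """Pick the most specific matching nat statement (assumed longest-prefix
    preference) and return (egress_iface, mapped_address), or None."""
    src = ip_address(src)
    matches = [(real.prefixlen, nat_id) for nat_id, real in nats if src in real]
    if not matches:
        return None
    _, nat_id = max(matches)
    iface, mapped = globals_by_id[nat_id]
    mapped = INTERFACE_ADDRESSES[iface] if mapped == "interface" else ip_address(mapped)
    return iface, mapped


def return_path(iface, mapped, upstream_routes):
    """Classify how replies to the mapped address get back to the ASA.
    upstream_routes: [(network, next_hop)] configured on the next-hop router."""
    if mapped in INTERFACES[iface]:
        return "on-link"
    for prefix, next_hop in upstream_routes:
        if mapped in prefix and next_hop == INTERFACE_ADDRESSES[iface]:
            return "static-route"
    return "unroutable"


def evaluate(src, upstream_routes=()):
    """Translate src and report the return-path class for the mapped address."""
    globals_by_id, nats = parse_config(CONFIG)
    result = translate(src, globals_by_id, nats)
    if result is None:
        return None
    iface, mapped = result
    return iface, str(mapped), return_path(iface, mapped, upstream_routes)


if __name__ == "__main__":
    # Jason's plan: a /32 route on the extranet router for the mapped address
    # with the ASA's DMZ address as next hop (constructed values).
    routes = [(ip_network("203.0.113.10/32"), ip_address("192.0.2.1"))]
    for host in ("10.15.0.7", "10.16.1.9", "10.99.0.1", "10.20.0.5"):
        print(host, "->", evaluate(host, routes))
    print("10.20.0.5 without the upstream route ->", evaluate("10.20.0.5"))
```

The `unroutable` outcome is the case worth flagging in a migration like this one: the ASA may well accept the `global` line, but if nothing upstream has a route for the mapped address pointing at the ASA, replies never arrive and the translation silently does nothing useful.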
