outside nat (destination nat)

Unanswered Question
Mar 8th, 2010

Hello

It is my first post here, so sorry if I mess something up.

I have a rather simple thing, but I've lost hours trying to implement it on FWSM.

I need to configure NAT on destination IP address only for requests coming from outside.

The packet which will hit the firewall looks like:

SRC: 10.111.0.0/23

DST: 192.168.252.10

It will hit outside interface with security level 20

I want the firewall to translate the DST IP of that packet, so the packet on the inside interface will look like:

SRC: 10.111.0.0/23

DST: 10.100.14.10

==================

Then the server 10.100.14.10 has a route to 10.111/23 and will reply to the firewall, and I expect that the firewall will use its xlate table to NAT that packet back so it will look like it originated from 192.168.252.10. Unfortunately there is no answer from the server (Bs flags).

Here is the config:

static (inside,outside) 192.168.252.10 10.100.14.10

I got hitcounts on the access-list from the outside, and I got xlate entry and a connection entry.

fwsm/fw# show xlate debug | inc 192.168.252
NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:01:28 timeout 3:00:00 connections 0

show conn | inc 192.168.252
TCP out 10.111.127.26:50689 in 192.168.252.10:80 idle 0:00:10 Bytes 64 FLAGS - Bs

Can someone enlighten me, what am I doing wrong? Do I have to use policy NAT in order to do 1-to-1 NAT on the destination IP address only?

Thanks!

Federico Coto F... Mon, 03/08/2010 - 15:55

Hi,

The static command that you have:
static (inside,outside) 192.168.252.10 10.100.14.10

What it is saying is that if somebody hits 192.168.252.10 from the outside, the Firewall
will translate that IP to 10.100.14.10 and vice versa.

Is 10.100.14.10 part of the inside of the Firewall?
In other words, is 10.100.14.10 the real IP for the internal device?
Can you get out through the Firewall and get a response if you source the packet from
10.100.14.10?

You mentioned that the FW has a route to 10.111.x.x (where the packet is coming from),
but does the 10.100.14.10 device have a route to 10.111.x.x pointing to the Firewall?

Federico.

scavdarov Mon, 03/08/2010 - 22:47

Thanks Federico!

10.100.14.10 is on the inside.

Yes, it is IP of a real device.

Yes, I see connections made from 10.100.14.10 on other interfaces. I don't have access to that host to try to source a packet from it.

Yes, the device has a correct route to 10.111.x.x.

What the firewall doesn't have is a correct route to 192.168.252.x. It has a default route.

The 192.168.252.x addresses are used only for NAT (there's no hosts with such IP addresses)

How can I check what the packet destination IP address is after the NAT? Is that info in the xlate table? I don't quite understand this info in the xlate table:

NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:00:29 timeout 3:00:00 connections 1

Last question: If the firewall dropped the packet due to a routing issue, would I always see a syslog message such as "ASA-6-110001: No route to a.a.a.a from b.b.b.b", or is that not the case? I do not see that message in the syslog.

Thanks!

scavdarov Tue, 03/09/2010 - 03:22

Hi

I had some sleep, and first thing in the morning removed that line and re-applied it again.

Now I have the correct xlate entry:

NAT from inside:10.100.252.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0

Note that the "s" flag is in xlate, compared to I flag, and the IP addresses are correct.
Honestly I don't know what I had wrong there, and I'm sure I tested with this config last night and it didn't work.

Thanks for your help!
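Added example, not part of the thread: a small Python check that parses FWSM "show xlate debug" lines like the ones pasted above and reports whether the expected static translation is in place, or whether the entry is only an identity xlate (real and mapped address identical, "I" flag) as in the first post. The sample lines are constructed from the thread's entries; the helper names are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Matches the "NAT from <if>:<real> to <if>:<mapped> flags <flags>" part of
# an FWSM/ASA "show xlate debug" line; the idle/timeout fields are ignored.
XLATE_RE = re.compile(
    r"NAT from (?P<in_if>\w+):(?P<real>[\d.]+) to (?P<out_if>\w+):(?P<mapped>[\d.]+)"
    r" flags (?P<flags>\S+)"
)

@dataclass
class Xlate:
    in_if: str
    real: str
    out_if: str
    mapped: str
    flags: str

    @property
    def identity(self) -> bool:
        # "I" is the identity flag; real == mapped means nothing is rewritten
        return "I" in self.flags or self.real == self.mapped

    @property
    def static(self) -> bool:
        # "s" marks an xlate built from a static command
        return "s" in self.flags

def parse_xlate(output: str) -> list[Xlate]:
    return [Xlate(**m.groupdict()) for line in output.splitlines()
            if (m := XLATE_RE.search(line))]

def check_static(output: str, mapped: str, real: str) -> str:
    """Verdict for an expected 'static (inside,outside) <mapped> <real>'."""
    for x in parse_xlate(output):
        if x.mapped != mapped:
            continue
        if x.identity:
            return f"identity xlate for {mapped}: DST is not rewritten to {real}"
        if x.static and x.real == real:
            return f"ok: {mapped} -> {real} (static)"
        return f"unexpected: {mapped} maps to {x.real} flags {x.flags}"
    return f"no xlate for {mapped}"

# Constructed samples modelled on the thread's broken and corrected entries.
BROKEN = "NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:01:28 timeout 3:00:00 connections 0"
FIXED = "NAT from inside:10.100.14.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0"

if __name__ == "__main__":
    for sample in (BROKEN, FIXED):
        print(check_static(sample, "192.168.252.10", "10.100.14.10"))
```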
