NAT funda- Need help

Mar 30th, 2010
Hi, I have one ASA which is connected with a point-2-point link of one vendor (10.8.8.0/24). My internal network range is 10.40.71.0/24, 10.80.71.0/24, 10.81.71.0/24, 10.50.71.0/24 & 10.45.71.0/24.


My motto is I want to hide my internal network and it should be replaced with 172.19.x.0/24 subnet before leaving my ASA. I have configured one policy for 10.40.71.0/24 subnet. Now I have two questions.


1. Will the configuration below work? If the vendor hits 172.19.194.14, will it be routed to my internal server 10.40.71.14?

2. What do I have to do for the rest of the subnets? Do I have to create other new NAT subnets like 172.19.195.x, 172.19.196.x ..?



My current config is --


name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV

Rupesh Kashyap Tue, 03/30/2010 - 04:28

You mean I have to do the config as below -


name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV


Now I have one confusion. If the vendor hits the 172.19.194.15 IP, then which internal IP will it be routed to?

The config is correct.


The ASA has an internal translation table - it tracks the use of internal/external IP addresses.  For each translation that takes place the ASA will put an entry into the table.


Each connection has a specific ephemeral internal port used for reference and tracking on the source & destination NAT IP address.


You can view this table at the CLI: in enable mode type "show xlate"


HTH>

Rupesh Kashyap Tue, 03/30/2010 - 04:38

Agreed. My question is, my call server IP is 10.81.71.15 & I have opened 10.40.71.0, 10.80.71.0 & 10.81.71.0. So if the vendor hits 172.19.194.15, how will it reach 10.81.71.15? It could also hit 10.40.71.15 & 10.80.71.15..


This is the only confusion for me. What do you suggest?

As I said, the ASA has a NAT translation table - source and destination IP addresses in the NAT table are logged and tracked.


The ASA has a stateful firewall connection table - on ALL incoming/outgoing connections through the device.  The ASA will track all connections and make sure the traffic reaches the correct host.

Rupesh Kashyap Tue, 03/30/2010 - 04:53

The problem is, the vendor will initiate the connection to our call server. We have allowed three subnets in a single ACL, so if the vendor hits our call server, to which internal IP will it be routed?

If you want anyone on the outside to connect specifically to your call server - you either create a specific PAT translation based on destination port (the specific port or ports your call server is listening on) or you create a specific 1:1 NAT for that internal server.


I would create a pool of addresses for all other hosts, and a specific static translation for the call server.

droeun141 Tue, 03/30/2010 - 12:05

If the vendor hits 172.19.194.15, which one of the subnets does it translate to by default, if PAT isn't configured?

Whichever internal server initiated the connection to the vendor.


If no connection exists, the traffic will not pass through.


BASIC NAT - if no outbound connection has been made, no return/initiated traffic will be permitted.  The exception to this rule is when there is a static PAT or static NAT; then no initial outbound connection is required.


HTH>

Andrew.

droeun141 Thu, 04/01/2010 - 09:14

He's using a policy-based NAT though, both sides can trigger the NAT policy (doesn't have to initiate from inside, and don't need static NAT or PAT).


If he only had one entry:


name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV


This basically says that anything coming from 10.40.71.0/24 going to 10.8.8.0/24 - rewrite the source to 172.19.194.0/24.  The same is true if the traffic sources from the outside - anything coming from 10.8.8.0/24 going specifically to 172.19.194.0/24 would translate 1-to-1 to the whole 10.40.71.0/24 range (194.15 would become 71.15, 194.101 would become 71.101, etc.).  We used to do this all the time without any problems.


The confusion comes from when adding additional entries into an existing NAT rule - what happens if there isn't a static entry configured?


name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV
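To make the ambiguity in this thread concrete, here is a small constructed model (added here, not code from the thread or from Cisco) of net-to-net static policy NAT: host bits are kept and only the network bits are swapped, so with one ACE the inbound lookup for 172.19.194.15 is unique, while with three ACEs sharing the single mapped subnet AH_IRV_NAT there are three candidate real hosts. The ordering and "first match wins" rule are assumptions of the model, not a statement about the ASA's actual algorithm.

```python
import ipaddress

# Constructed model of the thread's policy NAT: each ACE maps a real
# inside subnet to the mapped (global) subnet for traffic to the vendor.
VENDOR = ipaddress.ip_network("10.8.8.0/24")
MAPPED = ipaddress.ip_network("172.19.194.0/24")   # name AH_IRV_NAT

SINGLE_ACE = [ipaddress.ip_network("10.40.71.0/24")]
THREE_ACES = [ipaddress.ip_network(n) for n in
              ("10.40.71.0/24", "10.80.71.0/24", "10.81.71.0/24")]


def net_to_net(addr, src_net, dst_net):
    """Keep the host bits, swap the network bits (static net-to-net NAT)."""
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def outbound(real_src, dst, aces):
    """Inside -> outside: first ACE whose real subnet holds the source wins
    (assumed ordering). Returns the mapped source, or None if no ACE matches."""
    if ipaddress.ip_address(dst) not in VENDOR:
        return None                        # policy does not apply, no rewrite
    src = ipaddress.ip_address(real_src)
    for real_net in aces:
        if src in real_net:
            return str(net_to_net(src, real_net, MAPPED))
    return None


def inbound_candidates(mapped_dst, src, aces):
    """Outside -> inside: every ACE sharing the mapped subnet yields a
    candidate real destination; more than one means the mapping is ambiguous,
    which is exactly the three-subnet case asked about in the thread."""
    if ipaddress.ip_address(src) not in VENDOR:
        return []
    dst = ipaddress.ip_address(mapped_dst)
    if dst not in MAPPED:
        return []
    return [str(net_to_net(dst, MAPPED, real_net)) for real_net in aces]


if __name__ == "__main__":
    print(outbound("10.40.71.14", "10.8.8.5", SINGLE_ACE))
    print(inbound_candidates("172.19.194.15", "10.8.8.5", SINGLE_ACE))
    print(inbound_candidates("172.19.194.15", "10.8.8.5", THREE_ACES))
```

With the single ACE the vendor reaching 172.19.194.15 can only mean 10.40.71.15; with three ACEs the model returns three candidates, which is why a dedicated static translation for the call server is the safe way to remove the ambiguity.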
