NAT funda- Need help

Rupesh Kashyap
Level 1

Hi, I have one ASA which is connected with a point-to-point link to one vendor (10.8.8.0/24). My internal network ranges are 10.40.71.0/24, 10.80.71.0/24, 10.81.71.0/24, 10.50.71.0/24 & 10.45.71.0/24.

My motto is that I want to hide my internal network, and it should be replaced with a 172.19.x.0/24 subnet before leaving my ASA. I have configured one policy for the 10.40.71.0/24 subnet. Now I have two questions.

1. Will the configuration below work? If the vendor hits 172.19.194.14, will it be routed to my internal server 10.40.71.14?

2. How do I handle the rest of the subnets? Do I have to create other new NAT subnets like 172.19.195.x, 172.19.196.x, ...?

My current config is:

name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV


andrew.prince
Level 10

The ASA should handle this as PAT addressing; the only thing you need to do is add your other internal networks to the access list.

HTH>

You mean I have to do the config as below:

name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV

Now I have one confusion. If the vendor hits the IP 172.19.194.15, which internal IP will it route to?

The config is correct.

The ASA has an internal translation table; it tracks the use of internal/external IP addresses. For each translation that takes place the ASA will put an entry into the table.

Each connection has a specific ephemeral internal port used for reference and tracking of the source & destination NAT IP address.

You can view this table at the CLI: in enable mode, type "show xlate".

HTH>

Agreed. My question is: my call server IP is 10.81.71.15 & I have opened 10.40.71.0, 10.80.71.0 & 10.81.71.0. So if the vendor hits 172.19.194.15, how will it reach 10.81.71.15? It could also hit 10.40.71.15 & 10.80.71.15.

This is the only confusion for me. What do you suggest?

As I said, the ASA has a NAT translation table; source and IP addresses in the NAT table are logged and tracked.

The ASA has a stateful firewall connection table for ALL incoming/outgoing connections through the device. The ASA will track all connections and make sure the traffic reaches the correct host.

The problem is, the vendor will initiate the connection to our call server. We have allowed three subnets in a single ACL, so if the vendor hits our call server, which internal IP will it be routed to?

If you want anyone on the outside to connect specifically to your call server, you either create a specific PAT translation based on destination port (the specific port or ports your call server is listening on) or you create a specific 1:1 NAT for that internal server.

I would create a pool of addresses for all other hosts, and a specific static translation for the call server.

Got it.

If the vendor hits 172.19.194.15, which one of the subnets does it translate to by default, if PAT isn't configured?

Whichever internal server initiated the connection to the vendor.

If no connection exists, the connection will not pass through.

BASIC NAT: if no outbound connection has been made, no return/initiated traffic will be permitted. The exception to this rule is when there is a static PAT or static NAT; then no initial outbound connection is required.

HTH>

Andrew.

He's using a policy-based NAT though, both sides can trigger the NAT policy (doesn't have to initiate from inside, and don't need static NAT or PAT).

If he only had one entry:

name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV

This basically says that anything coming from 10.40.71.0/24 going to 10.8.8.0/24 gets its source rewritten to 172.19.194.0/24. The same is true if the traffic sources from the outside: anything coming from 10.8.8.0/24 going specifically to 172.19.194.0/24 would translate 1-to-1 to the whole 10.40.71.0/24 range (194.15 would become 71.15, 194.101 would become 71.101, etc.). We used to do this all the time without any problems.

The confusion comes when adding additional entries into an existing NAT rule: what happens if there isn't a static entry configured?

name 172.19.194.0 AH_IRV_NAT

access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0

static (inside,outside) AH_IRV_NAT  access-list inside_IRV
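As an added example that is not part of the thread, here is a small Python model of the two situations the last reply contrasts: the single-ACE policy static, which maps 172.19.194.0/24 and 10.40.71.0/24 onto each other host-for-host in both directions, and the three-ACE version, where a vendor-initiated packet to 172.19.194.15 has three possible real destinations unless an existing xlate entry already pins it. The net-to-net shift, the xlate dictionary and the overlap check are simplifications written for this example, not a description of ASA internals; the addresses are the ones quoted in the posts.

```python
import ipaddress
from collections import defaultdict

# Addresses are the ones quoted in the thread; the translation model itself is
# a simplification written for this example, not a description of ASA internals.
MAPPED = ipaddress.ip_network("172.19.194.0/24")  # "name 172.19.194.0 AH_IRV_NAT"

def policy_static(aces, mapped=MAPPED):
    """One (real, peer) tuple per ACE of inside_IRV; all map onto the same mapped network."""
    return [(ipaddress.ip_network(r), ipaddress.ip_network(p), mapped) for r, p in aces]

def shift(addr, from_net, to_net):
    """Net-to-net static: keep the host part, swap the network part."""
    host = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host)

def outbound(rules, xlate, src, dst):
    """Inside->outside. Rewrites the source on an ACE match and records the xlate.
    Returns the mapped source as a string, or None when no rule applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real, peer, mapped in rules:
        if src in real and dst in peer:
            mapped_src = shift(src, real, mapped)
            xlate[str(mapped_src)] = str(src)  # the entry "show xlate" would list
            return str(mapped_src)
    return None

def inbound(rules, xlate, src, dst):
    """Outside->inside. An existing xlate entry is authoritative; otherwise every
    real address the mapped destination could untranslate to is returned."""
    if str(dst) in xlate:
        return [xlate[str(dst)]]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted({str(shift(dst, mapped, real)) for real, peer, mapped in rules
                   if src in peer and dst in mapped}, key=ipaddress.ip_address)

def overlapping_mapped(rules):
    """Config check: a mapped network shared by several real networks makes
    vendor-initiated traffic to that mapped range ambiguous."""
    seen = defaultdict(list)
    for real, _peer, mapped in rules:
        seen[str(mapped)].append(str(real))
    return {m: r for m, r in seen.items() if len(r) > 1}

VENDOR = "10.8.8.0/24"
ONE_ACE = policy_static([("10.40.71.0/24", VENDOR)])
THREE_ACES = policy_static([("10.40.71.0/24", VENDOR), ("10.80.71.0/24", VENDOR),
                            ("10.81.71.0/24", VENDOR)])

if __name__ == "__main__":
    print(outbound(ONE_ACE, {}, "10.40.71.14", "10.8.8.5"))       # 172.19.194.14
    print(inbound(THREE_ACES, {}, "10.8.8.5", "172.19.194.15"))  # three candidates
    print(overlapping_mapped(THREE_ACES))
```

Running `overlapping_mapped` over the three-ACE rule set reports the shared 172.19.194.0/24 range, which is exactly the condition under which the call server needs its own static, as suggested earlier in the thread.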
