Single host with static NAT inbound, dynamic NAT outbound

dschraudt · ‎03-31-2010

I need to find out how to configure an ASA 5520 to accomodate an outbound xlate using the normal global pool, if it has an outside to inside static xlate defined. The outside to inside static translate uses a phantom global address and the inside hosts physical address to accomodate inbound traffic from a remote L2L VPN connection. This works fine. My problem is that when the host attempts sending internet bound traffic that is not traversing the VPN, it is using the static NAT. As the traffic egresses to the internet, the newly translated source address is the phantom, (10.x.x.x) address.

I am trying to determine how to force internet bound traffic from this host to use the normal NAT/Global configuration that is in place listed here:

global (outside) 1 12.11.11.11-12.11.11.111 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

Would appreciate any ideas

david...

Federico Coto Fajardo · ‎03-31-2010

Hi,

The problem here is the NAT order of operation on the ASA:

1. NAT 0

2. STATIC NAT/PAT

3. Policy NAT

4. Regular dynamic NAT

Check this link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1079279

So, if you have a STATIC NAT defined for a local IP, then the STATIC rule will always take precedence over the regular dynamic NAT that you specified:

global (outside) 1 12.11.11.11-12.11.11.111 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

You said that you use the STATIC NAT for VPN? And you want the regular NAT for Internet access?

Is an option for you to change these NAT rules?

Federico.

dschraudt · ‎04-01-2010

Thanks for your response.

I don't necessarily need to use a dynamic xlate outbound so much as just come up with something that will allow the internal server to be able to access the internet.

The basic requirments of the vendor VPN connection is that they need to route traffic to us over the ipsec tunnel using a specific 10.x.x.x address whose subnet does not exist on the firewall. I am just statically translating this 10.x.x.x address to the correct inside address, which works fine for the vendor to access our internal server. The problem is that when the internal server sends outbound traffic to the internet instead of the vendor VPN tunnel, the source IP is translated to the non-routable 10.x.x.x address.

I looked at policy static nat, using an ACL to determine vendor vs. internet traffic, but there are two issues that I am unsure of. 1. Will these NATs allow outside to inside traffic based on the ACL applied to the interface, and 2. Since no "deny" statements are allowed in the ACL, I am doing two ACLs, one with a /32 match on the vendor VPN traffic and another ACL with a match on 0.0.0.0/0, hoping the vendor will take the more specific ACL match. I am putting the policy static nat commands in this order.

I have a time scheduled next week to try this config and see if it works.

david...

Federico Coto Fajardo · ‎04-01-2010

What about trying the following:

Assuming that the server is a web server listening on port 80, you can do (as you say) STATIC PAT.

static (in,out) tcp x.x.x.x 80 y.y.y.y 80

nat (inside) 1 y.y.y.y

global (outside) 1 z.z.z.z

In this way, the VPN can access the server using x.x.x.x only on port 80.

If the server wants to get out to the Internet it will be translated to the dynamic NAT/PAT since it does not match the STATIC statement.

Let me know.

Federico.