Static NAT through ASA

Answered Question
Apr 8th, 2010
I have configured a static NAT through my ASA, which for some reason does not work. I believe the problem is with the NAT order rather than the rule itself, but I would be most grateful if someone could assist me in diagnosing the problem.


From the command line the rule is:


static (UKSCMGMT,management) 10.20.20.20 192.168.1.2 netmask 255.255.255.255


My theory is that anything with a destination address of 10.20.20.20 would be seen as 192.168.1.2 on the UKSCMGMT interface.


Looking at ASDM, the rule looks like this:


Type      Source         Destination   Interface     Translated address
Static    192.168.1.2    (blank)       management    10.20.20.20


There are some EXEMPT rules relating to 192.168.1.2, but they are host to host and should not affect the static translation.

Correct Answer by Jennifer Halim about 7 years 1 month ago

Yes, absolutely correct. You can configure NAT exemption per network instead of per each host. If you have hosts which can be grouped into a subnet, configure it as network statements instead.

Jennifer Halim Thu, 04/08/2010 - 03:42 (Cisco Employee)

Please share the following configuration:

sh run interface --> would like to see the security level
sh run static --> depending on the security level above, need to check the current static statement
sh run nat --> also need to check if the NAT exemption overlaps.

KeithN123 Thu, 04/08/2010 - 05:09

Both interfaces have a security level of 100.


The show run static command gives the following:


static (UKSCMGMT,management) LS-NAT-P-NAG02 ls-mpd-p-nag02 netmask 255.255.255.255



I have now removed all the Exempt statements and ticked the "Enable traffic through the firewall without translation" box.


Attached is a packet trace of the rule.



Thank you for taking the time to look at this problem.

Jennifer Halim Thu, 04/08/2010 - 05:12 (Cisco Employee)

If they are the same security level, you would need to add the following:

same-security-traffic permit inter-interface

KeithN123 Thu, 04/08/2010 - 05:34

I have already applied this command, but I still see the same error?



thanks

Jennifer Halim Thu, 04/08/2010 - 22:33 (Cisco Employee)

Is your goal to perform NAT for communication between the two networks that have the same security level? Also, if you don't mind posting your config, that would help. Thanks.

KeithN123 Mon, 04/19/2010 - 02:35

Hi - I am unable to post the configuration, but would you be able to clarify the use of the checkbox "Enable traffic through the firewall without address translation"?

If I check this box, does that mean I no longer need to specify any network exemption, and only configure the real NATted addresses? Can I safely configure "no nat-control" and remove all EXEMPT configuration?


many thanks


Keith

Jennifer Halim Mon, 04/19/2010 - 03:13 (Cisco Employee)

The "no nat-control" will only work if you have no NAT statement at all configured (including the dynamic NAT). As soon as you have 1 NAT statement, the "no nat-control" will not take effect anymore, and you will still need to configure NAT exemption.

KeithN123 Mon, 04/19/2010 - 04:40

Many thanks for the reply.

So that means that even though I have only a few NAT statements (probably 15 or 20), I will have to configure every single EXEMPT host or network that exists, of which there are hundreds?


I have already configured the firewall this way but I was looking for way to tidy up the enormous amount of exempt rules.



regards


Keith

Correct Answer
Jennifer Halim Mon, 04/19/2010 - 04:48 (Cisco Employee)

Yes, absolutely correct. You can configure NAT exemption per network instead of per each host. If you have hosts which can be grouped into a subnet, configure it as network statements instead.
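The thread never shows what "the NAT exemption overlaps" (asked for in the first reply) actually looks like, nor how an overlapping exemption interacts with the static. On ASA 8.2 and earlier (the `static (real,mapped)` syntax used here) the lookup order is fixed: NAT exemption (`nat 0 access-list`) is consulted first and wins over a static for any flow it matches, so a host-to-host exemption for 192.168.1.2 silently defeats the static for that peer. The script below is an added example, not from the thread or from Cisco: it parses a small constructed 8.2-style configuration (the static line is the one from the thread; the interface names and the two security levels of 100 are from the thread; the ACL name `NONAT_UKSCMGMT`, the peer addresses 10.20.20.99, 10.20.20.50, 10.30.0.0/16 and 192.168.2.0/24, and the physical interface names are made up), walks that order for a given flow, and shows the per-network exemption form the accepted answer recommends, including a helper that merges host exemptions into exact covering prefixes without widening them.

```python
"""Model of the pre-8.3 ASA NAT lookup order for a single flow.

Added example, not the thread's config. Only the `static` line comes from
the thread; interface, ACL and peer names are hypothetical.
"""
import ipaddress

# Constructed ASA 8.2-style configuration (hypothetical except the static line).
CONFIG = """
interface GigabitEthernet0/1
 nameif UKSCMGMT
 security-level 100
interface GigabitEthernet0/2
 nameif management
 security-level 100
same-security-traffic permit inter-interface
nat-control
access-list NONAT_UKSCMGMT extended permit ip host 192.168.1.2 host 10.20.20.99
access-list NONAT_UKSCMGMT extended permit ip 192.168.2.0 255.255.255.0 10.30.0.0 255.255.0.0
nat (UKSCMGMT) 0 access-list NONAT_UKSCMGMT
static (UKSCMGMT,management) 10.20.20.20 192.168.1.2 netmask 255.255.255.255
"""


def _net(tokens):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Pull out the pieces the thread's diagnostic needs: security levels,
    same-security permit, nat-control, nat 0 exemptions and static rules."""
    cfg = {"levels": {}, "same_sec": False, "nat_control": False,
           "acls": {}, "exempt": [], "statics": []}
    nameif = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level":
            cfg["levels"][nameif] = int(tok[1])
        elif tok[:4] == ["same-security-traffic", "permit", "inter-interface"][:4] and len(tok) == 3:
            cfg["same_sec"] = True
        elif tok[0] == "nat-control":
            cfg["nat_control"] = True
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            cfg["acls"].setdefault(tok[1], []).append((_net(rest), _net(rest)))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["exempt"].append((tok[1].strip("()"), tok[4]))
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            mask = tok[tok.index("netmask") + 1]
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if,
                "mapped": ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False),
                "real": ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False)})
    return cfg


def lookup(cfg, ingress, egress, src, dst):
    """Return (rule_type, detail) for a packet entering `ingress` bound for
    `egress`, in pre-8.3 order: exemption on the ingress interface first,
    then static (source translated outbound, destination untranslated inbound).
    Only the forward direction of each rule is modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if cfg["levels"][ingress] == cfg["levels"][egress] and not cfg["same_sec"]:
        return ("denied", "same security level without same-security-traffic permit inter-interface")
    for iface, acl in cfg["exempt"]:          # 1. NAT exemption wins over everything
        if iface == ingress:
            for s_net, d_net in cfg["acls"][acl]:
                if src in s_net and dst in d_net:
                    return ("exempt", f"nat ({iface}) 0 access-list {acl}: {s_net} -> {d_net}")
    for st in cfg["statics"]:                  # 2. static NAT
        if st["real_if"] == ingress and st["mapped_if"] == egress and src in st["real"]:
            off = int(src) - int(st["real"].network_address)
            return ("static", f"source {src} -> {st['mapped'].network_address + off}")
        if st["mapped_if"] == ingress and st["real_if"] == egress and dst in st["mapped"]:
            off = int(dst) - int(st["mapped"].network_address)
            return ("static", f"destination {dst} -> {st['real'].network_address + off}")
    return ("none", f"no translation matched (nat-control {'on' if cfg['nat_control'] else 'off'})")


def collapse_exempt_hosts(hosts):
    """Merge per-host exemptions into the exact set of covering prefixes, so a
    per-network nat 0 ACE exempts the listed hosts and nothing more."""
    nets = [ipaddress.ip_network(h + "/32") for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for flow in [("UKSCMGMT", "management", "192.168.1.2", "10.20.20.99"),
                 ("UKSCMGMT", "management", "192.168.1.2", "10.20.20.50"),
                 ("management", "UKSCMGMT", "10.20.20.50", "10.20.20.20")]:
        print(flow, "->", lookup(cfg, *flow))
    print(collapse_exempt_hosts(["192.168.2.0", "192.168.2.1", "192.168.2.2", "192.168.2.3", "192.168.2.9"]))
```

The first flow (192.168.1.2 to 10.20.20.99) hits the host-to-host exemption and is never evaluated against the static, which is the overlap the first reply asked to check for; the same source to 10.20.20.50 falls through to the static and leaves as 10.20.20.20, and a management-side host reaching 10.20.20.20 is untranslated back to 192.168.1.2. `collapse_exempt_hosts` only merges aligned, adjacent hosts (four consecutive hosts become a /30 while a lone host stays a /32), so tidying hundreds of host entries into network statements does not accidentally exempt addresses that were never listed.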

KeithN123 Mon, 04/19/2010 - 05:32

Many thanks for your patience and assistance with this problem.

I have already configured network objects where possible, but unfortunately some are hosts.




regards


Keith
