Static NAT through ASA

Answered Question
Apr 8th, 2010

I have configured a static NAT through my ASA, which for some

reason does not work - I believe the problem is with the NAT or

der rather than the rule itself but I would be most grateful if someone

could assist me in diagnosing the problem.

from command line the rule is ::-

static (UKSCMGMT,management) 10.20.20.20 192.168.1.2 netmask 255.255.255.255

my theory is that anything with a destination address of 10.20.20.20 would be seen as 192.168.1.2 on teh UKSCMGMT interface.

looking at ASDM the rule looks like this

Type          Source          Destination               interface          trans address

Static     192.168.1.2          blank                   management     10.20.20.20

there are some EXEMPT rules relating to 192.168.1.2 - but they are host to host and should not affect the static translation.

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 9 months ago

Yes, absolutely correct. You can configure NAT exemption per network instead of per each host. If you have hosts which can be grouped into a subnet, configure it as network statements instead.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Thu, 04/08/2010 - 03:42

Please share the following configuration:

sh run interface --> would like to see the security level

sh run static --> depending on the security level above, need to check the current static statement

sh run nat --> also need to check if the NAT exemption overlaps.

KeithN123 Thu, 04/08/2010 - 05:09

both interfaces have a security level of 100

the show run static command gives the following =

static (UKSCMGMT,management) LS-NAT-P-NAG02 ls-mpd-p-nag02 netmask 255.255.255.255

I have now removed all the Exempt statements and ticked the "Enable traffic through the firewall without translation" box

attached is a packet trace of the rule

Thanks you for taking the time to look at this problem.

Jennifer Halim Thu, 04/08/2010 - 05:12

If they are the same security level, you would need to add the following:

same-security-traffic permit inter-interface

KeithN123 Thu, 04/08/2010 - 05:34

I have already apllied this command - but I still see the same error ?

thanks

Jennifer Halim Thu, 04/08/2010 - 22:33

Is your goal to perform NAT for communication between the 2 networks that has the same security level? Also, if you don't mind posting your config that would help. Thanks.

KeithN123 Mon, 04/19/2010 - 02:35

Hi - I am unable to post the configuration - but would you be able to clarify the use of the checkbox

"Enable traffice throught the firewall without address translation"   - 

If I check this box.  Does that mean I no longer need to specifiy any network exemption

, and only configure the real NATted addresses?   Can I safely configure "no nat-control" and remove all EXEMPT configuration ?

many thanks

Keith

Jennifer Halim Mon, 04/19/2010 - 03:13

The "no nat-control" will only work if you have no NAT statement at all configured (including the dynamic NAT). As soon as you have 1 NAT statement, the "no nat-control" will not take effect anymore, and you will still need to configure NAT exemption.

KeithN123 Mon, 04/19/2010 - 04:40

many thanks fior the reply.

So that means that even though I have only

a few NAT statements (probably 15 or 20) I will have to configure every single

EXEMPT host or network that exists - of which there are hundreds ?

I have already configured the firewall this way but I was looking for way to tidy up the enormous amount of exempt rules.

regards

Keith

Correct Answer
Jennifer Halim Mon, 04/19/2010 - 04:48

Yes, absolutely correct. You can configure NAT exemption per network instead of per each host. If you have hosts which can be grouped into a subnet, configure it as network statements instead.

KeithN123 Mon, 04/19/2010 - 05:32

Many thanks for your patience and assistance with this problem.

  I have already configured network objects where possible but unfortunately some are hosts.

regards

Keith

Actions

This Discussion