Policy NAT / Conditional NAT

Unanswered Question
Aug 17th, 2010
User Badges:

Hi Guys,

            I need your help in getting a resolution to the Natting problem mentioned below.


            I have a 10.x.x.x network in place(site A). Another partner who also houses a 10.x.x.x subnet(site B) needs to access a particular server within Site A.


1. Site B has a group of 6 servers which need to communicate with the server in Site A.


2. The 6 servers at site B would be statically natted and the requests from Site B -> Site A will be unidirectional in nature. The public ip at Site A would also be Natted to permit these 6 ip's.


3. The server housed in Site A caters to requests both from Site B as well as from other sites via the same public ip.


4. A simple straightforward static nat causes every request coming to the public ip to get natted.


     static (inside,outside) public_ip Server_ip netmask 255.255.255.255


5. To solve this a policy / conditional NAT has been configured as follows...


NOTE: PUBLIC_IP = public ip pointing to the Site A server; SITE_B_CLUSTER=6 servers at Site B



     access-list outside-incoming extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

     access-list conditional-nat extended permit tcp object-group SITE_B-CLUSTER host PUBLIC_IP object-group TCP-PORTS

    static (inside,outside) PUBLIC_IP access-list conditional-nat


6. Now when i am configuring this i am encountering the following errors...

      • Protocol mismatch between the static and access-list - Solved this by making my conditional-nat acl into ip based.
      • access-list used in static has different local addresses



    I am not able to solve the 2nd error. Could someone please help?

    I would also like to know what are my alternatives if i have to maintain the conditonal-nat access-list at a tcp based ACL?


I would also like some material which i could read on policy Nat & Nat Basics.




                     Thanking You,


Regards,

Uzair Syed Naveed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
praprama Tue, 08/17/2010 - 07:08
User Badges:
  • Cisco Employee,

Hi,


Please refer to the below document for information about configuring Static policy NAT:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1074755


For information about Policy NAT in general (dynamic and static), refer to the below page:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419


The error message you are seeing is because the way you are configuring Static policy NAT is incorrect. The ACL "outside-inside" is alright but the access list being used for the NAT, that is, "conditional-nat" is configured the reverse of the way it should be.


Basically, you will need an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). Once you have such an ACL ready, create the static with this ACL and the PUBLIC_IP as the translated IP.


I hope this information helps.


All the best!!


Thanks and Regards,

Prapanch

uzair syed naveed Tue, 08/17/2010 - 09:42
User Badges:

Hello Prapanch,

                        Thank you for your response. This clarifies things quite a bit. i do have a doubt here...


                          If i have an ACL specifying IP traffic from the SIte A server's real IP (in the 10.x.x.x) range destined to the Site B server's IP addresses (SITE_B_CLUSTER). then how would that help, and why would it be required logically?


                          I mean, the requests are only unidirectional from site b -> site A and the reason we are applying the acl  is to implement the condition that, only specific requests from the SITE_B_CLUSTER get translated to SITE_A_public ip.



ohh and before i forget...


THANK YOU for all your help.

you have been a big help. Ill be implementing this tomorrow morning. Ill get back in case i do have some problem here.



Regards,

Uzair Syed Naveed

praprama Tue, 08/17/2010 - 17:59
User Badges:
  • Cisco Employee,

Hi Uzair,



Well, frankly speaking, the fact is that this is the way we are supposed ot configure Policy NAT on the ASA. This is how it works practically:


static (inside,outside) PUBLIC_IP access-list conditional-nat


access-list condition-nat permit ip host SITEA-SERVER object-group SITEB_SERVERS


Now when the ASA sees a request coming in on the "outside" interface for the PUBLIC_IP and it is sourced from the one of the IP addresses in the "object-group SITEB_SERVERS", then ASA will match this against this Static policy NAT that we have configured and will untranslate the PUBLIC_IP to the real ip of the server SITEA_SERVER and route the traffic out the "inside" interface.


Now if the ASA receives a request on the "outside" interface for the PUBLIC_IP but the packet's source IP is not in the object-group SITEB_SERVERS, then the ASA will not match this packet against this STatic NAT and will try to match it against the rest of the config that we have on the ASA.


Hope this makes things clear. Let me know if there are any gray areas


Regards,
Prapanch

Jitendriya Athavale Tue, 08/17/2010 - 07:46
User Badges:
  • Cisco Employee,

uzair,


firstly let me start with the erro message


the second error message you are concerned about, you are getting this because what you are telling the firewall that the local ip address are on your inside and they all need to statically translated to one public ip. as you can see this does not make much sense


secondly as prapanch pointed out you have the static wrongly configured as this gives the firewall a feeling that the local hots are on your inside



lastly, i do not understand why you are concerned about using

static (inside,outside) public_ip Server_ip netmask 255.255.255.255



please note this is destination nat, which mean the destination ip is translated. this does not mean that the source ip of all the hosts from internet is translated



i hope this clears your doubt

Actions

This Discussion

Related Content