static natting using virtual ip range on inside network

Answered Question
Aug 27th, 2010

ASA 5520

ver 8.2.2

I read that you can use a virtual IP range to do static NATs between the inside and outside network.

Can someone assist with a short config on how this is done?

inside:  192.168.195.201 /29

outside: 10.25.41.1 /27

virtual ip range:  192.168.191.160 /27

andhingr Fri, 08/27/2010 - 11:24

You can use regular static NAT to accomplish this:

static (inside,outside) <mapped-ip> <real-ip> netmask <mask>

However, since your outside interface is in a different IP range and outbound packets will use a source address from 192.168.191.x, your upstream should have a route pointing to the ASA outside interface as the next hop for return packets.

Hope this helps!

- AD

tsrader Fri, 08/27/2010 - 12:03

Is this a correct config?  Thanks for your reply.

outside host (10.25.41.4) needs to access inside host (192.168.195.204)

inside:  192.168.195.201 255.255.255.248

outside:  10.25.41.1 255.255.255.224

virtual ip range:  192.168.191.160 255.255.255.224

static (inside,outside) 192.168.191.164 192.168.195.204 netmask 255.255.255.255

access-list outside_in permit tcp host 192.168.195.204 10.25.41.4 netmask 255.255.255.255

static route on internal L3 router:

ip route 192.168.191.160 255.255.255.224 192.168.195.201

andhingr Fri, 08/27/2010 - 12:14

A couple of corrections:

change

access-list outside_in permit tcp host 192.168.195.204 10.25.41.4  netmask 255.255.255.255

to

access-list outside_in permit tcp host 10.25.41.4 host 192.168.195.204

static route on internal L3 router:

ip route 192.168.191.160 255.255.255.224 192.168.195.201

to

ip route 192.168.191.160 255.255.255.224 10.25.41.1

tsrader Fri, 08/27/2010 - 16:18

Thanks Anil, but unfortunately it didn't work. I've provided clarification and a partial config.

Can anyone tell me what I'm doing wrong and provide configuration guidance?

---------------------------------------------------------------

The inside network consists of multiple networks:

192.168.191.0
192.168.192.0
192.168.193.0
192.168.194.0
etc.

- Host on outside network (10.25.41.10) wants to access host on inside network (192.168.194.10) via RDP (tcp/3389)
- Host on inside network (192.168.193.25) wants to access host on outside network (10.25.41.20) via VNC (tcp/5900)


As the IP range created for the inside interface is VERY small (6 hosts), I'm forced to use a routable IP address range from the inside network to permit more than 6 hosts. 192.168.191.160 /27 will be used to create static NATs.

fw inside:  192.168.195.220 /29
fw outside:  10.25.41.1 /27
virtual range:  192.168.191.161 - .190 /27


I'm confused on how to create the static nat using the virtual ip range.


-----------------------------

ASA Version 8.2(2)
!
interface GigabitEthernet0/0.515
nameif outside
security-level 0
ip address 10.25.41.1 255.255.255.224
!
interface GigabitEthernet0/1.533
nameif inside
security-level 100
ip address 192.168.195.220 255.255.255.248
!

--------------  access-list to permit outside to inside host access  --------------

access-list outside_access_in extended permit tcp host 10.25.41.4 host 192.168.194.10 eq 3389
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

--------------  create static nat --------------
static (inside,outside) 10.25.41.4 192.168.191.164 netmask 255.255.255.255
--------------------------------------------------------------------------
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

route inside 192.168.0.0 255.255.0.0 192.168.195.217 1        <<<<   directly connected to L3 switch running HSRP

Note that ASA is connected to L3 switch and it has the following static route:

ip route 192.168.191.160 255.255.255.224 192.168.195.220

andhingr Fri, 08/27/2010 - 16:49

I'm not sure if I understood your problem description correctly. Now, after getting your config, I understand your topology is

outside (10.25.41 network)--------------10.25.41.1--ASA--inside (192.168.195.220)--------L3switch range (192.168.191.0-192.168.194.0)

with the static configured as below:

static (inside,outside) 10.25.41.4 192.168.191.164 netmask 255.255.255.255

Are you trying to access 10.25.41.4 from an outside host, so that when the packet reaches the ASA it gets translated to 192.168.191.164? If this is correct, then you should change your outside access-list from

access-list outside_access_in extended permit tcp host 10.25.41.4 host 192.168.194.10 eq 3389

to

access-list outside_access_in extended permit tcp host 10.25.41.4 eq 3389

You should also change your static route on the L3 switch

from

ip route 192.168.191.160 255.255.255.224 192.168.195.220

to

ip route 10.25.41.0 255.255.255.0 192.168.195.220

tsrader Fri, 08/27/2010 - 17:25

Thanks again Anil.

In our network configuration, the outside network is 10.25.41.x. The inside network does NOT route ANY 10.x.x.x address whatsoever; that is why I have the ip route statement on the L3 switch as it is.

In order for the inside network to send the 192.168.191.160 traffic back to the ASA, it is my thinking that the L3 switch just needs to send it to the next hop, which is the inside interface of the firewall. Am I correct?

In my case, the outside host (10.25.41.4) is trying to access 192.168.193.x host via RDP.

Thanks again for your help and I await your response.

Correct Answer
andhingr Fri, 08/27/2010 - 17:33

Please add the following to your network in addition to the changes (except the routing statement) I suggested in my previous response:

nat (outside) 1 10.25.41.0 255.255.255.224 outside

global (inside) 1 interface

With the above configuration, when the 10.25.41 network is trying to access your inside network, the ASA will translate the source address to the inside interface of the ASA when sending the traffic to the inside network.
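To see why the outside-to-inside `nat`/`global` pair is needed on top of the static, here is a small simulation of the two translations and of the inside L3 switch's route lookup on the reply. This is example code added to the thread, not anything from Cisco or from the posters' configs; the pairing of virtual IP 192.168.191.164 with real host 192.168.194.10, the outside host 10.25.41.10 and the L3 switch's route table are constructed from the thread and are assumptions.

```python
import ipaddress

# Addresses taken from the thread: ASA inside interface and the outside subnet.
INSIDE_IF_IP = "192.168.195.220"
OUTSIDE_NET = ipaddress.ip_network("10.25.41.0/27")

# static (inside,outside) <mapped> <real> netmask 255.255.255.255
# mapped = virtual-range address seen from the outside, real = inside host.
# The 192.168.191.164 -> 192.168.194.10 pairing is assumed; the thread never states it.
STATICS = {"192.168.191.164": "192.168.194.10"}

# Constructed view of the inside L3 switch: virtual range points at the ASA,
# the ASA's subnet is directly connected, and there is no 10.x route at all.
L3_ROUTES = {"192.168.191.160/27": "192.168.195.220", "192.168.195.216/29": "connected"}


def translate_outside_to_inside(src, dst, outside_nat):
    """Return (src, dst) as the inside sees an outside->inside packet, or None if dropped.

    outside_nat=True models 'nat (outside) 1 10.25.41.0 255.255.255.224 outside'
    paired with 'global (inside) 1 interface': outside sources are hidden behind
    the ASA inside interface address.
    """
    if dst not in STATICS:
        return None                      # no static for that virtual IP: ASA drops it
    new_src = src
    if outside_nat and ipaddress.ip_address(src) in OUTSIDE_NET:
        new_src = INSIDE_IF_IP
    return new_src, STATICS[dst]


def l3_next_hop(dst, routes=L3_ROUTES):
    """Longest-prefix lookup on the inside L3 switch; None means the reply is unroutable."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def reply_reaches_asa(outside_src, virtual_dst, outside_nat):
    """Can the inside host's reply to this flow be routed back toward the ASA?"""
    seen = translate_outside_to_inside(outside_src, virtual_dst, outside_nat)
    return seen is not None and l3_next_hop(seen[0]) is not None


if __name__ == "__main__":
    for flag in (False, True):
        print("outside nat", flag, "->", reply_reaches_asa("10.25.41.10", "192.168.191.164", flag))
```

With only the static, the inside host replies to 10.25.41.10 and the L3 switch has nowhere to send it; with the outside `nat`/`global` pair the reply goes to 192.168.195.220, which the switch reaches directly.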
