hide NAT & static NAT on ASA 8.3

Unanswered Question
Jun 14th, 2014

We have ASA 8.3 with multi context running without any NAT statements; however now we have a requirement for enabling NAT for one of the new subnets, both source as well as destination NAT. If we enable NAT for that subnet & IP address, will that affect other subnets?

we need to source NAT (interface) for subnet 192.168.22.0 255.255.255.0
and static NAT for 10.20.10.20

If we enable the above NAT, will it affect the other subnets, i.e. will this NAT configuration have any effect on other subnets?

interface GigabitEthernet3/3
 nameif test1
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11

interface GigabitEthernet3/2
 nameif test2
 security-level 90
 ip address 192.168.10.10 255.255.255.0 standby 192.168.10.11

hostname(config)# object network Server
hostname(config-network-object)# host 10.20.10.20
hostname(config-network-object)# nat (test1,test2) static 192.168.10.20

hostname(config)# object network MF-NET
hostname(config-network-object)# subnet 192.168.22.0 255.255.255.0
hostname(config-network-object)# nat (test2,test1) dynamic interface

route

10.0.0.0 255.0.0.0 ---> 10.10.10.100
192.168.22.0 255.255.255.0 --> 192.168.10.100

Marvin Rhoads Sat, 06/14/2014 - 11:38

If you're changing the policy for a set of networks, I'm not sure why you wouldn't want to make sure all traffic moves over to it; but...

Active connections that would otherwise hit the new NAT rules will remain active until they either time out or are terminated normally (i.e. a TCP FIN tears down the connection).

New connections will of course hit the NAT rules and the addresses will be translated accordingly.

Normally when we change NAT configuration, we do a "clear xlate" and "clear conn" to make sure all traffic - both previously existing and new - uses the new rules.

nkarthikeyan Sat, 06/21/2014 - 01:49

Hi,

Doing a NAT will not affect other subnets.... but you need to understand your requirement. Why you need to do NAT and for what purpose.... In your statement:

host 10.20.10.20, which belongs to the LAN of test2, will get translated to 192.168.10.20 when it goes from test2 to test1.

The source subnet 192.168.22.0 on the test2 interface will get PATed to the test1 interface when it hits the FW from test2 to test1....

If you describe your exact requirement we will help you better on this....

HTH

Regards

Karthik

sindbandgi Mon, 06/23/2014 - 01:51

We have one IP address (server) in one of the locations which is several hops behind interface test1 and can be reachable only from this firewall through interface test1.

I wanted to static NAT the server's IP because we cannot advertise the server network in the network where the users are; hence I wanted to static NAT the server IP address to one of the free IP addresses of the interface range.

The users' subnet, which is several hops behind the interface test2, needs to access the above server. The user subnet route is not available at the server end, hence I wanted to hide NAT to the firewall interface IP address.
We don't have a free IP address in the test1 interface range, hence I wanted to hide NAT the user subnet.

My question is: if I do this configuration, will that affect the other subnet traffic, will they fail due to this NAT?

please guide me.

nkarthikeyan Mon, 06/23/2014 - 04:36

Hi Sind,

So you want to static NAT the server, say 10.20.10.20, to a 10.10.10.x IP, and you want to do hide NAT for user LAN 192.168.22.0 to the interface (192.168.10.10).... is this what you are looking for??? If so then:

object network server1
 host 10.20.10.20
 nat (test2,test1) static 10.10.10.10

object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test1,test2) dynamic interface

Also you should have this permitted in the ACL of the respective interfaces as well.

Or do you want to static NAT 10.20.10.20 with a 192.168.x.x IP for accessing it from the test2 end users' LAN??

object network server1
 host 10.20.10.20
 nat (test1,test2) static 192.168.x.x

object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test2,test1) dynamic interface

Also you should have this permitted in the ACL of the respective interfaces as well.

For both scenarios you should have the proper routes pointed to the firewall.

HTH

Regards

Karthik

sindbandgi Mon, 06/23/2014 - 04:21

Thanks,

I wanted to do the second scenario. I just wanted to know: if I enable the hide NAT for this one subnet, will traffic for other subnets fail due to NAT?

nkarthikeyan Mon, 06/23/2014 - 04:31

Hi Sind,

Here you are making changes only to the specific source subnet or the server. Your NAT/PAT statement also says between which interface names it applies; it is not meant for all the traffic that passes through them. All I suggest is you can try from a single source before you do it for the entire subnet... say 192.168.22.10, and test it.

Note: the 192.168.x.x address which is getting used for NAT for the server should be routed to the FW properly, and you need to have ACLs allowing those requirements as well for both the interfaces.

object network server1
 host 10.20.10.20
 nat (test1,test2) static 192.168.x.x

object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test2,test1) dynamic interface

HTH

Regards

Karthik
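As an added illustration (not code from the thread), the following Python models how ASA 8.3 object NAT matching works for the two rules in the question: a rule fires only for a flow between its own interface pair whose address is in the object, so every other subnet passes untranslated. The interface addresses are assumed from the interface configuration posted in the question.

```python
import ipaddress

# Constructed model of the two object NAT rules from the question, as
# (real_ifc, mapped_ifc, real_network, mode, mapped). Interface addresses
# are assumed from the interface configuration in the question.
IFACE_IP = {"test1": "10.10.10.10", "test2": "192.168.10.10"}

RULES = [
    # object network Server: host 10.20.10.20, nat (test1,test2) static 192.168.10.20
    {"real_ifc": "test1", "mapped_ifc": "test2", "mode": "static",
     "real": ipaddress.ip_network("10.20.10.20/32"), "mapped": "192.168.10.20"},
    # object network MF-NET: subnet 192.168.22.0/24, nat (test2,test1) dynamic interface
    {"real_ifc": "test2", "mapped_ifc": "test1", "mode": "dynamic",
     "real": ipaddress.ip_network("192.168.22.0/24"), "mapped": "interface"},
]


def translate(src, dst, ingress, egress, rules=RULES):
    """Return (src, dst) as seen on the egress interface for a flow that
    enters on `ingress`. A rule applies only when the flow's interface pair
    matches the rule's (real,mapped) pair and the address is in the object;
    every other flow is forwarded untranslated."""
    new_src, new_dst = src, dst
    for r in rules:
        # Forward direction: the real host/subnet is the source of the flow.
        if (ingress, egress) == (r["real_ifc"], r["mapped_ifc"]) \
                and ipaddress.ip_address(src) in r["real"]:
            new_src = IFACE_IP[egress] if r["mapped"] == "interface" else r["mapped"]
        # Reverse direction: only static NAT is bidirectional, so only a
        # static rule rewrites the mapped address back to the real host.
        if r["mode"] == "static" and (ingress, egress) == (r["mapped_ifc"], r["real_ifc"]) \
                and dst == r["mapped"]:
            new_dst = str(r["real"].network_address)
    return new_src, new_dst


if __name__ == "__main__":
    # A user on the NATed subnet reaching the server via its mapped address:
    # the source is PATed to the test1 interface, the destination is un-NATed.
    print(translate("192.168.22.5", "192.168.10.20", "test2", "test1"))
    # A host on a different subnet behind test2 is untouched by both rules.
    print(translate("192.168.30.5", "10.0.0.5", "test2", "test1"))
```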
