06-14-2014 08:51 AM - edited 03-11-2019 09:19 PM
We have an ASA 8.3 in multiple-context mode running without any NAT statements. Now we have a requirement to enable NAT for one of the new subnets, both source as well as destination NAT. If we enable NAT for that subnet and IP address, will that affect the other subnets?
We need to source NAT (to the interface) the subnet 192.168.22.0 255.255.255.0
and static NAT 10.20.10.20.
If we enable the NAT above, will it affect the other subnets, i.e. will this NAT configuration have any effect on other subnets?
interface GigabitEthernet3/3
 nameif test1
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
interface GigabitEthernet3/2
 nameif test2
 security-level 90
 ip address 192.168.10.10 255.255.255.0 standby 192.168.10.11
hostname(config)# object network Server
hostname(config-network-object)# host 10.20.10.20
hostname(config-network-object)# nat (test1,test2) static 192.168.10.20
hostname(config)# object network MF-NET
hostname(config-network-object)# subnet 192.168.22.0 255.255.255.0
hostname(config-network-object)# nat (test2,test1) dynamic interface
Routes:
10.0.0.0 255.0.0.0 ---> 10.10.10.100
192.168.22.0 255.255.255.0 ---> 192.168.10.100
06-14-2014 11:38 AM
If you're changing the policy for a set of networks, I'm not sure why you wouldn't want to make sure all traffic moves over to it; but...
Active connections that would otherwise hit the new NAT rules will remain active until they either time out or are terminated normally (i.e. a TCP FIN tears down the connection).
New connections will of course hit the NAT rules, and the addresses will be translated accordingly.
Normally when we change the NAT configuration, we do a "clear xlate" and "clear conn" to make sure all traffic, both previously existing and new, uses the new rules.
06-21-2014 01:49 AM
Hi,
Doing a NAT will not affect other subnets.... but you need to understand your requirement: why you need to do NAT and for what purpose.... In your statement,
host 10.20.10.20, which belongs to the LAN of test2, will get translated to 192.168.10.20 when it goes from test2 to test1.
The source subnet 192.168.22.0 on the test2 interface will get PATed to the test1 interface when it hits the FW from test2 to test1....
If you describe your exact requirement, we will help you better on this....
HTH
Regards
Karthik
06-23-2014 01:51 AM
We have one IP address (a server) in one of the locations which is several hops behind interface test1 and is reachable only from this firewall through interface test1.
I wanted to static NAT the server's IP because we cannot advertise the server network in the network where the users are. Hence I wanted to static NAT the server IP address to one of the free IP addresses of the interface range.
The users' subnet, which is several hops behind interface test2, needs to access the above server. The user subnet route is not available at the server end, hence I wanted to hide NAT it to the firewall interface IP address.
We don't have a free IP address in the test1 interface range, hence I wanted to hide NAT the user subnet.
My question is: if I do this configuration, will that affect the other subnets' traffic? Will they fail due to this NAT?
Please guide me.
06-23-2014 04:21 AM
Hi Sind,
So you want to static NAT the server, say 10.20.10.20, to a 10.10.10.x IP, and you want to do hide NAT for the user LAN 192.168.22.0 to the interface (192.168.10.10).... is this what you are looking for??? If so, then
object network server1
 host 10.20.10.20
 nat (test2,test1) static 10.10.10.10
object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test1,test2) dynamic interface
Also you should have this permitted in the ACL of the respective interfaces as well.
Or do you want to static NAT 10.20.10.20 with a 192.168.x.x IP for accessing it from the test2 end-user LAN??
object network server1
 host 10.20.10.20
 nat (test1,test2) static 192.168.x.x
object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test2,test1) dynamic interface
Also you should have this permitted in the ACL of the respective interfaces as well.
For both scenarios you should have the proper routes pointed to the firewall.
HTH
Regards
Karthik
06-23-2014 04:21 AM
Thanks,
I wanted to do the second scenario. I just wanted to know: if I enable the hide NAT for this one subnet, will traffic for other subnets fail due to NAT?
06-23-2014 04:31 AM
Hi Sind,
Here you are making changes only to the specific source subnet or the server. Your NAT/PAT statement also specifies the interface names; it is not meant for all the traffic that passes through them. All I suggest is that you try from a single source before you do it for the entire subnet, say 192.168.22.10, and test it.
Note: the 192.168.x.x subnet which is used for the servers' NAT should be routed to the FW properly, and you need to have ACLs allowing those requirements as well, for both interfaces.
object network server1
 host 10.20.10.20
 nat (test1,test2) static 192.168.x.x
object network usersLAN
 subnet 192.168.22.0 255.255.255.0
 nat (test2,test1) dynamic interface
HTH
Regards
Karthik
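The thread's second scenario, put together as one complete ASA 8.3+ object NAT configuration with the ACL and the verification steps a practitioner would run during the change window. This is an added example, not configuration posted by anyone in the thread: the interface names, addresses and next hops are taken from the original post, while the ACL name test2_in, the service ports 443 and 22 and the test hosts 192.168.22.10, 192.168.10.50 and 10.30.0.5 are assumptions for illustration.

```cisco
! Added example (not from the thread). In multiple-context mode this belongs in
! the context that owns these interfaces, not in the system execution space.
!
interface GigabitEthernet3/3
 nameif test1
 security-level 100
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
!
interface GigabitEthernet3/2
 nameif test2
 security-level 90
 ip address 192.168.10.10 255.255.255.0 standby 192.168.10.11
!
! Routes as in the original post: the real server is several hops behind test1,
! the user subnet several hops behind test2.
route test1 10.0.0.0 255.0.0.0 10.10.10.100
route test2 192.168.22.0 255.255.255.0 192.168.10.100
!
! Static NAT: real 10.20.10.20 (reached via test1) appears as 192.168.10.20 on
! the test2 side. The mapped address must be a free address in test2's connected
! subnet; the ASA answers ARP for it (proxy ARP is on by default for object NAT).
object network Server
 host 10.20.10.20
 nat (test1,test2) static 192.168.10.20
!
! Dynamic PAT: 192.168.22.0/24 (reached via test2) is hidden behind test1's own
! address 10.10.10.10 when it crosses to test1. The rule matches only packets
! whose source is inside this object and that enter on test2 and leave on test1;
! every other source keeps its real address, so other subnets are untouched.
object network MF-NET
 subnet 192.168.22.0 255.255.255.0
 nat (test2,test1) dynamic interface
!
! test2 (level 90) to test1 (level 100) is lower-to-higher, so an inbound ACL on
! test2 is required. From 8.3 onward the ACL references real (untranslated)
! addresses, i.e. the objects above, not 192.168.10.20. Ports are assumptions.
access-list test2_in extended permit tcp object MF-NET object Server eq 443
access-list test2_in extended permit tcp object MF-NET object Server eq 22
access-group test2_in in interface test2
!
! Verification. The first trace should show a NAT phase translating
! 192.168.22.10 -> 10.10.10.10 (PAT) and 192.168.10.20 -> 10.20.10.20
! (un-NAT), then ALLOW out of test1.
show nat detail
packet-tracer input test2 tcp 192.168.22.10 40000 192.168.10.20 443
!
! A source outside 192.168.22.0/24 going to some other host behind test1 must
! show no source translation; if it is dropped, the reason is acl-drop from
! test2_in, not NAT. Test hosts are assumptions.
packet-tracer input test2 tcp 192.168.10.50 40000 10.30.0.5 443
!
! Connections that existed before the change keep their old state until they
! close or time out. To force all traffic onto the new rules (this drops every
! current connection through the context, so do it in a window):
clear xlate
clear conn
show xlate
```

The two packet-tracer runs answer the thread's actual question directly: the first proves the new rules translate the intended subnet and server, the second proves an unrelated source on test2 is neither translated nor blocked by the NAT rules themselves. If the second trace is dropped, the drop comes from the interface ACL, which is a separate policy decision from NAT.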