Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 8.3, Nating in both directions.

Hi All,

I am trying to configure an ASA ver 8.3 so that I have incoming traffic to one of our public addresses nat'd to an internal webserver and then the webserver nat back out, so a nice easy two way conversation using static NAT.

However its not working. I have put wireshark on the internal webserver to check that traffic is coming in from the internal address of the ASA and that was fine, however the output of wireshark indicates that the traffic is coming from the external source website rather than the internal LAN address of the ASA so I am assuming that our webserver when trying to access the external address is failing on the routing. We do not have a default route on our core switches pointing everything to the outside world and previous we have NAT'd using a Linux box which didnt have a problem.

What am I doing wrong to prevent the internal address of our ASA being propergated through to the webserver. Unfortunately I cannt paste any of the running config as this is a live system and when I do the changes and they fail someone else has the turn the old Linux box back on.

Any help apreciated.

C.

  • Firewalling
2 ACCEPTED SOLUTIONS

Accepted Solutions
Bronze

ASA 8.3, Nating in both directions.

Hello,

It is kind of hard without the configuration but the NAT should look like:

nat (outside,inisde) source dynamic any interface destination static external_IP internal_IP

Not sure if you use the ports as well.

You can run a packet tracer to confirm it is using the correct NAT rule:

packet in outside tcp 8.8.8.8 1025 external_IP 80

Regards,

Felipe.

Remember to rate useful posts.

Super Bronze

ASA 8.3, Nating in both directions.

Hi,

So you are trying to do Dynamic PAT for all incoming traffic towards one of your Servers which has a Static NAT to a public IP address?

Basically the format of the configuration would be

object network PUBLIC

host

object network LOCAL

host

nat (outside,inside) source dynamic any interface destination static PUBLIC LOCAL

With this configuration the traffic destined to "PUBLIC" should match this NAT rule and untranslate the destination to "LOCAL" while at the same time translating the source to "interface" (inside).

Naturally where ever the server is located in the LAN Network it must have route for the connected network on the ASAs "inside" interface which usually already exists without any additions

You should be able to simulate a packet coming for a connection that is supposed to match this NAT rule by using the "packet-tracer" command

For example

packet-tracer input outside tcp 1.1.1.1 12345

- Jouni

4 REPLIES
Bronze

ASA 8.3, Nating in both directions.

Hello,

It is kind of hard without the configuration but the NAT should look like:

nat (outside,inisde) source dynamic any interface destination static external_IP internal_IP

Not sure if you use the ports as well.

You can run a packet tracer to confirm it is using the correct NAT rule:

packet in outside tcp 8.8.8.8 1025 external_IP 80

Regards,

Felipe.

Remember to rate useful posts.

New Member

ASA 8.3, Nating in both directions.

Hi Felipe,

ok lets say my internal webserver is x.x.x.x and I want the external address of y.y.y.y

So config would be something like

      object network MyWebServer

        host x.x.x.x

        nat (outside,inside) source dynamic any interface destination static y.y.y.y x.x.x.x (or event he host name instead of x.x.x.x)

Super Bronze

ASA 8.3, Nating in both directions.

Hi,

So you are trying to do Dynamic PAT for all incoming traffic towards one of your Servers which has a Static NAT to a public IP address?

Basically the format of the configuration would be

object network PUBLIC

host

object network LOCAL

host

nat (outside,inside) source dynamic any interface destination static PUBLIC LOCAL

With this configuration the traffic destined to "PUBLIC" should match this NAT rule and untranslate the destination to "LOCAL" while at the same time translating the source to "interface" (inside).

Naturally where ever the server is located in the LAN Network it must have route for the connected network on the ASAs "inside" interface which usually already exists without any additions

You should be able to simulate a packet coming for a connection that is supposed to match this NAT rule by using the "packet-tracer" command

For example

packet-tracer input outside tcp 1.1.1.1 12345

- Jouni

New Member

ASA 8.3, Nating in both directions.

Thank you very much, that is working good, I added the service too.

304
Views
0
Helpful
4
Replies
This widget could not be displayed.