Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
0
Helpful
6
Replies

Cisco ASA 8.3+ NAT Based on Internet Source IPs

Go to solution
shanemolloy
Level 1
Level 1

‎02-03-2014 05:32 AM - edited ‎03-11-2019 08:39 PM

Hi,

I don't think this is possible but want a second opinion on it.

The scenario is two Internal LAN/Inside servers with a private IP each.

One Public IP on the Outside Interface.

The customer wants to use one URL that resolves to the Public IP on 443 and then will NAT down to each Internal LAN server based on the source Public IPs of the users on the Internet.

One NAT statement would define a list of Internet public IPs and the second NAT statement would be for all other IPs.

The reason for this is one Citrix Virtualserver has single authentication and the other has dual authentication.

The workaround for this would use seperate ports on the second server which is what I see as the main alternative.

Thanks for your help.

Shane

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-03-2014 05:41 AM

Hi,

I think I have configured this once or twice when asked here on the CSC. The connection tests worked then atleast when I tested on a live network through Internet with 2 different source IP addresses.

Even though the NAT configuration will overlap slightly and I think the ASA might even warn about it on the CLI it still seemed to work. I am not sure if there is any long term problems with such setup.

The configuration might look like this

object network SERVER-1

host 10.10.10.1

object network SERVER-2

host 10.10.10.2

object service HTTPS

service tcp source eq 443

object-group network SERVER-1-SOURCE

network-object 1.1.1.0 255.255.255.0

network-object 2.2.2.0 255.255.255.0

object-group network SERVER-2-SOURCE

network-object 0.0.0.0 128.0.0.0

network-object 128.0.0.0 128.0.0.0

nat (inside,outside) source static SERVER-1 interface destination static SERVER-1-SOURCE SERVER-1-SOURCE service HTTPS HTTPS

nat (inside,outside) source static SERVER-2 interface destination static SERVER-2-SOURCE SERVER-2-SOURCE service HTTPS HTTPS

You might wonder about the second "object-group" used. Its supposed to catch all the possible IPv4 source addresses. In the past I have had problem for this to work if I simply used 0.0.0.0/0 and so split it in two and then it seemed to match the traffic correctly.

Hope this helps

- Jouni

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marius Gunnerud
VIP
VIP

‎02-03-2014 05:40 AM

This is not possible using the ASA.  You would either need to have a loadbalancer type device between the ASA and the servers, or as you mentioned use different ports.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-03-2014 05:41 AM

Hi,

I think I have configured this once or twice when asked here on the CSC. The connection tests worked then atleast when I tested on a live network through Internet with 2 different source IP addresses.

Even though the NAT configuration will overlap slightly and I think the ASA might even warn about it on the CLI it still seemed to work. I am not sure if there is any long term problems with such setup.

The configuration might look like this

object network SERVER-1

host 10.10.10.1

object network SERVER-2

host 10.10.10.2

object service HTTPS

service tcp source eq 443

object-group network SERVER-1-SOURCE

network-object 1.1.1.0 255.255.255.0

network-object 2.2.2.0 255.255.255.0

object-group network SERVER-2-SOURCE

network-object 0.0.0.0 128.0.0.0

network-object 128.0.0.0 128.0.0.0

nat (inside,outside) source static SERVER-1 interface destination static SERVER-1-SOURCE SERVER-1-SOURCE service HTTPS HTTPS

nat (inside,outside) source static SERVER-2 interface destination static SERVER-2-SOURCE SERVER-2-SOURCE service HTTPS HTTPS

You might wonder about the second "object-group" used. Its supposed to catch all the possible IPv4 source addresses. In the past I have had problem for this to work if I simply used 0.0.0.0/0 and so split it in two and then it seemed to match the traffic correctly.

Hope this helps

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎02-03-2014 05:46 AM

Some example outputs from "packet-tracer" with the above configuration

SERVER-1

ASA(config)# packet-tracer input WAN tcp 2.2.2.2 12345 443

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER-1 interface destination static SERVER-1-SOURCE SERVER-1-SOURCE service HTTPS HTTPS

Additional Information:

NAT divert to egress interface LAN

Untranslate /443 to 10.10.10.1/443

SERVER-2

ASA(config)# packet-tracer input WAN tcp 8.8.8.8 12345 my public ip> 443

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER-2 interface destination static SERVER-2-SOURCE SERVER-2-SOURCE service HTTPS HTTPS

Additional Information:

NAT divert to egress interface LAN

Untranslate /443 to 10.10.10.2/443

But as I said I am not sure how well the ASA would handle this. They arent identical configurations but the ASA does warn about the overlap. Naturally getting the warning messages doesnt always mean it wont work properly. This happens for example when you have a Static NAT and Static Policy NAT for a host towards the same interface.

Hope this helps

- Jouni

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎02-03-2014 05:47 AM

interesting configuration there Jouni

Though I might add, try it at your own risk

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Marius Gunnerud

‎02-03-2014 05:51 AM

Hi Marius,

The good thing here at CSC is that I do get to try NAT configurations that would never have though about myself

Just would need to find the time/motivation to do a bit of an update to my NAT document here on CSC. So many special NAT configurations so far.

But as I said and as you mentioned, I am not sure if this is a very reliable configuration to use. I did test it before and it worked but its a totally different matter how it works in long term and actual use by the users.

- Jouni

0 Helpful

Go to solution
shanemolloy
Level 1
Level 1
In response to Jouni Forss

‎02-03-2014 06:23 AM

Thanks for the replies (and the config Jouni). I'll do some testing myself with it and hopefully it'll do the job. If not there's always the workaround

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card