Cisco ASA NAT Problem

Hi all,

In my scenario I have a remote server communicating with a private local server open to the world via static NAT.

Remote server: 1.1.1.1
ASA Outside: 2.2.2.2
ASA Inside: 192.168.1.254
Private Server: 192.168.1.100

I have configured static NAT to allow outside connections in to the private server. The private server is a linux host with a default gateway pointing to another device in the LAN on IP address 192.168.1.1.

So as to not add static routes on the linux host pointing towards the ASA for each destination the Private server will be replying to, I am looking to change the Remote server's IP address using NAT during the initial connection.

This would mean the packet has the following details before NAT:

Source IP: 1.1.1.1
Destination IP: 2.2.2.2

After NAT, the packets should have the following details:

Source IP: 192.168.1.254
Destination IP: 192.168.1.100

Rather than:

Source IP: 1.1.1.1
Destination IP: 192.168.1.100

Is this solution possible on a Cisco ASA?

Many thanks.


Jouni Forss
VIP Alumni

Hi,

It should be possible. At the moment I am wondering what your ASA software level is, though. This is a little simpler to handle in the new ASA software versions (8.3 and above) than in the older ones (8.2 and below).

In the new software you would use the following configurations. In your case though I would probably use some free IP address from the subnet 192.168.1.0/24 for this NAT rather than the ASA interface.

object network SOURCE-REAL
 host 192.168.1.100

object network SOURCE-MAPPED
 host 2.2.2.2

object network DESTINATION-REAL
 host 1.1.1.1

object network DESTINATION-MAPPED
 host 192.168.1.253

nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static DESTINATION-MAPPED DESTINATION-REAL

This "nat" configuration would do translation to both the source and destination IP address. Looking at the above NAT configuration, we would see that traffic coming from DESTINATION-REAL towards SOURCE-MAPPED would have the effect that SOURCE-MAPPED would get untranslated to SOURCE-REAL and DESTINATION-REAL would get translated to DESTINATION-MAPPED.

Naturally, my using the terms SOURCE and DESTINATION in the "nat" configuration might create some confusion depending on which "direction" you are actually looking at the situation from. You should naturally use different "object" names to make the configuration easier for you to read. That is, if you are using the new software?

Hope this helps :)

- Jouni
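To make the address rewriting in the reply above concrete, here is an added example that is not part of the thread or of any Cisco documentation: a small Python model of the 8.3+ twice-NAT rule Jouni gives (single-host objects, first-match lookup), with the OP's pre-existing destination-only static NAT as the fallback for remotes that have no twice-NAT rule. It walks one connection inbound through the ASA and the server's reply back out, and reports whether the reply would have to leave the LAN through the host's default gateway (192.168.1.1) rather than reach the ASA. The address 3.3.3.3, used as a remote that is not listed in any DESTINATION-REAL object, is a constructed value; the rule names, helper functions and the `OBJECT_NAT` table are this example's own, not ASA features.

```python
# Added example (not from the thread): a model of how an ASA 8.3+ twice-NAT
# rule rewrites both addresses of a packet, and why the inside server then
# replies to a LAN address instead of needing a route towards the ASA.
# 3.3.3.3 (an "unlisted" remote) is a constructed address for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

LAN = IPv4Network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class TwiceNatRule:
    """One 'nat (inside,outside) source static SRC_REAL SRC_MAPPED
    destination static DST_MAPPED DST_REAL' line with single-host objects."""
    src_real: IPv4Address     # SOURCE-REAL        (inside server)
    src_mapped: IPv4Address   # SOURCE-MAPPED      (ASA outside address)
    dst_mapped: IPv4Address   # DESTINATION-MAPPED (free LAN address)
    dst_real: IPv4Address     # DESTINATION-REAL   (remote server)


# The OP's pre-existing one-to-one static NAT (mapped -> real). Only the
# destination is rewritten, so the server sees the remote's real address.
OBJECT_NAT = {IPv4Address("2.2.2.2"): IPv4Address("192.168.1.100")}


def build_rules() -> List[TwiceNatRule]:
    """Manual twice-NAT rules, one per remote server. This is what the
    follow-up post asks about: each remote needs its own DESTINATION pair."""
    return [
        TwiceNatRule(
            src_real=IPv4Address("192.168.1.100"),
            src_mapped=IPv4Address("2.2.2.2"),
            dst_mapped=IPv4Address("192.168.1.253"),
            dst_real=IPv4Address("1.1.1.1"),
        ),
    ]


def inbound(rules: List[TwiceNatRule], pkt: Packet) -> Tuple[Packet, Optional[TwiceNatRule]]:
    """Packet arriving on 'outside' (the mapped side). Twice-NAT rules are
    checked first and rewrite both addresses; otherwise fall back to the
    destination-only object NAT."""
    for rule in rules:
        if pkt.dst == rule.src_mapped and pkt.src == rule.dst_real:
            return Packet(src=rule.dst_mapped, dst=rule.src_real), rule
    real = OBJECT_NAT.get(pkt.dst)
    if real is not None:
        return Packet(src=pkt.src, dst=real), None
    return pkt, None


def outbound(rules: List[TwiceNatRule], pkt: Packet) -> Tuple[Packet, Optional[TwiceNatRule]]:
    """Packet arriving on 'inside' (the real side), i.e. the server's reply,
    assuming it does reach the ASA. The same rule applies in reverse."""
    for rule in rules:
        if pkt.src == rule.src_real and pkt.dst == rule.dst_mapped:
            return Packet(src=rule.src_mapped, dst=rule.dst_real), rule
    for mapped, real in OBJECT_NAT.items():
        if pkt.src == real:
            return Packet(src=mapped, dst=pkt.dst), None
    return pkt, None


def reply_needs_gateway(pkt: Packet) -> bool:
    """True when the server's reply is addressed outside the LAN and so
    follows the host's default gateway (192.168.1.1), not the ASA."""
    return pkt.dst not in LAN


def trace(remote: str) -> dict:
    """Walk one connection from `remote` through the ASA and back."""
    rules = build_rules()
    arriving = Packet(IPv4Address(remote), IPv4Address("2.2.2.2"))
    on_lan, rule = inbound(rules, arriving)
    reply = Packet(on_lan.dst, on_lan.src)       # server swaps the addresses
    leaving, _ = outbound(rules, reply)
    return {
        "server_sees_src": str(on_lan.src),
        "twice_nat_matched": rule is not None,
        "reply_needs_gateway": reply_needs_gateway(reply),
        "reply_on_wire": (str(leaving.src), str(leaving.dst)),
    }


if __name__ == "__main__":
    for remote in ("1.1.1.1", "3.3.3.3"):   # 3.3.3.3 is constructed
        print(remote, trace(remote))
```

For 1.1.1.1 the server sees the connection as coming from 192.168.1.253, answers on the local subnet, and the ASA restores 2.2.2.2 and 1.1.1.1 on the way out. For the constructed unlisted remote 3.3.3.3 only the destination is rewritten, the reply is addressed off-LAN, and on the OP's hosts it would go to 192.168.1.1 rather than the ASA, which is exactly the asymmetry the thread is trying to avoid.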

Hi Jouni,

Thanks for that.

We are currently using ASA 8.2.

I know we're talking about 8.3 here; however, would this solution not require every possible destination to be added to the DESTINATION-REAL object? This wouldn't be a problem for us as we only have a small number of possible DESTINATION-REALs (remote servers only accessible over site-to-site VPN).

I understand the best solution would be to simply change the default gateway on the internal server, just curious if this would be possible in an 8.2 environment without any changes to hosts.
