I see Jouni you beat me to it!

I just made a ref to a documentation you wrote which has helped me in getting to understand different nat with ASA.

There you have it Raun! Jouni in e-flesh and e-blood!

Thank you to both of you!  I've never got my head wrapped around the new nat since it changed in 8.3.  I'm gong to study the link you gave me and the config makes sense, in some aspects.  I'll have to give it a shot and will let you know.  More then likely, I'll be back wtih questions

Teddy, I agree with you the outside subinterfaces and it is certainly unusual from my standpoint.  However, in reality, although they are 'outside' their still on my network.  I have a OUTSIDE switch that I can provide a trunk to for the ASA, and break out the vlans to the appropriate routers, guest and corporate, which i own.   So from that aspect, I don't see a big issue in doing it that way to conserve physical ports.  Although, i was going to set the security level teh same on all of them since they still can't talk to one another by default.  Do you see an issue with this?

Thanks,

Raun

Hi Raun,

Definitely not a problem with that!!! I mean with the version 8.3+ of the ASA a code, there's just way too much of flexibility to do nat with it!

Good enough Cisco had to wake up to the call.  I mean Juoni poured it out for you in a black int and white canvas for you! just copy his config and edit to your suiting.

Believe me I went thru same phase of getting my head around the nat in ver 8.3+ i felt it was difficult at first, but once it down well with me....i feel it's the best thing ever since slice bread!!!! mmmhmmmm....

Also don't forget to rate Jouni's and I reply if it does answer your question.

Thanks

Tedd ( in reality i gat ma glasses on hehe!)

NB

I never appreciated the idea of drawing out your problem, not untill recently I had to help troubleshoot and saw the importance of having drawing to explain problems. So If you can next time just put up a drawing no matter how it is! It helps to understand your problem easily and solution would be provided ASAP.

Hi,

The above configuration is just a really simple example of how to get traffic forwarded through different external interfaces of the ASA based on the source network. Even though you could do the same even if the source networks were behind a single LAN interface.

I would stress that the above configuration doesnt take into account at all possible VPN related NAT0 configurations, possible Static NAT configurations that you might need for servers or traffic between the LAN interfaces. All of those would require additional configurations.

So trying out something like this would be good if you can lab it or atleast plan the change before trying it and having a plan to revert back to the old if you are doing it in production environment.

This is something I have not added to my document that I wrote. I am not sure when I will add more information to the document. I do know that there is a lot of things that could be added there. Hopefully I get myself around to it at some point

To give a short summary what the above "nat" commands are supposed to do is the following:

• We first define the source and destination interface of the traffic. Where is the source network located and where do we want to forward it?
  • nat (LAN-1,ISP-CABLE)
• We define the source network(s) in object and PAT it to the external interface specified in the command
  • source dynamic LAN-1 interface
• We use an "object-group" that contains all the possible destination networks.
  • destination static ALL ALL
• When traffic from the defined source network from the defined source interface comes to the ASA towards any destination IP address, that destination IP address will get matched to the destination object-group "ALL" and therefore get forced out through the destination interface which we have used in the "nat" command.

Not necesarily the clearest explanation but feel free to ask more questions and I'll try to answer those.

- Jouni

Well, you guys obviously know your stuff so I went ahead and put it as the correct answer, i'll just have to implement in toy with it.   Originally, I saw this as step 1.  Since your quite good at this, I'll through the other catch at you now to think about it.

So all of these 'DMZs" are wireless networks.  On the other side is a wireless controller and the wireless controller has the option of 'proxying' the dhcp request for the client basically turn it into a unicast request.

Now that request needs to be able to get through say LAN-1 to INSIDE-1 for the DHCP server as well as DNS lookups, at 10.100.90.x. 

But that is the ONLY access they should have to that INSIDE-1.  Anything else is a big no no.

Optionally, I could tell the controller to let the clients on LAN-1 make their own request and setup dhcp relays on the ASA to INSIDE-1 if that would be easier...

I'm actually doing the unicast way through an old PIX 515E right now.

Hi,

So if there is traffic that needs to pass between local interface then the above configuration is not enough to achieve that as the current NAT configuration would forward ALL destination traffic to the ISP interface of choice.

This means we need to determine the LAN networks between which connections are required and between which interface this traffic is supposed to flow.

If I use my own previous example and for example say that I need that traffic can flow between LAN-1 and LAN-2 wihtout getting forwarded to the ISP interfaces then I would configure this

nat (LAN-1,LAN-2) 1 source static LAN-1 LAN-1 destination static LAN-2 LAN-2

Key things to notice in the above configuration

• We add the rule to the top of these Section 1 Manual NAT rules as we mentioned the line/order/priority number "1" in the command. So it will be first to be matched before the special "nat" configurations we have for the ISP traffic.
• This "nat" command is bidirectional. If LAN-1 initiates connection towards LAN-2 then this traffic will get matched to this rule. If LAN-2 initiates connection to LAN-1 then this traffic will get matched to this rule. Though if we didnt move this rule to the top in the previously mentioned way this rule would never be matched.
• As we use the same "object" for both the real and mapped source/destination it essentially means we are doing NAT0 / Static Identity NAT. This means the networks can communicate with their original IP addresses.

Naturally you will have to use the interface ACLs to control what traffic is allowed. Naturally you could only configure the same NAT above for only certain hosts between the networks but I guess thats up to you. I personally prefer to do traffic control purely in the ACL and not use NAT for it.

Hope this helps

- Jouni

Hi Raun!

Jouni is absolutely correct. Using ACL in my opinion gives you more dexterity in controlling your traffic.

For you ACL remember that going from Higher interface level to a Lower one no bueno to it(no problems)!  But from the Lower to the higher you need the ACL to go with it!

So you thinking about allowing your request from your DMZ to your LAN1, you need the ACL to match the traffic. I personally like creating my ACL in this order:

FROM                         TO                              SERVICE

SOURCE                     DESTINATION             SERVICE

DMZ                            LAN1                          udp/dhcp

Makes the flow easy to understand and implement.

Hope it helps.

Tedd

Hmm.. I don't seem to be selecting the appropriate route.  If i remove the other default route statements, it works fine.. add the others back and it doesn't.  So I built the config and started messing with teh 10.100.39.0 or VIP-VENDOR network

object network VIP-VENDOR
subnet 10.100.39.0 255.255.255.0

object network ANY-0.0.0.0-1
subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (Guest-1,Outside-Cable) source dynamic Guest-1 interface destination static ALL ALL

nat (Guest-2,Outside-Cable) source dynamic Guest-2 interface destination static ALL ALL

nat (Guest-3,Outside-Cable) source dynamic Guest-3 interface destination static ALL ALL

nat (Guest-4,Outside-Cable) source dynamic Guest-4 interface destination static ALL ALL

nat (Guest-5,Outside-Cable) source dynamic Guest-5 interface destination static ALL ALL

nat (VIP-DOC,Outside-t1) source dynamic VIP-DOC interface destination static ALL ALL

nat (VIP-VENDOR,Outside-Corp) source dynamic VIP-VENDOR interface destination static ALL ALL

access-group acl-vip-vendor in interface VIP-VENDOR

route Outside-Cable 0.0.0.0 0.0.0.0 10.100.255.254 1

route Outside-t1 0.0.0.0 0.0.0.0 10.100.254.254 253

route Outside-Corp 0.0.0.0 0.0.0.0 PUBLICIP 254

Here's the packet trace:

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside-Cable

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group acl-vip-vendor in interface VIP-VENDOR

access-list acl-vip-vendor extended permit ip any any

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 900, packet dispatched to next module

Result:

input-interface: VIP-VENDOR

input-status: up

input-line-status: up

output-interface: Outside-Cable

output-status: up

output-line-status: up

Action: allow

Hi,

If you are going to try some 8.4 code I would suggest trying 8.4(5) or 8.4(6). To my understanding 8.4(1) still did not follow the NAT configurations but actually the routing table.

Though I am not sure what the problem is with the 9.1 since I have tested this on that software version.

In your earlier post where you mentioned the configurations that didnt seem to match at all, what was the exact software level used? I might try to lab that up again myself as I am currently trying something out on an ASA. Could perhaps test this after I done with the previous test.

- Jouni

Okie, will try 8.4(6).  Not sure what you mean by 'configurations that didnt seem to match at all', but I started out on 9.1.4.

Sure, if you have time to lab it, I would greatly appreciate it.  If you want my config, let me know.

Hi,

I just meant the "nat" command that should all forward the traffic from the specified LAN networks to specific ISP link. Just wondered what software was used when if they werent work.

But as you mentioned its 9.1(4). Will see if I can try that out a bit later.

- Jouni