Incoming NAT rule

heather.burke
Level 1

I am trying to configure an incoming NAT rule.  As such, I want a routable address to be able to be translated to an internal one.

However, I’m unsure exactly how that is set up. I’m assuming that you want it to be static, and therefore bidirectional. How do you know if the initial setup is outside to inside or vice versa? (or does it matter if it is bi-directional?) So far on my test network I don’t seem to be able to achieve doing this. The test that I am using is making the non-routable 192.168.2.4 into a 10.64.204.97. (I am thinking that for this test if I were to correctly set it up, when I ping the address of 10.64.204.97, I would really be pinging 192.168.2.4, but so far no combination of the above seems to return a good ping.)

Do you have any advice on the best way to do this?  The documentation on it I have found so far has not been helpful to me.


25 Replies

Hi,

What exactly do you want to do?

If you want an incoming NAT rule, most likely it is a STATIC NAT (by the way, is this an ASA or IOS device)?

Federico.

mirober2
Cisco Employee

Hi Heather,

What version of code is your firewall running? This will affect the commands you need to use. In addition to the static, you'll also need to setup your access rules.

If you post a copy of your configuration, we should be able to give you the commands you need.

Here is a really general example:

static (inside,outside) 10.64.204.97 192.168.2.4 netmask 255.255.255.255
access-list outside_access_in permit icmp any host 10.64.204.97
access-group outside_access_in in interface outside

Hope that helps.

-Mike

Hi Mike,

I believe that I'm running the latest version, 8.32.

So with the above statement, you are setting it up bi-directionally so that when the outside pings the external address, the ASA routes it to the internal address, right?

Hi Heather,

In 8.3, the commands will look like this instead:

object network obj-192.168.2.4
  host 192.168.2.4
  nat (inside,outside) static 10.64.204.97
!
access-list outside_access_in permit icmp any host 192.168.2.4
access-group outside_access_in in interface outside

To answer your question, yes this will work bidirectionally. When someone tries to ping 10.64.204.97, the ASA will translate the packet and forward it to 192.168.2.4. Likewise, if 192.168.2.4 goes out to the Internet, it will appear as if the traffic is coming from 10.64.204.97 after it passes through the ASA.

Hope that helps.

-Mike

Hi Mike,

What is the benefit to doing network object nats vs just regular nats?

Also, I don't know if you are familiar with ASDM, but where do the access_list commands show up on it? I thought they would make changes to the access list area, but they don't. My learning of this ASA has been a hybrid of CLI and ASDM, so I try to make sure I understand how it works on both fronts.

Thanks, btw, that worked great!

Hi Heather,

Glad to hear that worked for you. In 8.3, it's best to do as much as possible in the Auto/Object NAT section as the ASA will do a better job about ordering the configuration and choosing the correct statement to match the traffic. The Manual NAT section can be used when you need to do translations based on the destination or for NAT exemption.

In ASDM, the 'access-list' commands will show up in the Configuration > Firewall > Access Rules pane once you apply them with the 'access-group' command. Otherwise, you'll see them listed under Configuration > Firewall > Advanced > ACL Manager.

-Mike

Hi Mike,

A question came up with this last night during live testing.  This rule worked great to allow our webserver to be accessible via the internet.  However, we needed another inside to outside NAT rule to allow us out to the internet.   I have noticed that you cannot have two static NAT rules both going from internal to external, even if the parameters for each are different, or if they're associated with an object.  Can you tell me why that is?    I noticed that when I did this, and then pinged the external address for the webserver, the reply came from the address (or pool of addresses) that I had set up for the external surfing rule.  Obviously the two rules are getting mixed up with each other, but I'm having trouble rectifying logically why that is.

I was able to achieve my objective by using the static rule for the webserver and then using a dynamic PAT rule for getting out to surf the internet and access other outside resources. I am not 100% sure that this is the best long term solution for us. Are there drawbacks for using PAT address translation indefinitely in this way?

Thanks again

Heather

Hi Heather,

Can you share the NAT config that you have? I tested this on my ASA and it worked as expected. I have:

object network obj_any
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface
!
object network server
  host 192.168.1.1
  nat (inside,outside) static 10.1.1.1

With this configuration, I can access the host at 192.168.1.1 from the outside by using 10.1.1.1. Likewise, when 192.168.1.1 goes out it looks like 10.1.1.1. Anyone else in the 192.168.1.0 subnet goes out looking like the outside interface of my ASA.

-Mike

Ok, that is similar to what I was describing, where you use a static for the web server and then a dynamic for outgoing traffic. Is that a reasonable long term solution? I had read that static nats were the way to go, but it seems like using dynamic nats for web surfing traffic is more ideal.

My nat rules are, I think, as follows:

nat (INSIDE,OUTSIDE) source dynamic any interface
!
object network obj-192.168.204.0
nat (INSIDE,OUTSIDE) static xxx.xx204.84 dns

That works fine for what I need, but why can't there be two static NATs assigned to different specific IP addresses or pools going from inside to outside?

Hi Heather,

The reason that the outbound traffic is using the dynamic rule is because it is configured in the manual NAT section. All of the NAT rules in this section will be processed in order before any of the object/auto nat rules take effect.

Your configuration will certainly work fine. However, if you want your web server to use the static rule when it goes out to the Internet, you would want to move the dynamic rule down into the object/auto NAT section like the example I posted above.

Hope that helps.

-Mike

Ok, interesting.  I thought last night I configured two object nats and they did not work.

They may have both been static nats, though.

So you're saying that with this configuration, we can get into the web server as described, but return traffic will be routed dynamically rather than statically?  Are there implications to that?

Hi Heather,

You're absolutely correct. There are no real implications to sticking with the current setup unless you start adding more translations in the future and the manual NAT overlaps and takes precedence. Doing as much as possible in the auto/object NAT section will help you avoid these overlaps in the future and thus simplify the config process for you.

-Mike

Hi Mike,

One more question that has arisen with this:  Would this NAT affect VPN traffic at all?  Perhaps this is a silly question, but we're trying to troubleshoot a VPN setup.  I don't know much about this yet, but I do know that my static rule has been one change since it allegedly "worked".  Now apparently traffic is not getting out or in for that VPN connection.

Hi Heather,

Most of the time you would want to setup an identity NAT rule when your inside hosts talk to the VPN hosts. For example:

VPN subnet: 10.1.1.0/24

VPN terminates on outside interface

Internal subnet: 192.168.1.0/24

object network obj-10.1.1.0
  subnet 10.1.1.0 255.255.255.0
!
object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.1.1.0 obj-10.1.1.0

This will tell the ASA not to translate any traffic passing between your internal subnet and the VPN subnet. If that's not quite what you're looking for, let us know.

Hope that helps.

-Mike
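The two behaviours Mike explains above, manual NAT being evaluated before object/auto NAT (which is why the web server's outbound traffic hit the dynamic PAT rule), and an identity twice-NAT rule exempting VPN traffic, can be reproduced with a small model of the ASA 8.3 NAT lookup. This is an added illustration written for this thread, not Cisco code: the outside interface address 203.0.113.1 and the destination addresses are constructed, and the model covers only source translation for inside-to-outside packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF = "203.0.113.1"  # constructed outside-interface address for "dynamic interface"

@dataclass
class NatRule:
    section: int               # 1 = manual NAT (evaluated first), 2 = object/auto NAT
    kind: str                  # "static" or "dynamic"
    real: ipaddress.IPv4Network
    mapped: Optional[str]      # mapped address, "interface", or None for identity NAT
    dest: Optional[ipaddress.IPv4Network] = None  # destination match (manual NAT only)

def ordered(rules):
    """ASA lookup order: section-1 rules in configured order, then section-2 rules
    with static before dynamic and the rule covering fewer real addresses first."""
    manual = [r for r in rules if r.section == 1]
    auto = sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.kind != "static", r.real.num_addresses,
                                 int(r.real.network_address)))
    return manual + auto

def translate_source(rules, src, dst):
    """Return the mapped source address the first matching rule gives a packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ordered(rules):
        if s in r.real and (r.dest is None or d in r.dest):
            if r.mapped is None:
                return src                       # identity NAT: left untranslated
            return OUTSIDE_IF if r.mapped == "interface" else r.mapped
    return src                                   # no rule matched

net = ipaddress.ip_network
SERVER_STATIC = NatRule(2, "static", net("192.168.2.4/32"), "10.64.204.97")
# Heather's config: dynamic PAT in the manual NAT section, ahead of the object NAT
HEATHER = [NatRule(1, "dynamic", net("0.0.0.0/0"), "interface"), SERVER_STATIC]
# Mike's suggestion: the dynamic rule moved down into object NAT
MIKE = [NatRule(2, "dynamic", net("192.168.2.0/24"), "interface"), SERVER_STATIC]
# Identity NAT for the VPN subnet (manual NAT), with the PAT in object NAT
VPN = [NatRule(1, "static", net("192.168.1.0/24"), None, net("10.1.1.0/24")),
       NatRule(2, "dynamic", net("192.168.1.0/24"), "interface")]

if __name__ == "__main__":
    print(translate_source(HEATHER, "192.168.2.4", "198.51.100.10"))  # 203.0.113.1
    print(translate_source(MIKE, "192.168.2.4", "198.51.100.10"))     # 10.64.204.97
    print(translate_source(VPN, "192.168.1.20", "10.1.1.5"))          # 192.168.1.20
```

Run it and compare the first two lines: the same static rule only takes effect for the server's outbound traffic once the dynamic rule no longer sits in the manual NAT section ahead of it.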
