3038 Views | 20 Helpful | 21 Replies

NAT for group of objects - how to?

orhan.tagizade
Level 1

Hi everyone!

My ASA5505 has an external address of x.x.x.13. We also have 2 spare IP addresses: x.x.x.10 and x.x.x.11.

We have 2 internal hosts, y.y.y.146 and y.y.y.70, which we need to provide with internet access using NAT.

We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't quite understand how this should be done.

The goal is to set up the ASA in such a way that if either of the above-mentioned 2 hosts connects to the internet, it takes one of the 2 external addresses.

All other hosts should use PAT through x.x.x.13.

Thanks a lot in advance.

4 Accepted Solutions

Hi,

Please change the following in the config

From

object network mdo0003
   nat (inside,outside) static 81.21.95.10

object network mdo0005
   nat (inside,outside) static 81.21.95.10

To

object network mdo0003
   nat (inside,outside) dynamic 81.21.95.10

object network mdo0005
   nat (inside,outside) dynamic 81.21.95.10

Since we want both the IPs to be translated to 81.21.95.10

Let me know if this helps

Thanks,

Namit

21 Replies

Rudresh Veerappaji
Cisco Employee

Hi Orhan,

I did not quite understand your exact requirement. Is the below the requirement?

y.y.y.146 --------> x.x.x.10

y.y.y.70  --------> x.x.x.11

If the above is the requirement, you need the following config:

object network obj-y.y.y.146
   host y.y.y.146
   nat (inside,outside) static x.x.x.10

object network obj-y.y.y.70
   host y.y.y.70
   nat (inside,outside) static x.x.x.11

More info on the comparison of pre-8.3 NAT to 8.3 for your reference: https://cisco-support.hosted.jivesoftware.com/docs/DOC-9129


Let me know if this helps,

Cheers,

Rudresh V

Namit Agarwal
Cisco Employee

Hi ,

You can configure NAT as follows (in 8.3 object NAT the object holds the real, inside address and the nat line carries the mapped, outside address):

object network obj-y.y.y.146
   host y.y.y.146
   nat (inside,outside) static x.x.x.10

object network obj-y.y.y.70
   host y.y.y.70
   nat (inside,outside) static x.x.x.11

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13

Regards,

Namit

orhan.tagizade
Level 1

Hi, everyone!

Thank you for your answers.

My idea actually was as follows:


Create a group consisting of the 2 internal hosts y.y.y.146 and y.y.y.70.

Allow this group to use 1 external address (for example x.x.x.10) through NAT.

The internal hosts will not connect to the internet simultaneously, so I think 1 external address is enough.

Maybe it can be done using an ACL? (not quite sure about this).

Hi,

So what we are trying to achieve here is

internal host y.y.y.146 > translated to public IP x.x.x.10

internal host y.y.y.70  > translated to public IP x.x.x.11

and other internal hosts translated to public IP x.x.x.13

Please correct me if I am wrong.

Thanks,

Namit

Hi, Namit!

Yes you are completely right.

Just a quick comment: is it possible to make a group of internal hosts use 1 public ip?

Appreciate your help.

Hi,

We can definitely do that. We can use the following config

object network obj-y.y.y.0
   subnet y.y.y.0 255.255.255.0
   nat (inside,outside) dynamic x.x.x.10

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13

The first part means the subnet y.y.y.0/24 will be translated to the IP address x.x.x.10.

The second part means all the rest of the traffic will be translated to the IP address x.x.x.13.

Cheers,

Namit

Namit,

thanks for the answer.

We have got only one internal subnet: y.y.y.0/24

I need the following:

host y.y.y.146 and host y.y.y.70 to be included in a group and translated into x.x.x.10 or x.x.x.11.

The rest of the hosts from the y.y.y.0/24 subnet will be translated dynamically to x.x.x.13.

Forgot to add: connections must be initiated only from inside hosts. No inbound connection from addresses behind the outside interface (except 1 specific address) should be allowed.

Hi ,

Yes we can make the following changes

object network obj-y.y.y.146
   host y.y.y.146
   nat (inside,outside) dynamic x.x.x.10

object network obj-y.y.y.70
   host y.y.y.70
   nat (inside,outside) dynamic x.x.x.10

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic x.x.x.13

We cannot put both y.y.y.146 and y.y.y.70 under one object. But we can NAT them to the same IP x.x.x.10.

Cheers,

Namit
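To make the rule selection in the reply above concrete, here is an added Python model of ASA 8.3 object NAT (it is not code from the thread or from Cisco). It encodes the three objects from Namit's reply, using 203.0.113.0/24 as a stand-in for x.x.x.0/24 and 10.0.0.0/24 for y.y.y.0/24 (both assumed placeholders), orders them the way the ASA orders section-2 object NAT rules (static before dynamic, fewer real addresses first, then by object name), resolves which mapped address each inside host gets, and flags the one conflict the thread later hits: two static rules mapped to the same address.

```python
"""ASA 8.3 object NAT rule selection, modelled in Python.

Added example, not from the original thread.  Placeholders (assumed):
203.0.113.0/24 stands in for x.x.x.0/24 and 10.0.0.0/24 for y.y.y.0/24.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ObjectNat:
    name: str             # object network <name>
    real: IPv4Network     # host/subnet declared inside the object
    kind: str             # "static" (one-to-one) or "dynamic"
    mapped: IPv4Address   # nat (inside,outside) <kind> <mapped>


def object_nat(name: str, real: str, kind: str, mapped: str) -> ObjectNat:
    if kind not in ("static", "dynamic"):
        raise ValueError(f"{name}: unknown NAT kind {kind!r}")
    return ObjectNat(name, ip_network(real), kind, ip_address(mapped))


def order_rules(rules):
    """Section 2 (object NAT) ordering as the ASA builds it: static rules
    first, then rules with fewer real addresses (longer prefix), then by
    object name.  A /32 host object therefore beats obj_any (0.0.0.0/0)
    no matter which one was typed first."""
    return sorted(rules, key=lambda r: (r.kind != "static", -r.real.prefixlen, r.name))


def validate(rules):
    """Static translations are one-to-one, so two static rules sharing a
    mapped address overlap; dynamic rules to a single inline host address
    (dynamic PAT on the ASA) may share one address."""
    owner = {}
    problems = []
    for r in order_rules(rules):
        if r.kind != "static":
            continue
        if r.mapped in owner:
            problems.append(f"{r.name}: static mapped {r.mapped} already used by {owner[r.mapped]}")
        else:
            owner[r.mapped] = r.name
    return problems


def translate(rules, src: str):
    """First matching rule in section-2 order wins.  Returns (object name,
    mapped source address); (None, src) means no rule matched."""
    addr = ip_address(src)
    for r in order_rules(rules):
        if addr in r.real:
            return r.name, str(r.mapped)
    return None, str(addr)


# The configuration the thread settles on: both hosts PAT'd to x.x.x.10,
# everything else PAT'd to the interface address x.x.x.13.
FINAL_CONFIG = [
    object_nat("obj_any", "0.0.0.0/0", "dynamic", "203.0.113.13"),
    object_nat("obj-y.y.y.146", "10.0.0.146/32", "dynamic", "203.0.113.10"),
    object_nat("obj-y.y.y.70", "10.0.0.70/32", "dynamic", "203.0.113.10"),
]

# The variant from the accepted fix: two static rules to one mapped address.
CONFLICTING_CONFIG = [
    object_nat("mdo0003", "10.0.0.146/32", "static", "203.0.113.10"),
    object_nat("mdo0005", "10.0.0.70/32", "static", "203.0.113.10"),
]

if __name__ == "__main__":
    for host in ("10.0.0.146", "10.0.0.70", "10.0.0.5"):
        print(host, "->", translate(FINAL_CONFIG, host))
    print(validate(CONFLICTING_CONFIG))
```

The point the model makes is that obj_any does not need to be entered last: the ASA sorts section-2 rules itself, so the two /32 objects always win over the 0.0.0.0/0 object, and the only way to break the design is a static one-to-one rule that reuses a mapped address already claimed by another static rule.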

Hi,

I saw your response below. I have a similar requirement and am also running into the same "overlap with existing pool" issue.

My question is, can't we create an object-group network and add the different network objects for the different hosts into the object-group network? Then create a NAT statement for the object-group.

Example.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 64.136.55.62 255.255.255.192

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.180.4.254 255.255.255.0

object network host1
 host 10.182.1.21
object network host2
 host 10.182.1.22

object-group network Group_1
 network-object object host1
 network-object object host2

nat (dmz,outside) source dynamic Group_1 64.136.55.12

(64.136.55.12 is not the outside interface IP; we get an error if we do this...)

orhan.tagizade
Level 1

Thanks for the advice, everything is set up as advised and host requests are translated correctly.

The problem is, as I described a few days ago in https://supportforums.cisco.com/thread/2044300:

There is a Cisco VPN Client installed on both hosts (y.y.y.146 and y.y.y.70) and an IPsec VPN connection to external host 95.86.133.30 is set up.

The VPN Client establishes the connection and then a website (you can see the topology in the thread linked above), https://172.23.19.5:7777/accr/, is opened in Internet Explorer. But, unfortunately, IE shows a "cannot display the webpage" error. When the connection is made over a direct internet connection (using an ADSL modem or a public IP on the provider switch, again as I wrote in the thread referenced above) everything works OK.

The syslog is attached. I think some ACL must be created, but due to lack of knowledge I cannot determine what rule to create to solve the issue.

Thanks in advance!

Hi ,

Glad that the NAT worked out fine. Regarding the other problem, I see that the other thread is marked as answered. Did you enable NAT-T as suggested there or use a static IP?

Thanks,

Namit

Hey Namit,

Unfortunately, NAT-T is disabled on the other side, and taking into account that we are unable to alter the configuration on the PIX Firewall (other side), I used the suggestion provided in the other thread to use a static NAT. That was actually the reason I started this thread.

Have you reviewed the syslog I attached to my previous post? Probably the reason for the whole setup not working (static NAT works, the Cisco VPN client on the client machine is able to connect to the remote PIX, but we are not able to open the website behind the PIX firewall) can be seen in the syslog.

As I wrote in my previous post, I think that some sort of ACL must be implemented.

Please advise after you see the syslog.

Many thanks.

Hi ,

Please add the following entry in the ACL on the outside interface and try once again.

access-list outside_access_in extended permit ip host 95.86.133.30 any
access-list outside_access_in extended permit esp host 95.86.133.30 any
access-group outside_access_in in interface outside

Thanks,

Namit
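As an added worked example (not code from the thread or from Cisco), the following Python script checks what the two access-list lines above actually admit, using ASA 8.3 semantics: since 8.3 the interface ACL is evaluated against the real, untranslated address, so an inbound packet to a static-mapped outside address is un-NATed first and then matched against outside_access_in. The peer 95.86.133.30 and the two ACEs are taken from the reply above; 203.0.113.10/.13 and 10.0.0.146 stand in for x.x.x.* and y.y.y.* (assumed placeholders). It also runs a first-match shadowing check, which shows that the second ACE (esp) can never match because the first (ip) already covers it.

```python
"""Inbound policy check for the thread's final design, with ASA 8.3 semantics.

Added example, not part of the original thread.  Placeholders (assumed):
203.0.113.10 / 203.0.113.13 stand in for x.x.x.10 / x.x.x.13, and
10.0.0.146 for y.y.y.146.  The peer 95.86.133.30 comes from the thread.
"""
from ipaddress import ip_address, ip_network

# mapped (outside) -> real (inside).  Only a static mapping accepts
# connections initiated from outside; dynamic PAT does not.
STATIC_NAT = {"203.0.113.10": "10.0.0.146"}

# The two ACEs from the reply above, in the order they were given.
ACL_TEXT = """
access-list outside_access_in extended permit ip host 95.86.133.30 any
access-list outside_access_in extended permit esp host 95.86.133.30 any
"""


def _addr(tok, i):
    """Parse one ASA address spec at tok[i]: any | host A | A MASK."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError("unsupported ACE: " + line)
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, _ = _addr(tok, i)
        aces.append((action, proto, src, dst))
    return aces


def _covers(ace, proto, src, dst):
    _, p, s, d = ace
    return (p == "ip" or p == proto) and src in s and dst in d


def acl_lookup(aces, proto, src, dst):
    """First match wins; the ASA's implicit deny applies when nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    for idx, ace in enumerate(aces):
        if _covers(ace, proto, src, dst):
            return ace[0], idx
    return "deny", None


def inbound(aces, proto, src, dst_mapped):
    """Un-NAT the destination, then evaluate the ACL against the real host.
    Returns (verdict, real destination, matching ACE index)."""
    real = STATIC_NAT.get(dst_mapped)
    if real is None:
        return "drop", None, None          # no translation to an inside host
    action, idx = acl_lookup(aces, proto, src, real)
    return action, real, idx


def shadowed_aces(aces):
    """Indexes of ACEs that can never match because an earlier ACE already
    covers all of their traffic (ASA ACLs are first-match)."""
    out = []
    for j, (_, pj, sj, dj) in enumerate(aces):
        for _, pi, si, di in aces[:j]:
            if (pi == "ip" or pi == pj) and sj.subnet_of(si) and dj.subnet_of(di):
                out.append(j)
                break
    return out


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print(inbound(ACL, "esp", "95.86.133.30", "203.0.113.10"))
    print(inbound(ACL, "tcp", "198.51.100.7", "203.0.113.10"))
    print(inbound(ACL, "tcp", "95.86.133.30", "203.0.113.13"))
    print("shadowed:", shadowed_aces(ACL))
```

Two practical consequences fall out of the check: the esp line is redundant next to `permit ip host 95.86.133.30 any`, and that `any` means the peer may open any protocol to every inside host that has a static mapping, which is the intended "except 1 specific address" exception but is broader than ESP/UDP 500 alone. Any other outside source still hits the implicit deny.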
