
nat outside inside

thorstenn
Level 4

hi,

I have two external IP ranges. From outside everything is reachable, but from inside I cannot reach the external IP. In some cases this is necessary, though. I have an ASA 55xx with the latest OS. How can I configure the ASA to let internal clients reach the external IP ranges from inside? Do I need a static NAT rule for this? Does someone have an example for me? Thanks and regards.

11 Replies

acomiskey
Level 10

x.x.x.x = external ip

y.y.y.y = internal

same-security-traffic permit intra-interface

static (inside,inside) x.x.x.x y.y.y.y netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0

For ASA version 8.3 these commands won't work, I think.

global (inside) 1 interface

nat (inside) 1 0 0

Old 8.2 and older Dynamic PAT:

nat (inside) 1 0 0
global (outside) 1 interface

#################################

New 8.3 dynamic PAT.
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

-KS


Lunzhicheng7
Level 1

I wonder if you can show us more detail? It's hard to tell where it goes wrong without the configuration.

For example, I have an internal server 172.16.16.10 with a service on port 5467, published on the outside IP 188.156.65.100 on the same port. From a host inside the network with the IP 172.16.16.233 I can perform a "telnet 172.16.16.10 5467" session and get an answer from the service.

From outside everything is fine too. But sometimes there is a need to reach the external IP from INSIDE the LAN.

For example, a host with 172.16.16.233 needs to telnet to "188.156.65.100 5467" from inside. And here is the problem: there is no answer from the service. Do you understand what I mean?

Interface config:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 188.156.65.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.16.1 255.255.0.0
!

Maybe of interest: if I look in the ASA log while I perform a telnet from inside to the outside IP, I see this:

4    Mar 30 2010    03:30:50    106563    188.156.65.1        172.16.16.233        Deny icmp src outside:188.156.65.1 dst inside:172.16.16.233 (type 5, code 1) by access-group "global_access" [0x0, 0x0]

2    Mar 30 2010    03:30:50    106556                    Deny IP spoof from (188.156.65.1) to 188.156.65.100 on interface outside

object network obj-188.156.65.100
    host 188.156.65.100
    nat (inside,inside) static 172.16.16.233

OK, for the whole subnet:

object network obj-172.16.16.0
     subnet 172.16.16.0 255.255.255.0

object network obj-188.156.65.0
    subnet 188.156.65.0 255.255.255.0
    nat (inside,inside) static obj-172.16.16.0

Right?

If you are mapping the subnet, it will be translated sequentially, i.e.:

188.156.65.1 --> 172.16.16.1

188.156.65.2 --> 172.16.16.2

Since you have already configured a specific translation before, you would need to do it per IP address for whatever mapping you configured earlier in the (inside,outside) translation.

OK, I tried it with a single NAT and not the whole range, but it seems not to work for me. Here is what I've configured now for the address:

nat (inside,outside) source static 172.16.16.10 188.156.65.100

object network 188.156.65.100
nat (inside,inside) static 172.16.16.10

I'm not quite sure whether I misunderstood the meaning. In the case of your example, since your internal user (172.16.16.233) needs to visit an internal server (172.16.16.10), the traffic seems to have no need to go through the firewall; the two IP addresses are in the same subnet. If you want the internal users to see the server as a NATed address, you may need to add one more translation entry, "static (inside,inside) 188.156.65.100 172.16.16.10", and meanwhile you need to add "same-security-traffic permit intra-interface".

I have tried this. See my post before.
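The 8.3-and-later hairpin (U-turn) NAT the thread is working toward, written out as an added example; this is not configuration posted by anyone above. It uses the addresses from the thread (server 172.16.16.10 published as 188.156.65.100, clients in 172.16.16.0/24 as in the subnet object posted earlier) and object names of my choosing (obj-SERVER, obj-PUBLIC, obj-LAN). The part the object-NAT attempts above leave out is the source translation: with destination translation only, the server answers 172.16.16.233 directly from 172.16.16.10 on the same subnet, and the client discards a reply that does not come from the 188.156.65.100 it connected to. Translating the client source to the inside interface address forces the reply back through the ASA, which then untranslates both ends.

```cisco
! Hairpin NAT for ASA 8.3+ (added example; object names are assumed)
same-security-traffic permit intra-interface
!
object network obj-SERVER
 host 172.16.16.10
object network obj-PUBLIC
 host 188.156.65.100
object network obj-LAN
 subnet 172.16.16.0 255.255.255.0
!
! Publication of the server on the outside interface (the rule the
! poster already has, using objects instead of literal addresses)
nat (inside,outside) source static obj-SERVER obj-PUBLIC
!
! U-turn for clients on inside that connect to the public address.
! Destination 188.156.65.100 becomes 172.16.16.10, and the client
! source is PAT'd to the inside interface address so the server's
! reply returns via the ASA rather than directly to the client.
nat (inside,inside) source dynamic obj-LAN interface destination static obj-PUBLIC obj-SERVER
!
! Check from the ASA CLI (client port 40000 is a constructed value):
! packet-tracer input inside tcp 172.16.16.233 40000 188.156.65.100 5467
! The NAT phase should show the (inside,inside) rule above and the
! final result should be "allow".
```

Both twice NAT rules sit in section 1 and are evaluated in the order entered, so keep the hairpin rule above any broad (inside,outside) dynamic PAT placed in the same section. A consequence of the source PAT is that the server's own logs show connections from the ASA inside interface address rather than from the individual clients.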
