NAT question

rexpetersen
Level 1

Hi

Hope someone can help me with the following problem.

I have an ASA 5510 that looks like this:

INTERFACE 0: DHCP (OUTSIDE)

INTERFACE 1: 10.45.0.1 255.255.255.0

INTERFACE 2: 192.168.0.1 255.255.255.0

I need to access the net (10.45.0.0 255.255.255.0) on INTERFACE 1 from all IP addresses (192.168.0.1 255.255.255.0) on INTERFACE 2

But all INTERFACE 2 addresses shall be translated to one single address (10.45.0.15) at INTERFACE 1

How can I do that?

Thanks

Rex

10 Replies

rizwanr74
Level 7

What version of your ASA?

8.03

I am not so sure of your interface names on your FW.

But I could assume as follows. In case they are not set up on your FW, please change the names in brackets (i.e. the interface names) to reflect your ASA interface names.

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

INTERFACE 2: assumed security level less than 100.

INTERFACE 1: assumed security level equal to 100.

I hope this helps.

Thanks

Rizwan Rafeek.

rizwanr74

The way you suggest, NAT 1 to 1, a.a.a.1 will translate to b.b.b.1, a.a.a.2 translate to b.b.b.2.

The way I want it is that the entire a.a.a.a network will be translated to one single b.b.b.b address. Like PAT.

Best regards

Rex

dmz = INTERFACE 1:

inside = INTERFACE 2:

access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.45.0.0 255.255.255.0


global (dmz) 45 10.45.0.15
nat (inside) 45 access-list policy-nat

Let me know, if this helps.

thanks

Hi

Back on work after a great weekend :-)

OK i get the idea to make a virtual interface.

I have now implemented it, but somehow I can't get the access-list triggered??

Even if I try, for a short test, to put in ANY ANY ... nothing triggers the access-list.

Best regards

Rex

Hi Rex,

I think that the access-list for nat is too restrictive....

try

access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 any

Regards

Amanda

Hi Amanda

Same problem ... no hits on the access-list.

Here is my setup:


interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address x.x.x.154 255.255.255.240


interface Ethernet0/1.40
vlan 123
nameif KUNDENET
security-level 60

ip address 192.168.123.1 255.255.255.0


interface Ethernet0/1.60
vlan 130
nameif SAS_LAN_10
security-level 55
ip address 10.45.0.1 255.255.248.0

access-list policy-nat extended permit ip 10.45.0.0 255.255.248.0 192.168.123.0 255.255.255.0

global (KUNDENET) 45 192.168.123.121
nat (SAS_LAN_10) 45 access-list policy-nat

global (OUTSIDE) 1 interface
global (KUNDENET) 45 192.168.123.121

nat (SAS_LAN_10) 0 access-list NO_NAT
nat (SAS_LAN_10) 45 access-list policy-nat
nat (SAS_LAN_10) 1 10.45.0.0 255.255.248.0

nat (KUNDENET) 0 access-list NO_NAT
nat (KUNDENET) 1 192.168.123.0 255.255.255.0


The NO_NAT entries are for some VPN tunnels.

// Rex

You need an ACL permit entry to enter the high security (KUNDENET) zone interface from the lower security (SAS_LAN_10) zone interface.

access-list kundenet-in extended permit ip 10.45.0.0 255.255.248.0 192.168.123.0 255.255.255.0

access-group kundenet-in in interface KUNDENET

let me know, if that helps.

thanks

Rizwan Rafeek

Hi Rex

Try a couple of things for me please.

Use the show nat command to see what NAT will be applied to the various interfaces and try setting the SAS_LAN_10 interface security level to 60.

Use the same-security-traffic permit inter-interface command.

The nat works by letting traffic from a protected interface go to a less protected or same level interface (with the command above).

Thanks very much

Regards,

Amanda Lalli-Cafini
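To see why the policy-nat ACL never gets hits, here is an added example (not from the thread or from Cisco) that models the pre-8.3 nat/global lookup for Rex's posted config: NAT exemption first, then the security-level direction check Amanda describes, then policy NAT ahead of regular nat. The NO_NAT ACL is not shown in the thread, so it is assumed empty; the outside PAT address is represented by the string "interface".

```python
import ipaddress

# Constructed model of the ASA 8.0 config posted above (pre-8.3 nat/global syntax).
LEVELS = {"OUTSIDE": 0, "KUNDENET": 60, "SAS_LAN_10": 55}
ACLS = {
    "NO_NAT": [],                      # assumed: the VPN exemption entries are not shown
    "policy-nat": [("10.45.0.0/21", "192.168.123.0/24")],
}
GLOBALS = {("OUTSIDE", 1): "interface", ("KUNDENET", 45): "192.168.123.121"}
NATS = [  # (ingress interface, nat_id, ACL name or source network), in config order
    ("SAS_LAN_10", 0, "NO_NAT"),
    ("SAS_LAN_10", 45, "policy-nat"),
    ("SAS_LAN_10", 1, "10.45.0.0/21"),
    ("KUNDENET", 0, "NO_NAT"),
    ("KUNDENET", 1, "192.168.123.0/24"),
]

def acl_match(name, src, dst):
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS[name])

def nat_match(match, src, dst):
    """A nat entry references either an ACL (policy NAT) or a source network."""
    if match in ACLS:
        return acl_match(match, src, dst)
    return src in ipaddress.ip_network(match)

def lookup(src, dst, ingress, egress, levels=LEVELS, same_security=False):
    """Return (rule kind, translated source or reason) for a new connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # nat 0 access-list (NAT exemption) is consulted before anything else.
    for ifc, nid, match in NATS:
        if ifc == ingress and nid == 0 and acl_match(match, src, dst):
            return ("exempt", str(src))
    # Dynamic nat/global pairs apply from a higher-security interface to a lower
    # one, or between equal levels only with same-security-traffic permit.
    lo, hi = levels[ingress], levels[egress]
    if lo < hi or (lo == hi and not same_security):
        return ("not-applied", f"{ingress}({lo}) -> {egress}({hi}) is not higher-to-lower")
    # Policy NAT (nat with an access-list) is preferred over regular nat.
    for want_policy in (True, False):
        for ifc, nid, match in NATS:
            if ifc != ingress or nid == 0 or (match in ACLS) != want_policy:
                continue
            if nat_match(match, src, dst) and (egress, nid) in GLOBALS:
                return ("policy-pat" if want_policy else "pat", GLOBALS[(egress, nid)])
    return ("untranslated", str(src))
```

With the levels as posted (55 into 60) the lookup stops before the policy-nat ACL is ever evaluated, which matches the "no hits" symptom; raising SAS_LAN_10 to 60 with same-security-traffic enabled makes the PAT to 192.168.123.121 apply.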
