Cisco Support Community
New Member

NAT Trickery on ASA 9.1

Hi,

I am configuring a pair of 5525X's running 9.1, migrating from some 5520's running 8.2.5, so the NAT portion is obviously going to be different.

Topology is straightforward: 4 interfaces, Inside, Outside, DMZ1 and DMZ2. For some reason, all 3 internal segments (Inside, DMZ1 and DMZ2) host public services, so NAT translations exist to support this.

Due to some poor decisions made in the past, some applications on the Inside segment access DMZ services using public addresses, while others use the private addresses. I was able to work around this in version 8.2 and earlier with Static Policy NAT, such that internal hosts can access DMZ servers on either the public or private addresses.

I think I figured this out for version 9.1 as well, but would like some verification before I deploy and find a gotcha or caveat that didn't show up during testing.

Here's a sanitized version of the config... hopefully the object group names are self-explanatory.

nat (any,any) source static any any destination static All_DMZ_Subnets All_DMZ_Subnets no-proxy-arp
!
nat (any,any) source static any any destination static All_Internal_Subnets All_Internal_Subnets no-proxy-arp
!
object network smtp.example.com_dmz1
 nat (DMZ1,any) static smtp.example.com_public
!
object network extranet.example.com_dmz2
 nat (DMZ2,any) static extranet.example.com_public
!
object network ftp.example.com_inside
 nat (inside,any) static ftp.example.com_public

Before inserting the NAT statements at the beginning, inside hosts could only use the public addresses. Alternatively, if I use nat (DMZ1,outside) under each object, then inside hosts can only use the private addresses.

So is this correct?

2 REPLIES
Super Bronze

NAT Trickery on ASA 9.1

Hi,

I am not sure what the first 2 NAT configurations are for?

nat (any,any) source static any any destination static All_DMZ_Subnets All_DMZ_Subnets no-proxy-arp
!
nat (any,any) source static any any destination static All_Internal_Subnets All_Internal_Subnets no-proxy-arp

I would personally avoid using NAT configurations that use the "any" parameter. They can result in unexpected or problematic behaviour with traffic forwarding.

But could you first explain what these would be used for?

With regards to the Auto NAT / Network Object NAT configurations:

Having the destination interface set as "any" means that the translation will be done towards all other interfaces.

Having the destination interface set to some specific interface on the ASA means naturally that the translation will only happen towards that interface.

Naturally, if you can build the configuration you need to implement in the old 8.2 (and below) format, then I can take a look at what kind of configuration you would need with the new NAT configuration format.

- Jouni

New Member

NAT Trickery on ASA 9.1

The conundrum is that for one reason or another (the validity of these reasons is not in scope for this discussion), we need to be able to reach DMZ systems via either their public or private addresses.

In version 8.2 and earlier, I used Static Policy NAT.

All names and addresses are made up, example only.

10.0.0.100 = private address of the SMTP server.
172.16.255.100 = public address of the SMTP server.
192.168.0.0/16 = inside subnet.

access-list outside_nat_dmz1_smtp extended permit ip host 10.0.0.100 any
!
static (DMZ1,outside) 172.16.255.100 access-list outside_nat_dmz1_smtp
!
static (DMZ1,inside) 172.16.255.100 access-list outside_nat_dmz1_smtp
!

The portion above allowed both the inside and outside networks to access the SMTP server via the public address.

The portion below allows the inside network to ALSO use the private address...

static (DMZ1,inside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
!
static (inside,DMZ1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
!

With the config above, inside hosts can access the DMZ1 systems on either the private or public address.

In 8.3 and later (9.1 on our new hardware), if I do this...

object network smtp.example.com_dmz1
 nat (DMZ1,outside) static smtp.example.com_public
!

...inside hosts must use the private address.

If I do this...

object network smtp.example.com_dmz1
 nat (DMZ1,any) static smtp.example.com_public
!

...inside hosts must use the public address.

In testing, it appears that adding this line before the object NAT allows either to work...

nat (any,any) source static any any destination static All_DMZ_Subnets All_DMZ_Subnets no-proxy-arp
!
object network smtp.example.com_dmz1
 nat (DMZ1,any) static smtp.example.com_public
!

Adding this one does the same thing for the internal machines that are hosting public services...

nat (any,any) source static any any destination static All_Internal_Subnets All_Internal_Subnets no-proxy-arp
!

Besides the (any,any) issue, what gotchas might I run into? This seems to work in test, but it just seems weird.
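An added example (not from either poster) of the same two-rule approach with the identity rule scoped to the interface pair it is meant for instead of (any,any), which is the concern raised in the first reply. The object names All_Internal_Subnets, All_DMZ_Subnets, smtp.example.com_dmz1 and smtp.example.com_public and the addresses 10.0.0.100 / 172.16.255.100 are the poster's; the inside host 192.168.1.10 and the verification commands at the end are assumptions added for illustration.

```cisco
! Objects referenced by the NAT rules (addresses as given in the thread)
object network smtp.example.com_dmz1
 host 10.0.0.100
object network smtp.example.com_public
 host 172.16.255.100
!
! Section 1 (manual / twice NAT): identity rule so inside hosts can reach DMZ1 on the private
! addresses. Scoped to (inside,DMZ1) so it can never match flows on other interface pairs.
! Inside traffic sent to the PUBLIC address does not match this rule (172.16.255.100 is not in
! All_DMZ_Subnets), so it falls through to the object NAT rule below and is untranslated there.
nat (inside,DMZ1) source static All_Internal_Subnets All_Internal_Subnets destination static All_DMZ_Subnets All_DMZ_Subnets no-proxy-arp
!
! Section 2 (object / auto NAT): public address for the SMTP server towards every other interface,
! which is what lets both outside and inside hosts use 172.16.255.100.
object network smtp.example.com_dmz1
 nat (DMZ1,any) static smtp.example.com_public
!
! Verification (constructed inside host 192.168.1.10): confirm which rule each flow hits
! show nat detail
! packet-tracer input inside tcp 192.168.1.10 12345 10.0.0.100 25
! packet-tracer input inside tcp 192.168.1.10 12345 172.16.255.100 25
```

The first packet-tracer run should show the section 1 identity rule (no translation) and the second should show the section 2 object rule untranslating 172.16.255.100 to 10.0.0.100; if either run reports a different NAT line, the rule order is not what you expect and should be corrected before deployment. Because the identity rule names a destination interface, 8.4(2) and later pick the egress interface from the NAT rule rather than the routing table; append route-lookup to the rule if you need route-based egress selection.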
