This is my first post here, so sorry if I mess something up.
I have a rather simple requirement, but I've lost hours trying to implement it on FWSM.
I need to configure NAT on destination IP address only for requests coming from outside.
The packet that will hit the firewall looks like this:
It will hit outside interface with security level 20
I want the firewall to translate the DST IP of that packet, so that the packet on the inside interface will look like this:
Then the server 10.100.14.10 has a route to 10.111/23 and will reply to the firewall, and I expect the firewall to use its xlate table to NAT that packet back so it looks like it originated from 192.168.252.10. Unfortunately there is no answer from the server (Bs flags).
The static command that you have: static (inside,outside) 192.168.252.10 10.100.14.10
What it is saying is that if somebody hits 192.168.252.10 from the outside, the firewall will translate that IP to 10.100.14.10 and vice versa.
Is 10.100.14.10 part of the inside of the firewall? In other words, is 10.100.14.10 the real IP of the internal device? Can you get out through the firewall and get a response if you source the packet from 10.100.14.10?
You mentioned that the FW has a route to 10.111.x.x (where the packet is coming from), but does the 10.100.14.10 device have a route to 10.111.x.x pointing to the firewall?
Yes, I see connections made from 10.100.14.10 on other interfaces. I don't have access to that host to try sourcing a packet from it.
Yes, the device has a correct route to 10.111.x.x.
What the firewall doesn't have is a correct route to 192.168.252.x. It has a default route.
The 192.168.252.x addresses are used only for NAT (there are no hosts with such IP addresses).
How can I check what the packet's destination IP address is after NAT? Is that info in the xlate table? I don't quite understand this entry in the xlate table:
NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:00:29 timeout 3:00:00 connections 1
Last question: if the firewall dropped the packet due to a routing issue, would I always see a syslog message like "ASA-6-110001: No route to a.a.a.a from b.b.b.b", or is that not the case? I do not see that message in the syslog.
I had some sleep, and the first thing in the morning I removed that line and re-applied it.
Now I have the correct xlate entry:
NAT from inside:10.100.252.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0
Note the "s" flag in the xlate, compared to the "I" flag before, and the IP addresses are correct. Honestly, I don't know what I had wrong there, and I'm sure I tested last night with this config and it didn't work.
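The difference between the two xlate entries in this thread is in the flags: "Ii" is an identity translation (the firewall leaves 192.168.252.10 untouched, so nothing is ever forwarded to 10.100.14.10), while "si" is the static inside translation the `static (inside,outside)` command is supposed to create. The following script is an added example, not code from the thread or from Cisco: it decodes `show xlate` lines using the flag legend that FWSM and pre-8.3 ASA print with that command (verify it against your own firewall's legend), and checks whether the xlate table actually contains the static translation you configured. The sample output is constructed, modelled on the two entries above, with the real address of the second entry taken from the `static` command (10.100.14.10).

```python
"""Decode FWSM / pre-8.3 ASA `show xlate` output and verify a static NAT.

Added example, not from the original thread or from Cisco. Flag letters
follow the legend `show xlate` prints on FWSM and pre-8.3 ASA code.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Legend printed by `show xlate` on FWSM / ASA before 8.3.
XLATE_FLAGS = {
    "D": "DNS", "d": "dump", "I": "identity", "i": "inside",
    "n": "no random", "o": "outside", "r": "portmap", "s": "static",
}

# One "NAT from <ifc>:<real> to <ifc>:<mapped> ..." line per translation.
XLATE_RE = re.compile(
    r"^NAT from (?P<real_ifc>[^:\s]+):(?P<real_ip>\S+)"
    r" to (?P<mapped_ifc>[^:\s]+):(?P<mapped_ip>\S+)"
    r" flags (?P<flags>\S+) idle \S+ timeout \S+ connections (?P<conns>\d+)$"
)


@dataclass
class Xlate:
    real_ifc: str
    real_ip: str
    mapped_ifc: str
    mapped_ip: str
    flags: str
    connections: int

    def flag_names(self) -> List[str]:
        return [XLATE_FLAGS.get(f, f"unknown({f})") for f in self.flags]

    @property
    def is_identity(self) -> bool:
        # "I": the firewall is not rewriting the address at all.
        return "I" in self.flags or self.real_ip == self.mapped_ip

    @property
    def is_static(self) -> bool:
        return "s" in self.flags


def parse_xlate(output: str) -> List[Xlate]:
    """Parse `show xlate` text; the legend and count lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(Xlate(m["real_ifc"], m["real_ip"], m["mapped_ifc"],
                                 m["mapped_ip"], m["flags"], int(m["conns"])))
    return entries


def check_static(entries: List[Xlate], real_ip: str, mapped_ip: str) -> Tuple[bool, str]:
    """Is the translation of `static (inside,outside) <mapped_ip> <real_ip>` present?"""
    for x in entries:
        if x.mapped_ip != mapped_ip:
            continue
        if x.is_identity:
            return False, (f"{mapped_ip} is an identity xlate ({x.flags}); inbound "
                           f"packets keep destination {mapped_ip}, never reach {real_ip}")
        if x.real_ip != real_ip:
            return False, f"{mapped_ip} maps to {x.real_ip}, not {real_ip}"
        if not x.is_static:
            return False, f"{mapped_ip} -> {real_ip} exists but is not static ({x.flags})"
        return True, f"{mapped_ip} -> {real_ip} static xlate present ({x.flags})"
    return False, f"no xlate for mapped address {mapped_ip}"


# Constructed sample output modelled on the thread's two entries.
BROKEN_XLATE = """\
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:00:29 timeout 3:00:00 connections 1
"""

FIXED_XLATE = """\
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
NAT from inside:10.100.14.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0
"""

if __name__ == "__main__":
    for label, text in (("before", BROKEN_XLATE), ("after", FIXED_XLATE)):
        entries = parse_xlate(text)
        for x in entries:
            print(f"{label}: {x.real_ifc}:{x.real_ip} -> {x.mapped_ifc}:{x.mapped_ip}"
                  f" flags {x.flags} = {', '.join(x.flag_names())}")
        print(label, check_static(entries, "10.100.14.10", "192.168.252.10"))
```

Paste the real `show xlate` output into `parse_xlate` and call `check_static` with the two addresses from your `static` line; an identity entry for the mapped address is the symptom seen in the first xlate above, and means the static was not applied as intended, however the command reads in the running config.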