12-09-2011 09:01 AM - edited 03-11-2019 03:01 PM
I need to have the response from a server to reply to a second ASA. We have a firewall for voice traffic, that only has a few routes pointing to it, the default route for the network is out another device. This would be simple if I could change the gateway on the server to be the ASA, but since there are networks internally that would respond directly to the server, the ASA would drop the replies.
I did this on an 8.2 code ASA, but can't figure out how to do it on 8.4.
access-list Outside-Web-Nat extended permit icmp any host x.x.x.x
access-list Outside-Web-Nat extended permit tcp any host x.x.x.x eq https
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside
What do I do on 8.4 to make this work so outside requests from a public IP will be seen as the inside IP of the ASA?
12-09-2011 10:38 AM
How do I do this with the inside interface as the source IP seen by the server?
Outside NAT
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
object network obj-10.1.2.27
host 10.1.2.27
nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
range 10.1.2.30 10.1.2.40
12-09-2011 11:15 AM
Hi,
You can try this:
object network obj-10.1.2.27
host 10.1.2.27
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network obj-10.1.2.30-10.1.2.40
range 10.1.2.30 10.1.2.40
object network obj-10.1.1.5
host 10.1.1.5
nat (dmz,inside) source dynamic obj-10.1.1.0 obj-10.1.2.30-10.1.2.40 destination static obj-10.1.2.27 obj-10.1.1.5
One statement would do it all for you.
Hope that helps.
Thanks,
Varun
12-09-2011 11:25 AM
That doesn't work. The setup I am looking for, which does work pre-8.3, NATs the inside interface to all incoming packets destined to one server so the server sees the IP of the firewall, not the public IP, so it can respond; otherwise the public IP seen by the server will route out its default gateway instead of the ASA, and in this case it gets dropped since the router for their default has no NAT configured.
I tried to use that example above, utilizing the interface IP, not a pool, and it errored.
So if I am 8.8.8.8 and want to get to port 443 on that server, the server needs to see the ASA IP 10.1.1.1 and not 8.8.8.8. Works perfectly on 8.2.
access-list Outside-Web-Nat extended permit icmp any host x.x.x.x
access-list Outside-Web-Nat extended permit tcp any host x.x.x.x eq https
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside
12-09-2011 11:33 AM
Let's just take an example:
your server public ip - 1.1.1.1
server private ip - 10.1.1.1
Then we would need
object network public_ip
host 1.1.1.1
object network private_ip
host 10.1.1.1
nat (outside,inside) source dynamic any interface destination static public_ip private_ip
access-list outside_in permit ip any host 10.1.1.1 (to allow traffic on outside interface)
I have done this before and it works fine.
Thanks,
Varun
12-09-2011 11:36 AM
Thanks, I opened a TAC case on this. I can't experiment on this since it could affect their voice traffic.
06-22-2012 02:34 PM
Hi Varun, old thread, but I was hoping you'd receive a notification if I replied. Your example above worked for me, but now I'm wondering what accomplishes the same mapping, but allows the response to appear to have come from the external Client? I'd like to know what exactly changes the NAT command in 8.4 to SNAT vs. No SNAT?
SNAT = nat (outside,inside) source dynamic any interface destination static public_ip private_ip
No SNAT = ?
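Added example, not posted by anyone in this thread: Varun's 8.4 command placed beside the untranslated-source form asked about above, plus the checks a practitioner would run before trusting either. Addresses and object names are constructed (public 1.1.1.1 and server 10.1.1.1 as in Varun's example; the inside interface address and the access-list name are assumptions), and the port restriction from the original 8.2 access-list is carried by the 8.3+ access-list, which references the real (untranslated) destination address.

```cisco
! Constructed objects: public (mapped) address and real server address.
object network public_ip
 host 1.1.1.1
object network private_ip
 host 10.1.1.1
!
! SNAT form (what the thread settles on): the source is PATed to the ASA
! inside interface address, so the server replies to the ASA regardless of
! where its default route points. The destination is written mapped then
! real, the same order Varun uses.
nat (outside,inside) source dynamic any interface destination static public_ip private_ip
!
! No-SNAT form (assumed answer to the last question): an identity
! translation of the source leaves the real client address intact, so the
! server sees 8.8.8.8 rather than the ASA. This only works when the server's
! return route to the client goes through this ASA; with a default route out
! another device, as the original poster describes, replies never reach the
! ASA and the connection is dropped. Shown commented out for that reason.
! nat (outside,inside) source static any any destination static public_ip private_ip
!
! 8.3+ access-lists match the real address. Only ICMP echo and HTTPS are
! permitted, mirroring the original Outside-Web-Nat list.
access-list outside_in extended permit icmp any object private_ip echo
access-list outside_in extended permit tcp any object private_ip eq https
access-group outside_in in interface outside
!
! Verification: trace a constructed client (8.8.8.8) to the public address
! and confirm the NAT phase shows the expected source and destination
! translation, then check that the rule's hit counter increments.
packet-tracer input outside tcp 8.8.8.8 40000 1.1.1.1 443
show nat detail
show xlate
```

With the SNAT rule in place, packet-tracer should report the source translated to the inside interface address and the destination to 10.1.1.1; if the translated source is still 8.8.8.8, the dynamic rule was not matched and a more specific or earlier rule (show nat) is taking precedence.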