Outside NAT source IP inside IP ver 8.4

tahequivoice
Level 2

I need to have the response from a server reply to a second ASA. We have a firewall for voice traffic that only has a few routes pointing to it; the default route for the network is out another device. This would be simple if I could change the gateway on the server to be the ASA, but since there are networks internally that would respond directly to the server, the ASA would drop the replies.

I did this on an 8.2 code ASA, but can't figure out how to do it on 8.4.

access-list Outside-Web-Nat extended permit icmp any host x.x.x.x
access-list Outside-Web-Nat extended permit tcp any host x.x.x.x eq https
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside

What do I do on 8.4 to make this work so outside requests from a public IP will be seen as the inside IP of the ASA?

6 Replies

tahequivoice
Level 2

How do I do this with the inside interface as the source IP seen by the server?

Outside NAT

global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

object network obj-10.1.2.27
   host 10.1.2.27
   nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40

Hi,

You can try this:

object network obj-10.1.2.27
   host 10.1.2.27

object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0

object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40

object network obj-10.1.1.5
   host 10.1.1.5

nat (dmz,inside) source dynamic obj-10.1.1.0 obj-10.1.2.30-10.1.2.40 destination static obj-10.1.1.5 obj-10.1.2.27

One statement would do it all for you.

Hope that helps.

Thanks,
Varun


That doesn't work. The setup I am looking for, which does work with pre-8.3, NATs the inside interface onto all incoming packets destined to one server so the server sees the IP of the firewall, not the public IP, so it can respond; otherwise the public IP seen by the server will route out its default gateway instead of the ASA, and in this case it gets dropped since the router for their default has no NAT configured.

I tried to use that example above, utilizing the interface IP, not a pool, and it errored.

So if I am 8.8.8.8 and want to get to port 443 on that server, the server needs to see the ASA IP 10.1.1.1 and not 8.8.8.8. Works perfectly on 8.2.

access-list Outside-Web-Nat extended permit icmp any host x.x.x.x
access-list Outside-Web-Nat extended permit tcp any host x.x.x.x eq https
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside

Let's just take an example:

your server public IP - 1.1.1.1

server private IP - 10.1.1.1

Then we would need

object network public_ip
   host 1.1.1.1

object network private_ip
   host 10.1.1.1

nat (outside,inside) source dynamic any interface destination static public_ip private_ip

access-list outside_in permit ip any host 10.1.1.1  (to allow traffic on the outside interface)

I have done this before and it works fine.

Thanks,

Varun


Thanks, I opened a TAC case on this. I can't experiment on this since it could affect their voice traffic.

Hi Varun, old thread, but I was hoping you'd receive a notification if I replied.  Your example above worked for me, but now I'm wondering what accomplishes the same mapping, but allows the response to appear to have come from the external Client?  I'd like to know what exactly changes the NAT command in 8.4 to SNAT vs. No SNAT? 

SNAT = nat (outside,inside) source dynamic any interface destination static public_ip private_ip

No SNAT = ?
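As an added illustration (editor's example, not code from the thread or from Cisco), the following Python helper reads the pre-8.3 `access-list` / `global` / `nat ... outside` triplet from the first post and emits the 8.3+ objects plus the single twice-NAT line that Varun's working answer uses. The addresses 203.0.113.10 (in place of the thread's x.x.x.x) and 10.1.1.5 are constructed. The `translate_source=False` branch emits the identity-source form (`source static any any ...`), which is the usual 8.3+ way to rewrite only the destination and so leaves the real client address visible to the server; the thread itself does not show that form, so treat it as the editor's reading of the final question, to be verified on a lab box before use.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the pre-8.3 "outside NAT" triplet from the thread,
# with the thread's x.x.x.x placeholder replaced by a documentation address.
PRE_83_CONFIG = """
access-list Outside-Web-Nat extended permit icmp any host 203.0.113.10
access-list Outside-Web-Nat extended permit tcp any host 203.0.113.10 eq https
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside
"""


@dataclass
class OutsideNat:
    acl: str        # ACL that selected the client->server flows
    public_ip: str  # address the clients connect to
    src_ifc: str    # interface the client traffic arrives on (nat (X) ...)
    dst_ifc: str    # interface the server sits behind (global (Y) ...)
    pool: str       # "interface" or an a.b.c.d-e.f.g.h range


def parse_pre83(text: str) -> list[OutsideNat]:
    """Collect ACL hosts, global pools and outside-NAT statements and
    join them on the shared NAT id."""
    acl_hosts: dict[str, set[str]] = {}
    pools: dict[str, tuple[str, str]] = {}
    nats: list[tuple[str, str, str]] = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) extended permit \S+ any host (\S+)", line)
        if m:
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
        if m:
            pools[m.group(2)] = (m.group(1), m.group(3))
            continue
        m = re.match(r"nat \((\S+)\) (\d+) access-list (\S+) outside", line)
        if m:
            nats.append((m.group(1), m.group(2), m.group(3)))
    rules = []
    for src_ifc, nat_id, acl in nats:
        if nat_id not in pools:
            raise ValueError(f"nat id {nat_id} has no matching global")
        dst_ifc, pool = pools[nat_id]
        hosts = acl_hosts.get(acl, set())
        if len(hosts) != 1:
            raise ValueError(f"ACL {acl} must select exactly one destination host")
        rules.append(OutsideNat(acl, next(iter(hosts)), src_ifc, dst_ifc, pool))
    return rules


def to_84(rule: OutsideNat, private_ip: str, translate_source: bool = True) -> list[str]:
    """Emit the 8.3+ network objects and the single twice-NAT line.
    private_ip is the server's real address (constructed here)."""
    lines = [
        "object network public_ip",
        f" host {rule.public_ip}",
        "object network private_ip",
        f" host {private_ip}",
    ]
    if not translate_source:
        # identity source NAT: server still sees the real client address
        source = "source static any any"
    elif rule.pool == "interface":
        # clients appear as the dst_ifc interface address (the thread's case)
        source = "source dynamic any interface"
    else:
        # pre-8.3 pool range becomes a range object (editor's assumption)
        pool_obj = "obj-" + rule.pool
        first, last = rule.pool.split("-")
        lines += [f"object network {pool_obj}", f" range {first} {last}"]
        source = f"source dynamic any {pool_obj}"
    lines.append(
        f"nat ({rule.src_ifc},{rule.dst_ifc}) {source} "
        "destination static public_ip private_ip"
    )
    return lines


if __name__ == "__main__":
    for rule in parse_pre83(PRE_83_CONFIG):
        print("\n".join(to_84(rule, "10.1.1.5")))
        print("--- destination-only variant ---")
        print("\n".join(to_84(rule, "10.1.1.5", translate_source=False)))
```

One operational consequence of the source-translating form worth planning for: every client reaches the server with the ASA's inside interface address, so the server's own access logs no longer identify clients and attribution has to come from the ASA's connection logs (syslog 302013/302014 style build/teardown records). The identity-source form keeps client addresses visible but brings back the asymmetric-routing problem the original poster describes, so it only works when the server's return path actually goes through the ASA.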
