Source NAT on ASA 9.1

Hi guys,

I'm trying to configure NAT on an ASA in the following way:

IN 192.168.1.1:443 <- 172.16.1.1:443 OUT - static PAT

IN 192.168.1.13:25 <- 172.16.1.1:25 OUT - static PAT

IN 192.168.1.1, 1.13 -> 172.16.1.1 OUT

IN 192.168.1.0/24 -> 172.16.1.2 OUT - dynamic PAT

How can I map only 192.168.1.1 and 192.168.1.13 to the external IP 172.16.1.1 when they send traffic out?

Everything else should go out with 172.16.1.2.

Thanks.

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

If I understood you correctly you want to do the following

  • Configure 2 Static PAT configurations for SMTP and HTTPS
  • Configure a Dynamic PAT for outbound traffic for the 2 Static PAT hosts
  • Configure a default Dynamic PAT rule for all other outbound traffic

I think the following should accomplish this

STATIC PAT

object network STATIC-PAT-HTTPS
 host 192.168.1.1
 nat (inside,outside) static 172.16.1.1 service tcp https https

object network STATIC-PAT-SMTP
 host 192.168.1.13
 nat (inside,outside) static 172.16.1.1 service tcp smtp smtp

SERVER DYNAMIC PAT

object-group network SERVERS-PAT-SOURCE
 network-object host 192.168.1.1
 network-object host 192.168.1.13

object network SERVER-PAT
 host 172.16.1.1

nat (inside,outside) after-auto 1 source dynamic SERVERS-PAT-SOURCE SERVER-PAT

DEFAULT DYNAMIC PAT

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0

object network DEFAULT-PAT
 host 172.16.1.2

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE DEFAULT-PAT

Naturally the above presumes you have no other conflicting NAT configurations that might interfere with the operation of these configurations.

Notice that the Dynamic PAT configuration for the 2 server IP addresses has an added order/line number "1". This makes sure that the rule is hit first in Section 3 of the NAT rules. Naturally there is still a possibility that the NAT could be overridden depending on your existing configurations.

Notice also that we don't add any such order/line number in the other Dynamic PAT configuration that is meant for all the other outbound traffic. This means that the NAT rule is added at the bottom of the existing NAT rules in Section 3.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni


5 Replies


Hi Jouni,

Thanks for the reply.

It works great.

Thanks.

Hi Jouni,

Short question.

How can I integrate the NAT exemption rules for VPN traffic?

If I run a packet tracer with the regular NAT exemption and the Section 3 rules, the packet will be dropped.

e.g.: nat (inside,outside) source static LAN LAN destination static VPN VPN -> this will end up in Section 1/Manual NAT and will not be matched.

LAN: 192.168.1.0

Thanks.

Hi,

I am not quite sure I follow you.

Are you saying that you have some NAT Exempt rule for VPN traffic and it's not getting matched at all?

Could you share the "packet-tracer" command you used and the NAT Exempt configuration with the object configurations included?

- Jouni

My bad.

Previously I modified the object to another range.

It works as expected.

Thanks again.
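The ordering behaviour this thread turns on (a service static PAT in Section 2 that only catches traffic sourced from the real port, the "after-auto 1" server rule evaluated ahead of the default PAT in Section 3, and a Section 1 identity rule for VPN traffic that silently stops matching when its object is changed to another range) is modelled below in Python. This is an added example, not ASA code and not part of the original thread: it is a simplified first-match model (Section 2 only orders static before dynamic, dynamic PAT ports are reported as "ephemeral"), and the VPN network 10.0.0.0/24, the Internet destination 203.0.113.10 and the mis-scoped LAN object 192.168.2.0/24 are constructed placeholders that do not appear in the thread.

```python
"""Toy model of ASA NAT rule ordering (Sections 1-3) using the thread's objects.

Added example, not ASA code and not the poster's configuration. Simplifications:
first match wins within a section, Section 2 only orders static before dynamic,
and dynamic PAT ports are reported as "ephemeral". The VPN network, the Internet
destination and the mis-scoped LAN object are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Objects from the accepted answer; VPN is a hypothetical remote network.
SERVERS_PAT_SOURCE = ["192.168.1.1/32", "192.168.1.13/32"]
DEFAULT_PAT_SOURCE = ["192.168.1.0/24"]
LAN = ["192.168.1.0/24"]
VPN = ["10.0.0.0/24"]  # constructed, not from the thread


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    section: int                       # 1 manual, 2 object (auto), 3 after-auto manual
    name: str
    real_src: list                     # real source object(s) as CIDR strings
    mapped_src: Optional[str]          # mapped source host; None = identity (no change)
    kind: str = "dynamic"              # "static" or "dynamic"
    real_dst: Optional[list] = None    # twice NAT: real destination condition
    real_port: Optional[int] = None    # service static PAT: real (source) port
    mapped_port: Optional[int] = None  # service static PAT: mapped port

    def matches(self, p: Packet) -> bool:
        def in_any(addr, nets):
            return any(ip_address(addr) in ip_network(n) for n in nets)
        if not in_any(p.src, self.real_src):
            return False
        if self.real_dst is not None and not in_any(p.dst, self.real_dst):
            return False
        # A service static PAT matches outbound packets only when the *source* port
        # is the real port, so a browser session from the server never hits it.
        if self.real_port is not None and p.sport != self.real_port:
            return False
        return True


class NatTable:
    def __init__(self) -> None:
        self.sections = {1: [], 2: [], 3: []}

    def add(self, rule: Rule, line: Optional[int] = None) -> None:
        rules = self.sections[rule.section]
        if line is None:
            rules.append(rule)            # no line number: bottom of the section
        else:
            rules.insert(line - 1, rule)  # "after-auto 1" style explicit position

    def ordered(self, section: int) -> list:
        rules = self.sections[section]
        if section == 2:  # object NAT: static rules are evaluated before dynamic ones
            return sorted(rules, key=lambda r: 0 if r.kind == "static" else 1)
        return rules

    def lookup(self, p: Packet):
        """Return (section, rule name, mapped source, mapped source port) of the first match."""
        for section in (1, 2, 3):
            for r in self.ordered(section):
                if not r.matches(p):
                    continue
                mapped_src = p.src if r.mapped_src is None else r.mapped_src
                if r.mapped_port is not None:
                    mapped_port = r.mapped_port
                elif r.kind == "static":
                    mapped_port = p.sport          # identity / one-to-one keeps the port
                else:
                    mapped_port = "ephemeral"      # dynamic PAT picks a free mapped port
                return section, r.name, mapped_src, mapped_port
        return None


def build_thread_table(lan_object: list = LAN) -> NatTable:
    """Load the thread's rules; lan_object lets you reproduce the mis-scoped exemption."""
    t = NatTable()
    # Section 1: NAT exemption for VPN traffic (source static LAN LAN destination static VPN VPN)
    t.add(Rule(1, "VPN-EXEMPT", lan_object, None, kind="static", real_dst=VPN))
    # Section 2: the two static service PATs
    t.add(Rule(2, "STATIC-PAT-HTTPS", ["192.168.1.1/32"], "172.16.1.1", kind="static", real_port=443, mapped_port=443))
    t.add(Rule(2, "STATIC-PAT-SMTP", ["192.168.1.13/32"], "172.16.1.1", kind="static", real_port=25, mapped_port=25))
    # Section 3: default PAT added first, then the server PAT inserted at line 1,
    # which is what "after-auto 1" guarantees regardless of typing order.
    t.add(Rule(3, "DEFAULT-PAT", DEFAULT_PAT_SOURCE, "172.16.1.2"))
    t.add(Rule(3, "SERVER-PAT", SERVERS_PAT_SOURCE, "172.16.1.1"), line=1)
    return t


if __name__ == "__main__":
    table = build_thread_table()
    for pkt in (Packet("192.168.1.1", 51000, "203.0.113.10", 80),   # server browsing out
                Packet("192.168.1.50", 51000, "203.0.113.10", 80),  # ordinary client
                Packet("192.168.1.1", 443, "203.0.113.10", 51000),  # sourced from tcp/443
                Packet("192.168.1.1", 51000, "10.0.0.5", 22)):      # to the VPN network
        print(pkt, "->", table.lookup(pkt))
    # The thread's "my bad": a LAN object that no longer covers the real source range
    # makes Section 1 miss, so VPN-bound traffic falls through to Section 3 and is PATed.
    print(build_thread_table(["192.168.2.0/24"]).lookup(Packet("192.168.1.1", 51000, "10.0.0.5", 22)))
```

Running the script walks four constructed packets through the table: the two server hosts leave via SERVER-PAT (172.16.1.1) and everyone else via DEFAULT-PAT (172.16.1.2), only packets sourced from tcp/443 or tcp/25 hit the Section 2 static PATs, and VPN-bound traffic is left untouched by the Section 1 exemption. The last line reproduces the follow-up problem: once the LAN object is changed to a range that does not contain the real source, the exemption never matches and the packet is translated by Section 3 instead, which is the case to look for first when packet-tracer shows VPN traffic being NATed and dropped.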
