New Member

Two ASA NAT (8.2) - 1st ASA DUAL-NATs, 2nd ASA Pics up

Hello,

I have a requirement which I am trying to simulate as below:

[Host1]192.168.15.100------192.168.15.1[in ASA1 out]172.16.151.254------172.16.151.254[out ASA2 in]192.168.200.2------192.168.200.10[Host2]

Both ASAs run 8.2. I can simulate this successfully using 8.3 and twice NAT, but an upgrade of the production devices is not an option at the moment. So I need to make it work with 8.2.

ASA1 dual NATs with the following:

ASA1
---------
nat (inside) 5 192.168.15.100
global (outside) 5 interface
static (outside,inside) 172.16.150.39 172.16.151.1 netmask 255.255.255.255

172.16.150.39 being the outside mapped IP. I would then like ASA2 to pick up this "hand-off" IP and send it to Host2 with something like:

ASA2
----------
static (inside,outside) 172.16.151.39 192.168.200.10 netmask 255.255.255.255

ASA1 is fine, as on ASA2 I can see both source and destination IPs translated. However, ASA2 is not doing it the way I imagined it.

Could you tell me what I am missing please?

Thanks

Recep

8 REPLIES
Super Bronze

Hi,

I am not 100% sure I understood the setup.

To me it seems that the IP address 172.16.150.39 is the NAT IP address to which the host on the ASA1 inside connects. This destination IP address is then UN-NATed to 172.16.151.1, to which the packet is forwarded.

However, in the ASA2 NAT configuration there is no mention of this IP address.

So it would seem to me that the actual NAT on the ASA2 should be something like this:

static (inside,outside) 172.16.151.1 192.168.200.10 netmask 255.255.255.255

The ASA1 will be forwarding the traffic destined to 172.16.150.39 to 172.16.151.1 after the UN-NAT on the ASA1, so I would imagine that IP address should be the NAT IP address on the ASA2.

- Jouni

New Member

Hi again,

Reposting due to a couple of errors in my original post:

I have a requirement which I am trying to simulate as can be summarised below:

[Host1]192.168.15.100----192.168.15.1[in ASA1 out]172.16.151.254----172.16.151.254[out ASA2 in]192.168.200.2------192.168.200.10[Host2]

Both ASAs run 8.2. I can simulate this successfully using 8.3 and twice NAT, but an upgrade of the production devices is not an option at the moment. So I need to make it work with 8.2.

ASA1 dual NATs with the following:

ASA1
---------
nat (inside) 5 192.168.15.100
global (outside) 5 interface
static (outside,inside) 172.16.150.39 172.16.151.39 netmask 255.255.255.255

172.16.150.39 being the inside mapped IP and 172.16.151.39 the outside "hand-off" IP. I would then like ASA2 to pick up the "hand-off" IP 172.16.151.39 and send it to Host2 with something like:

ASA2
----------
static (inside,outside) 172.16.151.39 192.168.200.10 netmask 255.255.255.255

ASA1 is fine, as on ASA2 I can see both source and destination IPs translated. However, ASA2 is not doing it the way I imagined it.

Could you tell me what I am missing please?

Thanks

Recep

Super Bronze

Hi,

The second post's NAT configurations between the ASAs would seem to match now.

Though the diagram that you have mentioned does seem to list the same IP address twice between ASA1 and ASA2?

What exactly is happening on the ASA2 that you are not expecting?

Have you tried "packet-tracer" on ASA2 to simulate the connection coming to the ASA2 through ASA1?

That should tell if the configurations are correct.

- Jouni

New Member

Hi Jouni,

Another good spot! The diagram should be like this:

[Host1]192.168.15.100------192.168.15.1[in ASA1 out]172.16.151.254------172.16.151.1[out ASA2 in]192.168.200.2------192.168.200.10[Host2]

What I am hoping to achieve is that from host1 I can ping 172.16.150.39, and that, again from host1, a telnet to 172.16.150.39 lands me on host2 (a router that I can already telnet into). But neither is happening.

Packet tracer shows this:

---

Recep

Super Bronze

Hi,

The destination IP address needs to be the NAT IP address 172.16.151.39 because that will be the IP address to which the packet will be headed after passing through ASA1.

The reason why your "packet-tracer" failed is that it didn't match any NAT rule with the above destination IP address, but while checking the other direction the ASA noticed it matched the "static" command, so it failed in the "rpf-check".

Try using the NAT IP address in the "packet-tracer".

- Jouni
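A small model of the 8.2 static NAT lookup and the "rpf-check" that Jouni describes, added here as an illustration only (it is not Cisco code and not from the thread). The ASA2 static and the two destination addresses come from the posts above; the interface names, function names and the simplified rule matching are assumptions of the model.

```python
"""Toy model of how an ASA 8.2 resolves a static NAT for an inbound packet
and then runs the rpf-check. Constructed for this thread, not Cisco code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255"""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


def lookup_untranslate(statics, ingress_if, dst_ip):
    """Forward direction: a packet arriving on the mapped interface has its
    destination un-NATed (mapped -> real) if a static owns that mapped IP."""
    for s in statics:
        if s.mapped_if == ingress_if and s.mapped_ip == dst_ip:
            return s.real_ip, s
    return dst_ip, None  # no rule: destination is forwarded unchanged


def lookup_source_nat(statics, egress_if, real_ip) -> Optional[Static]:
    """Reverse direction: which static would translate this host's source
    address when it replies from its real interface?"""
    for s in statics:
        if s.real_if == egress_if and s.real_ip == real_ip:
            return s
    return None


def packet_tracer(statics, ingress_if, egress_if, dst_ip) -> dict:
    """Emulates the NAT and rpf-check phases of 'packet-tracer input <ingress_if>'.
    rpf-check passes only when the rule the reply would use is the same rule the
    forward packet matched (or when neither direction has a rule)."""
    real_dst, fwd_rule = lookup_untranslate(statics, ingress_if, dst_ip)
    rev_rule = lookup_source_nat(statics, egress_if, real_dst)
    if rev_rule is not None and rev_rule != fwd_rule:
        # Asymmetric NAT: this host is reachable only through its mapped address.
        return {"phase": "rpf-check", "result": "DROP",
                "real_dst": real_dst, "expected_dst": rev_rule.mapped_ip}
    return {"phase": "rpf-check", "result": "ALLOW", "real_dst": real_dst}


# ASA2 rule from the second post (the only static on that box in this model).
ASA2 = [Static("inside", "outside", "172.16.151.39", "192.168.200.10")]

if __name__ == "__main__":
    print(packet_tracer(ASA2, "outside", "inside", "192.168.200.10"))  # DROP
    print(packet_tracer(ASA2, "outside", "inside", "172.16.151.39"))   # ALLOW
```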

New Member

Hi Jouni,

You are right, with the NAT IP as the dest IP in "packet-tracer" the packet is allowed through ASA2.

I still cannot connect from host1 to host2 though.

Regards

Recep

Super Bronze

Hi,

Is there some limitation on the router itself that blocks the management connections from the source address where the connection is coming from?

Or are you perhaps missing some routing for the return traffic on the actual router, so the management connections' return traffic isn't getting back to host1 behind ASA1?

- Jouni

New Member

Hi again Jouni,

A kind of limitation: host2 router had 192.168.200.10 as primary IP but also had a secondary IP address (172.16.151.1) from a previous setup. Once I removed that it worked.

Many thanks for your help.

Regards

Recep
