NAT ASA destination address

dbowley
Level 1

Hi

I am using an ASA 5540 running version 7.2(3) and would like to pass all http and https requests coming from the inside of the ASA to an external proxy server on the internet (all requests need to pass to port 8080). I've tried using static commands but can only seem to NAT on the inside source address and not the destination address. I have also tried the same using dynamic NAT but again can only NAT on the source address.

Is there a way of NATing the destination address when coming from the inside of firewall?

Alternatively, if anyone can suggest another way of diverting http requests to a proxy server on the internet that would be appreciated.

9 Replies

Jon Marshall
Hall of Fame

static (outside,inside) 195.167.17.1 195.167.17.1 netmask 255.255.255.255

Or if you want to present the external address as an internal address

static (outside,inside) 192.168.5.1 195.167.17.1 netmask 255.255.255.255

where 192.168.5.1 is your internal address.

Jon

All internal users come from a private address range 10.10.10.x/24 and could potentially try to access any web page on the internet, but the destination needs to be NATted to a proxy server address on the internet to process the web request.

I do not have a PIX/ASA handy so I can't tell you whether this will work. You would need to test it - I have my doubts.

access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq http

access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq https

static (outside,inside) 195.167.17.1 access-list PNAT

Could you not do as Colin suggests and just modify the browser settings - think this would be a lot easier.

Jon

I've tried the above configuration and no success.

Would like to modify the browser settings, but have over 200 users and the department that rolls out our group policies for windows is having issues updating the browsers.

To get the nat changed by destination would be good.

You can try:

static (inside,outside) tcp public ip 8080 10.10.10.0 8080 netmask 255.255.255.0

OR

static (inside,outside) tcp 8080 10.10.10.0 80 netmask 255.255.255.0

I'm wondering if the browser is going out default 80 and you have to translate out to 8080.

--John

HTH, John *** Please rate all useful posts ***

I've tried this configuration and get an error message that global address overlaps with mask. Does anyone have any other suggestions?

Ideally I'd like to put in the following configuration:

access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 80

access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 443

static (outside,inside) access-list PROXY_NAT

Syntax-wise this isn't possible, but I hope it describes a little more clearly what I'm trying to do.

Collin Clark
VIP Alumni

Could you set the browser settings for the proxy?

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal the number of addresses used for translation (which is only 1 address).

For example, my Cisco ASA 5505 gave no errors when I entered the following:

Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above policy static NAT translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105.

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.

However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static NAT combo (which amounts to static policy NAT). But I have not been able to get that to work. For example, entering the following gave me the "global address overlaps with mask" error.

Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask".

In my experience, it is, however, possible to map/translate more than one "real" IP address to one mapped/translated IP address using dynamic policy NAT. So for example, the following was accepted by my ASA with no errors.

Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105

nat (inside) 2 access-list staticPOLICYnat

global (outside) 2 192.168.1.253

If anyone knows how to translate or map multiple IP addresses to a single IP address using static policy NAT, please do share.

Best Regards,

David
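A small pre-flight check, added here as an example and not part of any post in this thread: it parses the 7.x-style access-list/static statements quoted above and flags a static policy NAT whose ACL sources cover more real addresses than the single mapped address, which is the many-to-one case David's post reports the ASA rejecting. It only models the rule as described in the post (real count must equal mapped count), not Cisco's own validation logic, and the three sample configurations are constructed from the thread.

```python
import ipaddress
import re

# Constructed samples taken from the configurations quoted in this thread.
ACCEPTED = """
access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105
static (inside,outside) 192.168.1.253  access-list staticPOLICYnat
"""
REJECTED = """
access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105
static (inside,outside) 192.168.1.253  access-list staticPOLICYnat
"""
PNAT = """
access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq http
access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq https
static (outside,inside) 195.167.17.1 access-list PNAT
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?(?:extended )?permit \S+ (.+)$")
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\)\s+(\S+)\s+access-list\s+(\S+)")

def source_network(tokens):
    """ACL source field (any | host A | A MASK) -> IPv4 network. ASA ACLs use
    ordinary subnet masks, not inverse masks."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32")
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False)

def check_static_policy_nat(config):
    """Return [(statement, real_address_count)] for every 'static ... access-list'
    whose ACL sources cover more than the single mapped address, i.e. the
    many-to-one case the post reports as 'global address overlaps with mask'."""
    sources, findings = {}, []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if acl := ACL_RE.match(line):
            name, rest = acl.groups()
            sources.setdefault(name, []).append(source_network(rest.split()))
        elif st := STATIC_RE.match(line):
            # Overlapping ACEs (http and https for the same subnet) are counted once.
            nets = ipaddress.collapse_addresses(sources.get(st.group(4), []))
            real_count = sum(n.num_addresses for n in nets)
            if real_count > 1:
                findings.append((line, real_count))
    return findings
```

A flagged statement is a candidate for the dynamic policy NAT form (`nat (inside) <id> access-list <acl>` plus `global (outside) <id> <mapped-ip>`) shown in the post above; a statement that passes is a 1-to-1 mapping.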
