534 Views | 0 Helpful | 8 Replies

NAT Across 2 ASA Firewall 9.7

Anh Ngo
Level 1

Hello Experts, 

I'm stuck with tonight's task.

I have a topology like this:

                            (.2)             (.3)
                          SERVER2          SERVER3
                             |                |
                             |   1.1.1.0/8    |
                             V                V
                          --S--W--I--T--C--H--
                                   |
                                   |  (DMZ)
      10.11.10.0/27         192.168.1.0/24       V  1.1.1.1/8        123.1.1.0/24
Server1 ----------> ASA1 (9.7) ----------> ASA2 (9.7) ----------> Internet
    .1              .2           .2      (INSIDE)   .1                .1

So how can I nat my Server to the internet? Thank you so much.

 

8 Replies

On ASA2 you do the NAT for the real IP:

object network SERVER
 host 10.11.10.1
 nat (inside,outside) static X.X.X.X

And you need a route to the inside subnet:

route inside 10.11.10.0 255.255.255.224 192.168.1.2

Hello Karsten,

Thank you so much for your quick response!

I tried to apply your suggestion but it did not work. That is my mistake, because I did not give you the full topology at first.

Actually my ASA2 does NAT for the DMZ, which includes 2 servers (Server2 & Server3), and they can access the internet. So at the moment my desire is that all 3 servers (Server1, Server2 and Server3) CAN access the internet. Thank you so much, again.

My code for NATing Server2 and Server3:

object network SERVER2
 host 1.1.1.2
 nat (dmz,outside) static 123.1.1.2

object network SERVER3
 host 1.1.1.3
 nat (dmz,outside) static 123.1.1.3

I've just updated the new topology above. Please kindly help urgently. Thanks all!

If it's urgent, call Cisco TAC. This is community support which is done by volunteers in their spare time ...

Back to your scenario: The NAT for the third server should work the same way as with the two devices in the DMZ. You have to make sure that the correct interface is used, and the left ASA should not do any NAT on this traffic and also has to allow this traffic.

Hello Karsten,

Oh, thank you Karsten! I've just called TAC, it seems to be a good channel and I will try it some day :)

At that time my English was not good enough to describe the issue I'm getting.

Back to my issue:

My ASA2 has port 1/1 going to the internet,
             port 1/2 connecting to the left ASA,
             port 1/3 connecting to the switch.

From ASA2 I can ping all servers, and I tried to apply the same method I used for SERVER2 and SERVER3 to SERVER1, but it still does not work.

(Working)

object network Server2
 host 1.1.1.2
 nat (dmz,outside) static 123.1.1.2

object network Server3
 host 1.1.1.3
 nat (dmz,outside) static 123.1.1.3

(Not working)

object network Server1
 host 10.11.10.1
 nat (inside,outside) static 123.1.1.1

Please help me clarify what is wrong here.

If you can ping Server1 from ASA2 then the routing is in place. You need to find out if ASA2 or ASA1 is blocking the traffic. For that do a packet-tracer on ASA2:

packet-tracer input outside tcp 1.2.3.4 1234 123.1.1.1 443

I assumed the server should be reachable through HTTPS; change the port to whatever you need. In the output you should see that the traffic is not only allowed, but also that its public IP gets untranslated to the private IP and that ASA2 sees the interface inside as the output interface.

Then repeat that on ASA1, but this time use the private IP destination:

packet-tracer input outside tcp 1.2.3.4 1234 10.11.10.1 443

Again, it should be allowed, no NAT should be done and the traffic should have an output interface of inside.

PAT is nothing that would help here.
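To put Karsten's two points (ASA2 translates, ASA1 passes the traffic untranslated and permits it) together with the packet-tracer checks, here is a complete configuration for both firewalls. This is an added example, not the original poster's or Karsten's config, and it makes a few assumptions: the ACL and object names are made up, ASA2's interface toward ASA1 is named "inside" as in the diagram, and Server1 is mapped to 123.1.1.4 rather than 123.1.1.1, because in the diagram 123.1.1.1 is ASA2's own outside address and a one-to-one static NAT cannot use an interface's own address (only port-specific static PAT with the interface keyword can). The identity NAT on ASA1 is written as twice NAT (section 1) so it takes precedence over any dynamic PAT the left ASA may already have for inside-to-outside traffic.

```cisco
! ===== ASA2 (9.7): inside = 192.168.1.1 toward ASA1, outside = 123.1.1.1, dmz = 1.1.1.1 =====
! Assumed: 123.1.1.4 is a free address in the public block (not the outside interface IP).
object network SERVER1
 host 10.11.10.1
 nat (inside,outside) static 123.1.1.4
!
! ASA2 must know that 10.11.10.0/27 sits behind ASA1's outside address 192.168.1.2.
route inside 10.11.10.0 255.255.255.224 192.168.1.2
!
! Inbound from the Internet: on ASA 8.3+ the ACL references the REAL (untranslated) address.
! (ACL name OUTSIDE-IN is an assumption; add it to the existing outside ACL if one is applied.)
access-list OUTSIDE-IN extended permit tcp any object SERVER1 eq 443
access-group OUTSIDE-IN in interface outside
!
! ===== ASA1 (9.7): inside = 10.11.10.2, outside = 192.168.1.2 =====
! No translation on this path: identity NAT keeps 10.11.10.1 as-is toward ASA2, so that ASA2's
! static rule matches the real address. If ASA1 hid the server behind 192.168.1.2 with PAT,
! ASA2's static NAT would never match. (Object name NET-SERVER1 is an assumption.)
object network NET-SERVER1
 subnet 10.11.10.0 255.255.255.224
nat (inside,outside) source static NET-SERVER1 NET-SERVER1 no-proxy-arp route-lookup
!
! ASA1 must also permit the connection arriving from ASA2 toward the private address.
access-list OUTSIDE-IN extended permit tcp any host 10.11.10.1 eq 443
access-group OUTSIDE-IN in interface outside
!
! ===== Verification, following the steps in the thread =====
! On ASA2 (public destination): expect a NAT phase that untranslates 123.1.1.4/443 to
! 10.11.10.1/443, output-interface: inside, Action: allow.
packet-tracer input outside tcp 1.2.3.4 1234 123.1.1.4 443
! On ASA1 (private destination): expect no translation, output-interface: inside, Action: allow.
packet-tracer input outside tcp 1.2.3.4 1234 10.11.10.1 443
!
! After real traffic, confirm ASA2 built the translation and that the rule has hits:
show xlate
show nat detail
```

If either packet-tracer ends with a DROP, the phase it stops in (ACCESS-LIST, NAT, ROUTE-LOOKUP) names the firewall and the feature that is blocking the flow; fix that one and re-run the trace before touching the other ASA.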

Hello Karsten Iwen,

I'm sorry for my late response. I've just got back from the hospital and got a new issue with an ASA 5508, and it's more urgent than the issue we're working on here.

I promise I will come back to this issue after the new urgent issue is resolved.

I posted my new issue here, please kindly help. Thank you so much!

https://supportforums.cisco.com/t5/other-network-infrastructure/cli-access-rule-to-access-web-server-throuhg-asa/m-p/3231346#M193768


Do you think I should use PAT for that case?
Thanks.
