03-30-2010 03:29 AM - edited 03-04-2019 07:58 AM
Hi, I have one ASA which is connected with a point-to-point link to one vendor (10.8.8.0/24). My internal network ranges are 10.40.71.0/24, 10.80.71.0/24, 10.81.71.0/24, 10.50.71.0/24 & 10.45.71.0/24.
My aim is to hide my internal network; it should be replaced with a 172.19.x.0/24 subnet before leaving my ASA. I have configured one policy for the 10.40.71.0/24 subnet. Now I have two questions.
1. Will the configuration below work? If the vendor hits 172.19.194.14, will it be routed to my internal server 10.40.71.14?
2. How do I handle the rest of the subnets? Do I have to create other new NAT subnets like 172.19.195.x, 172.19.196.x ..?
My current config is --
name 172.19.194.0 AH_IRV_NAT
access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
static (inside,outside) AH_IRV_NAT access-list inside_IRV
03-30-2010 03:47 AM
The ASA should handle this as PAT addressing; the only thing you need to do is add your other internal networks to the access list.
HTH
03-30-2010 04:28 AM
You mean I have to do the config as below?
name 172.19.194.0 AH_IRV_NAT
access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0
static (inside,outside) AH_IRV_NAT access-list inside_IRV
Now I have one confusion. If the vendor hits the IP 172.19.194.15, which internal IP will it be routed to?
03-30-2010 04:34 AM
The config is correct.
The ASA has an internal translation table; it tracks the use of internal/external IP addresses. For each translation that takes place the ASA will put an entry into the table.
Each connection has a specific ephemeral internal port used for reference and tracking of the source & destination NAT IP addresses.
You can view this table at the CLI: in enable mode type "show xlate".
HTH
03-30-2010 04:38 AM
Agreed. My question is: my call server IP is 10.81.71.15 & I have opened 10.40.71.0, 10.80.71.0 & 10.81.71.0. So if the vendor hits 172.19.194.15, how will it reach 10.81.71.15? It could also hit 10.40.71.15 & 10.80.71.15..
This is the only confusion for me. What do you suggest?
03-30-2010 04:45 AM
As I said, the ASA has a NAT translation table; source and destination IP addresses in the NAT table are logged and tracked.
The ASA has a stateful firewall connection table for ALL incoming/outgoing connections through the device. The ASA will track all connections and make sure the traffic reaches the correct host.
03-30-2010 04:53 AM
The problem is, the vendor will initiate the connection to our call server. We have allowed three subnets in a single ACL, so if the vendor hits our call server, to which internal IP will it be routed?
03-30-2010 04:57 AM
If you want anyone on the outside to connect specifically to your call server, you either create a specific PAT translation based on destination port (the specific port or ports your call server is listening on) or you create a specific 1:1 NAT for that internal server.
I would create a pool of addresses for all other hosts, and a specific static translation for the call server.
03-30-2010 05:01 AM
Got it.
03-30-2010 12:05 PM
If the vendor hits 172.19.194.15, which one of the subnets does it translate to by default, if PAT isn't configured?
03-30-2010 01:57 PM
Whichever internal server initiated the connection to the vendor.
If no connection exists, the connection will not pass through.
BASIC NAT: if no outbound connection has been made, no return/initiated traffic will be permitted. The exception to this rule is when there is a static PAT or static NAT; then no initial outbound connection is required.
HTH
Andrew.
04-01-2010 09:14 AM
He's using policy-based NAT though; both sides can trigger the NAT policy (it doesn't have to initiate from inside, and you don't need static NAT or PAT).
If he only had one entry:
name 172.19.194.0 AH_IRV_NAT
access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
static (inside,outside) AH_IRV_NAT access-list inside_IRV
This basically says that anything coming from 10.40.71.0/24 going to 10.8.8.0/24 gets its source rewritten to 172.19.194.0/24. The same is true if the traffic sources from the outside: anything coming from 10.8.8.0/24 going specifically to 172.19.194.0/24 would translate 1-to-1 to the whole 10.40.71.0/24 range (194.15 would become 71.15, 194.101 would become 71.101, etc.). We used to do this all the time without any problems.
The confusion comes when adding additional entries into an existing NAT rule: what happens if there isn't a static entry configured?
name 172.19.194.0 AH_IRV_NAT
access-list inside_IRV extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0
static (inside,outside) AH_IRV_NAT access-list inside_IRV
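Added example (not from any post in this thread): the layout the 04:57 AM reply recommends, written in the same pre-8.3 ASA "static" syntax the thread uses. Each real /24 gets its own mapped /24, so a mapped address such as 172.19.195.15 corresponds to exactly one real host instead of three candidates behind one 172.19.194.0 range, and the call server gets its own host static scoped to the vendor link. The mapped ranges 172.19.195.0, 172.19.196.0 and 172.19.197.15, the ACL names, and the call server port 5060 are assumptions for illustration; substitute your own.

```cisco
! Added example, not from the original posts. Pre-8.3 syntax as used in the thread.
! Mapped values 172.19.195.0, 172.19.196.0 and 172.19.197.15 are assumed.

! Host static for the call server, listed first: statics are matched in the
! order they appear in the configuration, so the host-specific entry must come
! before the subnet-wide entry that also covers 10.81.71.15. The ACL limits the
! translation to traffic to/from the vendor link only.
name 172.19.197.15 AH_CALLSERVER_NAT
access-list inside_IRV_CS extended permit ip host 10.81.71.15 10.8.8.0 255.255.255.0
static (inside,outside) AH_CALLSERVER_NAT access-list inside_IRV_CS

! One mapped /24 per real /24; the host offset is preserved in each pair
! (10.40.71.x <-> 172.19.194.x, 10.80.71.x <-> 172.19.195.x, 10.81.71.x <-> 172.19.196.x).
name 172.19.194.0 AH_IRV_NAT_40
name 172.19.195.0 AH_IRV_NAT_80
name 172.19.196.0 AH_IRV_NAT_81
access-list inside_IRV_40 extended permit ip 10.40.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV_80 extended permit ip 10.80.71.0 255.255.255.0 10.8.8.0 255.255.255.0
access-list inside_IRV_81 extended permit ip 10.81.71.0 255.255.255.0 10.8.8.0 255.255.255.0
static (inside,outside) AH_IRV_NAT_40 access-list inside_IRV_40
static (inside,outside) AH_IRV_NAT_80 access-list inside_IRV_80
static (inside,outside) AH_IRV_NAT_81 access-list inside_IRV_81

! The static only translates; the vendor still needs an inbound permit.
! Pre-8.3 interface ACLs reference the mapped (outside-visible) address.
! Port 5060 is an assumed SIP signalling port; permit only the ports the
! call server actually listens on, and only from the vendor's subnet.
access-list outside_in extended permit tcp 10.8.8.0 255.255.255.0 host 172.19.197.15 eq 5060
access-group outside_in in interface outside
```

To confirm which static a vendor-initiated packet hits, run "packet-tracer input outside tcp 10.8.8.10 1234 172.19.197.15 5060" (source address and port constructed for the test) and check that the NAT phase shows 172.19.197.15 untranslating to 10.81.71.15; then "show xlate" after a real connection shows the entry the thread's 04:34 AM reply describes. If packet-tracer reports the subnet-wide static instead, the host static is ordered after it and needs to be moved up.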