
NAT inside to inside interface

MarcinChameleon
Level 1

Hi All,

A bit of a problem with NATting - ASA 5500 ASDM 6.2.

I have 3 interfaces: outside, inside, inside1. Outside routes to inside interface, where both interfaces are on public IPs, so no nat control.

The new inside1 interface I want to be on priv network 10.100.10.0/24. Now I want to NAT public IP from inside interface to priv IP on inside2.

Basically NATting must occur between inside and inside2 - on priv IP there is a web server.

Can I do it somehow without the nat enabling command? I just need NAT for a few IPs.

TIA for any help.

Marcin


Accepted Solutions

if you want the device to be available from the outside - you need to:-

1) Allow access via an access-list - as the outside is security 0 and Inside1 is security 100

2) You need to have a NAT in place - you could perform PAT on the outside - or try and use the same NAT IP as the inside, so something like

static (Inside1,outside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255



andrew.prince
Level 10

afaik and can remember the nat control is only required when you are going from a higher security interface to a lower security interface. Without nat control - you still should be able to configure a translation between two interfaces with the same security level?


Just double checked an old config - and you can still configure NAT in the normal way even with nat-control turned off.

Hi, thanks for reply.

I can confirm both inside interfaces are on 100 security level. I want simple 1 to 1 IP translation.

So should I go like that: config# static (inside,inside1) ip_of_inside1 ip_of_inside netmask 255.255.255.255 ???

Does it make any difference, if inside interface is on vlan, and inside1 interface is on native?

yes that should work, and the vlan to native should be ok


Hi,

I did that. I cannot browse to web on server on inside1 or I cannot browse internet being on that server.

Any ideas?

TIA

what are you actually trying to do, do you want the server on inside 1 to have an ip address in the same range of the inside?


Hi,

Outside int is on public /30 network and routes to inside also public network /27 network.

Now, inside1 interface is on 10.100.10.0/24 priv network range. (as I mentioned before inside and inside1 are both on security 100)

So I want NAT only few IPs from inside (/27) to priv range on inside1.

Should this be doable?

So you have configured your nat - but it is not working.  Did you configure the setting to allow traffic from 2 interfaces with the same security level??

same-security-traffic permit inter-interface

?

Yes,

I have:

same-security-traffic permit inter-interface...and

same-security-traffic permit intra-interface

Post your NAT & Interface Config

Here we go:

interface Ethernet0/0.21
 description inside
 nameif Inside
 security-level 100
 ip address 83.89.38.193 255.255.255.192
!
interface Ethernet0/0.23
 description outside
 nameif Outside
 security-level 0
 ip address 83.89.92.46 255.255.255.252
!
interface Ethernet0/1
 description For NATting
 nameif inside1
 security-level 100
 ip address 10.100.10.1 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list Inside1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 83.89.38.193 255.255.255.192 host 10.100.10.2
access-list Inside1_access_in extended permit ip any host 10.100.10.2

static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 dns

route Outside 0.0.0.0 0.0.0.0 83.89.92.45 1

service-policy global_policy global

Remove

static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns

The correct NAT is

static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255
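An added example, not part of the original thread: a small Python check over pre-8.3 `static` and `access-list` lines that flags the two conditions visible in the posted config, a mirrored static pair for the same two addresses and a `permit ip any host` entry to a translated host. The function names and the case-insensitive comparison of interface names are assumptions of this example; the sample lines are taken from the config posted above.

```python
import re
from typing import NamedTuple

# Constructed sample: the NAT and ACL lines from the config posted above.
SAMPLE_CONFIG = """\
access-list Inside1_access_in extended permit ip any host 10.100.10.2
static (Inside,Inside1) 10.100.10.2 83.89.92.250 netmask 255.255.255.255 dns
static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 dns
"""

class Static(NamedTuple):
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)", re.M)
# Only the broadest form is matched: permit ip any host <addr>
BROAD_ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip any host (\S+)", re.M)

def parse_statics(config):
    # Assumption: interface names are compared case-insensitively
    # (the posted config mixes "inside1" and "Inside1").
    return [Static(r.lower(), m.lower(), mip, rip)
            for r, m, mip, rip in STATIC_RE.findall(config)]

def mirrored_statics(statics):
    """Pairs of statics that translate the same two addresses in both directions."""
    pairs = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if (a.real_if, a.mapped_if, a.real_ip, a.mapped_ip) == \
               (b.mapped_if, b.real_if, b.mapped_ip, b.real_ip):
                pairs.append((a, b))
    return pairs

def broad_acl_hits(config, statics):
    """ACL entries permitting all IP from any source to a statically translated host."""
    nat_ips = {ip for s in statics for ip in (s.real_ip, s.mapped_ip)}
    return [(name, ip) for name, ip in BROAD_ACL_RE.findall(config)
            if ip in nat_ips]

if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    for a, b in mirrored_statics(statics):
        print("mirrored static pair:", a, b)
    for name, ip in broad_acl_hits(SAMPLE_CONFIG, statics):
        print(f"{name}: permit ip any -> {ip}")
```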

Hi,

Thanks for that but no luck. I even tried to ping from server on inside net to server with IP 10.100.10.2 - no luck, and from inside net server I cannot even ping interface IP of 10.100.10.1

Of course I can ping from 10.100.10.2 to 10.100.10.1, this seems to be fine.

After applying this:

static (Inside1,Inside) 83.89.92.250 10.100.10.2 netmask 255.255.255.255 - on ASDM it appears as inside1 is original source and inside as translated. I am assuming that's correct.

But, still doesn't work.

There is some joy!

I can ping from servers on inside to inside1, pinging 83.89.92.250.

NAT is working, because when I deleted the rule I could not ping; I created the NAT rule again and it was working.

But I still cannot browse to 83.89.92.250 aka 10.100.10.2 from outside. On the outside int, access rules allow any traffic on port 80 to any on the inside int. Do you think I should allow to inside1 as well, or with NATting should this not be necessary?
